s4u / pgpverify-maven-plugin

Verify Open PGP / GPG signatures plugin
https://www.simplify4u.org/pgpverify-maven-plugin/
Apache License 2.0

Verify from local keys / offline mode #394

Closed bmarwell closed 4 months ago

bmarwell commented 2 years ago

Is your feature request related to a problem? Please describe.

Not a problem, except network connections and proxies. :) When all keys are already present (e.g. .asc files or imported into the local keyring), there is no need to download keys. BUT I cannot specify the keyring file as of now.

Describe the solution you'd like

-Dverify.offline=true -Dverify.gpghomedir=$PWD or similar.

Describe alternatives you've considered

Additional context

n/a

slawekjaranowski commented 2 years ago

Simply try

mvn -o ...

bmarwell commented 2 years ago

Hey Slawomir!

That wouldn't work for my scenario. Sorry for not providing a better command. See what I am doing at the moment:

Consider the ojdbc8-production.pom (which is essentially a bom file).

GNUPGHOME="${WORKSPACE}/tmp/gnupg" \
"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

I now replaced it with a two step setup:

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

  "${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --offline \
    org.simplify4u.plugins:pgpverify-maven-plugin:check \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

Now it would fail because the pgpverify-plugin is not available. This is why I asked for an offline mode explicitly for this plugin.

Of course, there is a workaround. Add a third step in the middle:

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

  # dependency:get the plugin
  "${WORKSPACE:?}/mvnw" \
      --batch-mode \
      --errors \
      --no-transfer-progress \
      org.apache.maven.plugins:maven-dependency-plugin:3.3.0:get \
      "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
      "-Dartifact=org.simplify4u.plugins:pgpverify-maven-plugin:1.16.0" \
      -f "${driver_version_dir}/${artifactname}-${version}.pom"

  "${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --offline \
    org.simplify4u.plugins:pgpverify-maven-plugin:check \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

If that really is the intended solution, this three-step setup should be documented. That's not something an average maven user can do, I'd say.

// Edit: that doesn't even work as intended:

[INFO] Resolved 20 signature(s) in PT0.007559881S
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:pom:19.7.0.0
[INFO] Finished 20 artifact(s) validation in PT0.01117527S

I think the plugin does not pick up GNUPGHOME.

bmarwell commented 2 years ago

So, adding * = any of course helps. But I have to pre-fill the cache directory now as well.

It seems undocumented, but here is the layout:

.m2/repository/pgpkeys-cache/<0..*2h>/<2..*4h>/${shorthex^^}.asc. My current keys are exported using 0xlong.asc. So prefilling that directory requires additional scripting.

This will make a nice blog post, but is quite a way to set up. Maybe you could reconsider my request to use a gpg keyring? :)

slawekjaranowski commented 2 years ago

There is a goal: org.simplify4u.plugins:pgpverify-maven-plugin:go-offline - it should be used together with dependency-plugin:go-offline
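The two-phase flow this comment suggests, written out as shell functions. This is an added example, not code from the thread or from the plugin project: it combines the reporter's own mvnw invocations above with the maintainer's go-offline goal. It assumes that pgpverify's go-offline goal fetches the keys needed for the pom's dependencies into the local key cache (as the maintainer's comment implies) and that the later --offline run then only reads from that cache. Phase 1 needs network access; phase 2 must not, so any key the cache is missing surfaces as a failure there rather than as a silent download.

```shell
#!/bin/sh
# Added example (not the plugin's or the thread's own code).
# MVN can be overridden (e.g. MVN=echo) for a dry run that only prints commands.
MVN="${MVN:-mvn}"
DEP_PLUGIN="org.apache.maven.plugins:maven-dependency-plugin:3.3.0"
PGP_PLUGIN="org.simplify4u.plugins:pgpverify-maven-plugin"

# Phase 1 (online): resolve dependencies, plugins and PGP keys into the local
# repository so that the offline phase has everything it needs.
# $1 = local repository directory, $2 = pom file to resolve
pgp_prime_cache() {
  "$MVN" --batch-mode --errors --no-transfer-progress \
    "$DEP_PLUGIN:go-offline" "$PGP_PLUGIN:go-offline" \
    "-Dmaven.repo.local=$1" \
    -f "$2"
}

# Phase 2 (offline): verify signatures from the cache only, then copy the jars.
# $1 = local repository directory, $2 = pom file, $3 = output directory
pgp_verify_offline() {
  "$MVN" --batch-mode --errors --offline \
    "$PGP_PLUGIN:check" "$DEP_PLUGIN:copy-dependencies" \
    "-Dmaven.repo.local=$1" \
    "-DoutputDirectory=$3" \
    "-Dmdep.stripVersion=true" \
    -f "$2"
}

# Usage (assumed environment variables from the reporter's script):
#   pgp_prime_cache   "$WORKSPACE/tmp/maven_repo" "$driver_version_dir/$artifactname-$version.pom"
#   pgp_verify_offline "$WORKSPACE/tmp/maven_repo" "$driver_version_dir/$artifactname-$version.pom" "$driver_version_dir"
```

Keeping the two phases as separate invocations matters for auditability: the online phase is the only place where keys and artifacts can enter, and the verification phase is provably network-free because Maven itself refuses remote access under --offline.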

slawekjaranowski commented 2 years ago

I think the plugin does not pick up GNUPGHOME.

Right - the plugin uses the bcpg library, not the gpg executable

It seems undocumented, but here is the layout:

.m2/repository/pgpkeys-cache/<0..2h>/<2..4h>/${shorthex^^}.asc.

It depends on the information in the artifact signatures: sometimes we have only the long key ID and in other cases we have the full key fingerprint, so the path can contain the long key ID or the fingerprint.
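The cache layout described in the two comments above (.m2/repository/pgpkeys-cache/<first 2 hex>/<next 2 hex>/<UPPERCASE HEX>.asc, with the file name being either the long key ID or the full fingerprint, depending on what the artifact's signature carries), turned into the "additional scripting" the reporter mentions. This is an added example, not code from the plugin or from anyone in the thread; the path rule is taken as the thread states it, and the caller is responsible for knowing whether a given signature references the long ID or the fingerprint, since the script cannot derive that from the key file alone.

```shell
#!/bin/sh
# Added example (not the plugin's own code): map a key identifier to the
# pgpkeys-cache path described in the thread, and pre-fill the cache from
# keys exported as 0x<LONGID>.asc files.

# pgp_cache_path CACHE_ROOT KEYID
#   KEYID may be a long key ID or a full fingerprint, with or without a 0x
#   prefix and in any case; the result uses the upper-case hex form, with the
#   first two hex characters and the next two as nested directories.
pgp_cache_path() {
  root=$1
  hex=$2
  hex=${hex#0x}
  hex=${hex#0X}
  hex=$(printf '%s' "$hex" | tr 'a-f' 'A-F')
  d1=$(printf '%s' "$hex" | cut -c1-2)
  d2=$(printf '%s' "$hex" | cut -c3-4)
  printf '%s/%s/%s/%s.asc\n' "$root" "$d1" "$d2" "$hex"
}

# prefill_pgp_cache SRC_DIR CACHE_ROOT
#   Copies every SRC_DIR/0x*.asc (file name = key ID or fingerprint) to its
#   cache location. Only keys you have already verified belong in SRC_DIR:
#   whatever sits in the cache is what the offline check will trust.
prefill_pgp_cache() {
  src=$1
  root=$2
  for f in "$src"/0x*.asc; do
    [ -e "$f" ] || continue          # no matches: the glob stays literal
    id=$(basename "$f" .asc)
    dest=$(pgp_cache_path "$root" "$id")
    mkdir -p "$(dirname "$dest")"
    cp "$f" "$dest"
  done
}

# Usage, assuming the default local repository:
#   prefill_pgp_cache ./exported-keys "$HOME/.m2/repository/pgpkeys-cache"
```

Because the plugin looks up a key under whichever identifier the signature packet carries, a cache filled only with long-ID file names will still miss artifacts whose signatures embed the full fingerprint; exporting each key twice (once per identifier) is the simplest way to cover both cases, and a `No signature for ...` warning in the check output is the symptom that a lookup fell through.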

bmarwell commented 6 months ago

OK, so again.

  1. I put all the keys into the pgpkeys-cache folder as suggested
  2. I run go-offline (which obviously doesn't work with --offline)

While running go-offline, the following thing happens (all of them are problems to me)

  1. one key does not get picked up. But even with debugging -X, the plugin doesn't show which keys it tries to resolve at which location :(
  2. It then tries to contact remote servers. I cannot disable this, because -o obviously won't work and supplying an empty list of keyservers will lead to the plugin throwing an exception.

So, why does it not find a specific key? I use the same algorithm to place all the keys.

bmarwell commented 6 months ago

OK, maybe in clear terms:

  1. I want to go offline with the keys. Going offline with the maven deps is not a goal for me.
  2. It should fail in go-offline if a key is neither found in the cache nor retrievable from the keyserver
  3. the keyserver list cannot be set to zero
  4. the keyserver timeout cannot be set.

slawekjaranowski commented 4 months ago

Maybe it helps you a little: #546

bmarwell commented 4 months ago

Maybe it helps you a little: #546

No, not at all too late! This is a super helpful feature whenever new keys are being used for e.g. DB driver jars.