s4u / pgpverify-maven-plugin

Verify Open PGP / GPG signatures plugin
https://www.simplify4u.org/pgpverify-maven-plugin/
Apache License 2.0

Plugin fails to verify an artifact with revoked public key #557

Open fabianfrz opened 4 months ago

fabianfrz commented 4 months ago

Describe the bug

It seems like the plugin is failing when the key has been revoked on the key server.

Caused by: org.bouncycastle.openpgp.PGPException: org.bouncycastle.openpgp.PGPSignatureList found where PGPPublicKeyRing expected
    at org.bouncycastle.openpgp.PGPPublicKeyRingCollection.<init> (Unknown Source)
    at org.simplify4u.plugins.pgp.PublicKeyUtils.loadPublicKeyRing (PublicKeyUtils.java:144)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.loadKeyFromFile (PGPKeysCache.java:230)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.receiveKey (PGPKeysCache.java:275)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$null$2 (PGPKeysCache.java:181)
    at org.simplify4u.plugins.keyserver.PGPKeysCache$KeyServerListOne.execute (PGPKeysCache.java:372)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$getKeyRing$b1186df7$1 (PGPKeysCache.java:181)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.getKeyRing (PGPKeysCache.java:181)
    at org.simplify4u.plugins.pgp.SignatureUtils.lambda$checkSignature$91862a76$1 (SignatureUtils.java:304)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:304)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:362)
    at org.simplify4u.plugins.CheckMojo.processArtifactSignature (CheckMojo.java:243)

To Reproduce

cd $CI_PROJECT_DIR/project/dir && mvn org.simplify4u.plugins:pgpverify-maven-plugin:1.17.0:check \
        -Dpgpverify.keyserversLoadBalance=false \
        -Dpgpverify.keyserver=https://keyserver.ubuntu.com \
        -Dpgpverify.keysMapLocation=`pwd`/../../.mvn/keysmap.properties

Project needs to include this artifact: https://mvnrepository.com/artifact/org.springframework.plugin/spring-plugin-core/2.0.0.RELEASE

Expected behavior

PGP Verify handles it as badSig or noSig, as a revoked key means that the signature should not be trusted.

Additional context

Related: spring-projects/spring-plugin#102
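The stack trace shows the BouncyCastle key ring collection constructor rejecting a PGPSignatureList object in the key server response. The following is an added example (not code from pgpverify-maven-plugin) of how a loader can classify such a response instead of throwing: it walks the OpenPGP objects with PGPObjectFactory, reports a key ring whose master key carries a revocation, and also reports a standalone key revocation signature as REVOKED so the caller can treat the artifact signature as untrusted. The KeyStatus enum and the classify method are hypothetical names chosen for this example.

```java
import java.io.IOException;
import java.io.InputStream;

import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

/** Hypothetical outcome type for this example; not a plugin type. */
enum KeyStatus { USABLE, REVOKED, NOT_A_KEY }

public final class KeyServerResponseCheck {

    /**
     * Parses a key server response (ASCII-armored or binary) and decides whether
     * the material may be used to trust a signature. Never throws on a signature
     * list, which is what the PGPPublicKeyRingCollection constructor does.
     */
    static KeyStatus classify(InputStream raw) throws IOException, PGPException {
        // getDecoderStream transparently removes ASCII armor if present.
        InputStream in = PGPUtil.getDecoderStream(raw);
        PGPObjectFactory factory = new PGPObjectFactory(in, new JcaKeyFingerprintCalculator());
        boolean sawKey = false;
        Object obj;
        while ((obj = factory.nextObject()) != null) {
            if (obj instanceof PGPPublicKeyRing) {
                sawKey = true;
                PGPPublicKey master = ((PGPPublicKeyRing) obj).getPublicKey();
                // hasRevocation() is true when the key carries a revocation self-signature.
                if (master.hasRevocation()) {
                    return KeyStatus.REVOKED;
                }
            } else if (obj instanceof PGPSignatureList) {
                // A bare signature list instead of a key ring: inspect it for a
                // key revocation certificate rather than failing the whole lookup.
                PGPSignatureList sigs = (PGPSignatureList) obj;
                for (int i = 0; i < sigs.size(); i++) {
                    if (sigs.get(i).getSignatureType() == PGPSignature.KEY_REVOCATION) {
                        return KeyStatus.REVOKED;
                    }
                }
            }
        }
        return sawKey ? KeyStatus.USABLE : KeyStatus.NOT_A_KEY;
    }
}
```

A caller that maps REVOKED and NOT_A_KEY to a failed verification gets the behaviour requested under "Expected behavior" without depending on how the key server packages a revoked key.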

slawekjaranowski commented 2 months ago

Please try with the latest version 1.18.2 of the plugin.

Please also provide a simple project which can be used to reproduce.