spring-projects / spring-data-commons

Spring Data Commons. Interfaces and code shared between the various datastore specific implementations.
https://spring.io/projects/spring-data
Apache License 2.0
778 stars 675 forks

PGP signature invalid #3184

Closed ilatypov closed 1 day ago

ilatypov commented 2 weeks ago
$ mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
[...]
[ERROR] org.springframework.data:spring-data-jpa:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <mpaluch@vmware.com>]
[...]
[ERROR] org.springframework.data:spring-data-commons:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <mpaluch@vmware.com>]

in https://github.com/WebGoat/WebGoat/commit/8db9ff3

mp911de commented 2 weeks ago

If you would like us to spend some time helping you to diagnose the problem, please spend some time describing it and, ideally, providing what you expect.

ilatypov commented 2 weeks ago

Perhaps, an unexpected "sub" key was used automatically when signing.

If you've already distributed your public key, it's better to revoke the sub signing key instead of deleting it, although either way you can make your primary key the signing key. To revoke a sub key, use the revkey command instead of delkey.

https://central.sonatype.org/publish/requirements/gpg/#delete-a-sub-key

On the other hand, this was a recommendation for a scenario where the developer is still playing with their signatures before publishing the artifact. Since the artifact and its signature are already published, I wonder if it makes sense to somehow make the public part of that other signing key (the "sub" key, perhaps) registered with the PGP servers?

Now I realize that my own idea is futile because the keyId indicated in the JAR uniquely identifies the signing key. The last chance at finding a cause and a remediation is to assume that the keyId's signing key's public part was not published at all. Then it needs publishing. I don't know how the artifact got past Sonatype's upload gating a year ago.

https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons/2.7.1

mp911de commented 2 weeks ago

Not quite sure I agree. The key has been published to the keyserver quite a while ago. Running the same command yields for me:

[INFO] Receive key: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1
    to /Users/mpaluch/.m2/repository/pgpkeys-cache/EF/6A/EF6AD6684034B0CB67A9B5714406B84C1661DCD1.asc
[INFO] org.springframework.data:spring-data-commons:jar:2.7.1 PGP Signature OK
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <mpaluch@vmware.com>]

with a pristine Spring Boot 2.7.1 Maven project and without a configuration of the verifier plugin.

Checking the POM yields the same successful verification.

In any case, artifacts on Maven Central are immutable and the key has been published which renders the ticket non-actionable.
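The two comments above turn on where the "KeyId" in the plugin output comes from and what the verifier fetches with it: the key ID and (with a modern gpg) the full fingerprint are carried inside the detached `.asc` signature as Issuer and Issuer Fingerprint subpackets, and that identifier is what goes into the keyserver lookup shown in the log. The following script is an added example for this thread, not code from spring-data-commons, WebGoat or pgpverify-maven-plugin. It parses a detached signature per RFC 4880, pulls out those subpackets, rebuilds the same keyserver.ubuntu.com URL, and checks the issuer against a set of fingerprints. The sample signature it builds is constructed by hand (dummy MPI, so it parses but would never verify against any key); the fingerprint fed into it is the one printed in the thread, and it is assumed that the plugin's "KeyId" label is the 20-byte fingerprint, as the log lines show.

```python
"""Parse a detached OpenPGP signature (.asc) and report which key it names.
Added example; follows RFC 4880 framing for v4 signatures, does not verify."""
import base64
import struct

SUBPKT_ISSUER_KEY_ID = 16        # 8-octet key ID (low 64 bits of the fingerprint)
SUBPKT_ISSUER_FINGERPRINT = 33   # version octet + 20-octet fingerprint (gpg >= 2.1)
KEYSERVER = "https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0x"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, verify the '=xxxx' CRC trailer, return the raw packet."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body = lines[1:-1]
    if "" in body:                       # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
    crc_lines = [ln for ln in body if ln.startswith("=")]
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(raw):
        raise ValueError("armor CRC mismatch: file is corrupt or was edited")
    return raw


def packet_body(raw: bytes) -> tuple:
    """Decode one packet header (old or new format) -> (tag, body bytes)."""
    hdr = raw[0]
    if hdr & 0x40:                                       # new-format header
        tag, first = hdr & 0x3F, raw[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + raw[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", raw[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                                # old-format header (what gpg emits for .asc)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        off = (2, 3, 5)[ltype]
        length = int.from_bytes(raw[1:off], "big")
    return tag, raw[off:off + length]


def subpackets(data: bytes):
    """Yield (type, value) pairs from a signature subpacket area."""
    i = 0
    while i < len(data):
        first = data[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
        yield data[i] & 0x7F, data[i + 1:i + length]   # strip the critical bit from the type
        i += length


def issuer_of(armored: str) -> dict:
    """Return issuer key ID / fingerprint and algorithm ids of a v4 signature."""
    tag, body = packet_body(dearmor(armored))
    if tag != 2 or body[0] != 4:
        raise ValueError(f"expected a v4 signature packet, got tag {tag} version {body[0]}")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3]}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    for area in (body[6:pos], body[pos + 2:pos + 2 + unhashed_len]):
        for sub_type, value in subpackets(area):
            if sub_type == SUBPKT_ISSUER_KEY_ID:
                info["key_id"] = value.hex().upper()
            elif sub_type == SUBPKT_ISSUER_FINGERPRINT and value[0] == 4:
                info["fingerprint"] = value[1:21].hex().upper()
    return info


def keyserver_lookup_url(armored: str) -> str:
    """The HKP fetch a verifier issues for this signature (same shape as the plugin log)."""
    info = issuer_of(armored)
    return KEYSERVER + info.get("fingerprint", info["key_id"])


def signed_by_known_key(armored: str, fingerprints) -> bool:
    """A subkey signature names the subkey, so compare against every key in the fetched block."""
    return issuer_of(armored).get("fingerprint") in {f.upper() for f in fingerprints}


def build_sample_signature(fingerprint_hex: str) -> str:
    """Constructed input: v4 RSA/SHA-256 signature naming `fingerprint_hex` as issuer,
    with a dummy 8-bit MPI.  It parses but would never verify."""
    fpr = bytes.fromhex(fingerprint_hex)
    hashed = bytes([22, SUBPKT_ISSUER_FINGERPRINT, 4]) + fpr      # length octet counts the type byte
    unhashed = bytes([9, SUBPKT_ISSUER_KEY_ID]) + fpr[-8:]
    body = (bytes([4, 0x00, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x12\x34" + b"\x00\x08\xa5")
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body   # old-format tag 2, 2-octet length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP SIGNATURE-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP SIGNATURE-----\n")


if __name__ == "__main__":
    sig = build_sample_signature("EF6AD6684034B0CB67A9B5714406B84C1661DCD1")  # fingerprint from the thread
    print(issuer_of(sig))
    print(keyserver_lookup_url(sig))
```

Point `issuer_of` at a real `spring-data-commons-2.7.1.pom.asc` and compare the result with `gpg --list-packets` on the same file; the "issuer key ID" and "issuer fpr" lines gpg prints are the same two subpackets. If the artifact had been signed with a subkey, these subpackets would name the subkey, not the primary key, which is why `signed_by_known_key` should be fed every fingerprint in the key block the keyserver returns rather than only the primary one.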

spring-projects-issues commented 1 week ago

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues commented 1 day ago

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.