Maven Central signatures
Definition
Maven Central signatures are the cryptographic signatures used to verify the integrity and authenticity of artifacts downloaded from the Maven Central Repository. They are detached PGP (Pretty Good Privacy) signatures, produced by the publisher's private key at build time and published next to each artifact as a .asc file (for example, lib-1.0.jar.asc beside lib-1.0.jar). Verifying a signature with the publisher's public key confirms that the artifact has not been modified since it was signed and that it was signed by the holder of that key; which keys to trust is a separate decision the consumer must make out of band.
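The consumer-side check described above, as an added example that is not part of the original page: it maps Maven coordinates to the artifact and .asc paths on Maven Central and verifies the signature with gpg against a keyring that contains only vetted publisher keys. The repository URL, the keyring path and the helper names are assumptions of this example, and curl and gpg are assumed to be installed.

```shell
#!/bin/sh
# Added example: verify the detached PGP signature (.asc) that Maven Central
# publishes beside an artifact. MAVEN_REPO and KEYRING are assumptions.
set -eu

MAVEN_REPO="${MAVEN_REPO:-https://repo1.maven.org/maven2}"
# Keyring holding only publisher keys vetted out of band (assumed path).
KEYRING="${KEYRING:-${HOME:-.}/.m2/trusted-keys.gpg}"

# Map groupId:artifactId:version to the repository path of the jar,
# e.g. org.example:lib:1.0 -> org/example/lib/1.0/lib-1.0.jar
artifact_path() {
  group=$(printf '%s' "$1" | cut -d: -f1 | tr . /)
  artifact=$(printf '%s' "$1" | cut -d: -f2)
  version=$(printf '%s' "$1" | cut -d: -f3)
  printf '%s/%s/%s/%s-%s.jar' "$group" "$artifact" "$version" "$artifact" "$version"
}

# The detached signature lives at the artifact URL with ".asc" appended.
asc_url() {
  printf '%s/%s.asc' "$MAVEN_REPO" "$(artifact_path "$1")"
}

# Download the jar and its .asc, then verify. gpg exits non-zero on a bad
# signature or when the signing key is absent from the keyring; with set -e
# that aborts the script before the artifact is used.
verify_artifact() {
  coord="$1"
  path=$(artifact_path "$coord")
  jar=$(basename "$path")
  curl -fsSL -o "$jar" "$MAVEN_REPO/$path"
  curl -fsSL -o "$jar.asc" "$(asc_url "$coord")"
  gpg --no-default-keyring --keyring "$KEYRING" --verify "$jar.asc" "$jar"
}

# Usage (constructed coordinate): verify_artifact org.example:lib:1.0
```

Restricting gpg to a dedicated keyring matters: verifying against the default keyring accepts any key that was ever imported, including keys pulled from a keyserver without review.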
Secure Settings Example
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase> <!-- Bound to verify, so every artifact is signed before deploy -->
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
Insecure Settings Example
<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>none</phase> <!-- Incorrect phase: the execution is unbound, so signing never runs and unsigned artifacts are deployed -->
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>