Hacker News new | ask | show | jobs
by pron 4141 days ago
Well, to be fair, any public Maven repo is a MITM opportunity.
1 comments
teacup50 4141 days ago
Maven artifacts can be GPG signed; GPG signing is required for Maven central.

It would be irresponsible to use a service like this to build binary JARs that you then signed and uploaded with your own signature guaranteeing their providence.

link
jermo 4141 days ago
Releases have to be PGP signed, snapshot's don't.

How many people do you know that verify PGP signatures of their artifacts? Do you?

link
teacup50 4140 days ago
Yes, we verify signatures at our middleware repository cache.
link
pron 4140 days ago
Really? Impressive! Where do you get the public keys? Most projects hosted on Maven Central don't publish them on their website.
link
teacup50 4139 days ago
http://blog.sonatype.com/2009/04/nexus-133-introduces-automa...
link
pron 4139 days ago
But unless the signers have a public certificate, or publish their public keys on their website (which you need to obtain manually), the signatures on Maven Central can be just as fake as the artifacts.
link