Home/ Questions/Q 938643
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-15T21:40:36+00:00

I was just pointed to a very interesting article ( archived ) about a

  • 0

I was just pointed to a very interesting article (archived) about a security problem called
Cross Build Injection (XBI). Bascially it is a fancy name for smuggling bad code
into an application at build time via automated build systems such as ant, maven or ivy.

The problem could be alleviated by introducing a cryptographic signature validation für dependencies as it is currently in place with many operating systems for downloading packages.

To be clear: I am not talking about simply providing md5 or sha1 hashes for the artifacts. That is already done, but those hashes are stored in the same location as the artifacts. So once a malicious hacker compromises the repository and can replace the artifact they can replace the hashes as well.

So what is acutally needed is some kind of PKI, that allows the developers to sign their artifacts and maven to verify these signatures. Since the signature is done using the private key of the developer it cannot be tampered with when only the repository is compromised.

Does anyone know the state of this in maven?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Update: The checksums mentioned below are indeed only for integrity checks and are indeed stored with the artifacts so they don’t answer the question.

    Actually, one need to sign artifacts using PGP to upload them to a repository that is synced with central (the Maven GPG Plugin can help for this step). To verify signatures at download time, you are invited to use a repository manager supporting this feature. From How to Generate PGP Signatures with Maven:

    If you use a tool that downloads
    artifacts from the Central Maven
    repository, you need to make sure that
    you are making an effort to validate
    that these artifacts have a valid PGP
    signature that can be verified against
    a public key server. If you don’t
    validate signatures, then you have no
    guarantee that what you are
    downloading is the original artifact.
    One way to to verify signatures on
    artifacts is to use a repository
    manager like Nexus Professional. In
    Nexus Professional you can configure
    the procurement suite to check every
    downloaded artifact for a valid PGP
    signature and validate the signature
    against a public keyserver.

    If you are developing software using
    Maven, you should generate a PGP
    signature for your releases.
    Releasing software with valid
    signatures means that your customers
    can verify that a software artifact
    was generated by the original author
    and that it hasn’t been modified by
    anyone in transit. Most large OSS
    forges like the Apache Software
    Foundation require all projects to be
    released by a release manager whose
    key has been signed by other members
    of the organization, and if you want
    to synchronize your software artifacts
    to Maven central you are required to
    provide pgp signatures.

    See also


    The Maven Install Plugin can be configured to create integrity checksums (MD5, SHA-1) and you can configure a checksum policy per repository (see checksumPolicy).

    Maven repository managers can/should also be able to deal with them. See for example:

    • 0