
PGP signature invalid

Open ilatypov opened this issue 1 year ago • 2 comments

$ mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
[...]
[ERROR] org.springframework.data:spring-data-jpa:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]
[...]
[ERROR] org.springframework.data:spring-data-commons:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

in https://github.com/WebGoat/WebGoat/commit/8db9ff3

ilatypov avatar Oct 22 '24 16:10 ilatypov

If you would like us to spend some time helping you to diagnose the problem, please spend some time describing it and, ideally, providing what you expect.

mp911de avatar Oct 23 '24 06:10 mp911de

Perhaps an unexpected "sub" key was used automatically when signing.

If you've already distributed your public key, it's better to revoke the sub signing key instead of deleting it, although either way you can make your primary key as the signing key. To revoke a sub key, use the revkey command instead of delkey.

https://central.sonatype.org/publish/requirements/gpg/#delete-a-sub-key

On the other hand, this was a recommendation to a scenario where the developer is still playing with their signatures before publishing the artifact. Since the artifact and its signature are already published, I wonder if it makes sense to somehow make the public part of that other signing key (the "sub" key, perhaps) registered with the PGP servers?

Now I realize that my own idea is futile because the keyId indicated in the JAR uniquely identifies the signing key. The last chance at finding a cause and a remediation is to assume that the keyId's signing key's public part was not published at all. Then it needs publishing. I don't know how the artifact got past Sonatype's upload gating a year ago.

https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons/2.7.1

ilatypov avatar Oct 23 '24 17:10 ilatypov

Not quite sure I agree. The key has been published to the keyserver quite a while ago. Running the same command yields for me:

[INFO] Receive key: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1
	to /Users/mpaluch/.m2/repository/pgpkeys-cache/EF/6A/EF6AD6684034B0CB67A9B5714406B84C1661DCD1.asc
[INFO] org.springframework.data:spring-data-commons:jar:2.7.1 PGP Signature OK
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

with a pristine Spring Boot 2.7.1 Maven project and without a configuration of the verifier plugin.

Checking the POM yields the same successful verification.

In any case, artifacts on Maven Central are immutable and the key has been published which renders the ticket non-actionable.

mp911de avatar Oct 24 '24 09:10 mp911de
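As an added illustration, not code from this thread, from pgpverify-maven-plugin or from the Spring Data project: the Python script below decodes a detached .asc signature of the kind published next to a Maven artifact and reports which key the signature itself names as issuer (the 64-bit key ID and, where present, the full fingerprint). That issuer is what the plugin fetches from the keyserver, so comparing it with the key material actually retrieved is the first check when a signature is reported INVALID; a signature made with a signing subkey names that subkey, not the primary key. The script parses metadata only and verifies nothing. Its sample armored signature is constructed inline using the fingerprint quoted in the log above with a filler MPI, so it decodes but is not a real signature; `gpg --list-packets file.asc` prints the same fields for a real one.

```python
import base64
import struct

SUB_ISSUER, SUB_ISSUER_FINGERPRINT = 16, 33   # RFC 4880 / RFC 4880bis subpacket types
# Fingerprint quoted in the thread, used here only to build the constructed sample below.
FPR = bytes.fromhex("EF6AD6684034B0CB67A9B5714406B84C1661DCD1")

def crc24(data: bytes) -> int:
    """CRC-24 of the ASCII armor checksum line (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:
    """Strip armor header/footer, decode base64 and check the '=' CRC line."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                                   # armor headers (Version:, ...) end at a blank line
        body = body[body.index("") + 1:]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l for l in body if l.startswith("=")]
    if crc_lines and int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch: the signature file is corrupt")
    return raw

def read_packet_header(buf: bytes, pos: int):
    """Return (tag, body_start, body_length) for an old- or new-format packet header."""
    first = buf[pos]
    if first & 0x40:                                 # new-format header
        tag, l0 = first & 0x3F, buf[pos + 1]
        if l0 < 192:
            return tag, pos + 2, l0
        if l0 < 224:
            return tag, pos + 3, ((l0 - 192) << 8) + buf[pos + 2] + 192
        if l0 == 255:
            return tag, pos + 6, struct.unpack(">I", buf[pos + 2:pos + 6])[0]
        raise ValueError("partial body lengths are not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03  # old-format header (what GnuPG emits for signatures)
    if ltype == 3:
        raise ValueError("indeterminate packet length is not supported")
    n = 1 << ltype
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def parse_subpackets(data: bytes) -> dict:
    """Map subpacket type -> payload; the 'critical' high bit of the type byte is masked off."""
    out, pos = {}, 0
    while pos < len(data):
        l0 = data[pos]
        if l0 < 192:
            length, pos = l0, pos + 1
        elif l0 < 255:
            length, pos = ((l0 - 192) << 8) + data[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5
        out[data[pos] & 0x7F] = data[pos + 1:pos + length]
        pos += length
    return out

def parse_signature(raw: bytes) -> dict:
    """Extract algorithm ids and the issuer key id / fingerprint from a v4 signature packet."""
    tag, pos, body_len = read_packet_header(raw, 0)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = raw[pos:pos + body_len]
    if body[0] != 4:
        raise ValueError(f"only version 4 signatures are handled, got v{body[0]}")
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hashed_len])
    p = 6 + hashed_len
    unhashed = parse_subpackets(body[p + 2:p + 2 + struct.unpack(">H", body[p:p + 2])[0]])
    info = {"sig_type": body[1], "pubkey_alg": body[2], "hash_alg": body[3]}
    if SUB_ISSUER_FINGERPRINT in hashed:             # byte 0 is the key version, then the 20-byte fingerprint
        info["issuer_fingerprint"] = hashed[SUB_ISSUER_FINGERPRINT][1:].hex().upper()
    issuer = unhashed.get(SUB_ISSUER, hashed.get(SUB_ISSUER))
    if issuer is not None:
        info["issuer_key_id"] = issuer.hex().upper()
    if "issuer_fingerprint" in info and "issuer_key_id" in info:
        # A v4 key id is the low 64 bits of the fingerprint; a mismatch means a malformed signature.
        info["issuer_consistent"] = info["issuer_fingerprint"].endswith(info["issuer_key_id"])
    return info

def build_sample_signature() -> str:
    """Constructed v4 signature packet for the demo; the MPI is filler, not a real RSA signature."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1656000000)           # creation-time subpacket
    hashed += bytes([22, SUB_ISSUER_FINGERPRINT, 4]) + FPR
    unhashed = bytes([9, SUB_ISSUER]) + FPR[-8:]
    mpi = struct.pack(">H", 128) + b"\x80" + b"\x11" * 15
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed   # v4, binary doc, RSA, SHA-256
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xab\xcd" + mpi)
    packet = bytes([0xC2, len(body)]) + body                         # new-format header, tag 2
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n={crc}\n-----END PGP SIGNATURE-----\n"

if __name__ == "__main__":
    info = parse_signature(dearmor(build_sample_signature()))
    print(info)   # the issuer is the key to fetch, e.g. search=0x<issuer_fingerprint> on the keyserver
```

To use it on a real artifact, pass the contents of the downloaded `.pom.asc` or `.jar.asc` to `dearmor` and then `parse_signature`; if the reported issuer is a subkey ID, check that the key fetched from the keyserver actually contains that subkey before concluding the signature itself is bad.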

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

spring-projects-issues avatar Oct 31 '24 09:10 spring-projects-issues

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

spring-projects-issues avatar Nov 07 '24 09:11 spring-projects-issues