Plugin fails to verify an artifact with revoked public key #557

Open
fabianfrz opened this issue Jun 3, 2024 · 1 comment

Comments

@fabianfrz
Contributor

Describe the bug
It seems like the plugin is failing when the key has been revoked on the key server.

```
Caused by: org.bouncycastle.openpgp.PGPException: org.bouncycastle.openpgp.PGPSignatureList found where PGPPublicKeyRing expected
    at org.bouncycastle.openpgp.PGPPublicKeyRingCollection.<init> (Unknown Source)
    at org.simplify4u.plugins.pgp.PublicKeyUtils.loadPublicKeyRing (PublicKeyUtils.java:144)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.loadKeyFromFile (PGPKeysCache.java:230)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.receiveKey (PGPKeysCache.java:275)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$null$2 (PGPKeysCache.java:181)
    at org.simplify4u.plugins.keyserver.PGPKeysCache$KeyServerListOne.execute (PGPKeysCache.java:372)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.lambda$getKeyRing$b1186df7$1 (PGPKeysCache.java:181)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.keyserver.PGPKeysCache.getKeyRing (PGPKeysCache.java:181)
    at org.simplify4u.plugins.pgp.SignatureUtils.lambda$checkSignature$91862a76$1 (SignatureUtils.java:304)
    at io.vavr.control.Try.of (Try.java:75)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:304)
    at org.simplify4u.plugins.pgp.SignatureUtils.checkSignature (SignatureUtils.java:362)
    at org.simplify4u.plugins.CheckMojo.processArtifactSignature (CheckMojo.java:243)
```

To Reproduce

```sh
cd $CI_PROJECT_DIR/project/dir && mvn org.simplify4u.plugins:pgpverify-maven-plugin:1.17.0:check \
        -Dpgpverify.keyserversLoadBalance=false \
        -Dpgpverify.keyserver=https://keyserver.ubuntu.com \
        -Dpgpverify.keysMapLocation=`pwd`/../../.mvn/keysmap.properties
```

Project needs to include this artifact:
https://mvnrepository.com/artifact/org.springframework.plugin/spring-plugin-core/2.0.0.RELEASE

Expected behavior
PGP Verify handles it as badSig or noSig, as a revoked key means that the signature should not be trusted.

Additional context

Related: spring-projects/spring-plugin#102
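
The failure above comes from handing the raw keyserver response straight to the PGPPublicKeyRingCollection constructor, which throws as soon as it meets an OpenPGP object that is not a key ring. As an added illustration (not code from the pgpverify plugin or from the reporter), the hypothetical SafeKeyRingLoader below walks every object in the response with PGPObjectFactory, so a bare revocation signature or a revoked key is reported as REVOKED and can be mapped to badSig/noSig instead of aborting the build with a parse error; the class, Status and Result names are assumptions.

```java
import java.io.InputStream;
import org.bouncycastle.openpgp.PGPObjectFactory;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.openpgp.PGPSignature;
import org.bouncycastle.openpgp.PGPSignatureList;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;

// Hypothetical helper (not the plugin's PublicKeyUtils.loadPublicKeyRing): loads a key ring
// from a keyserver response without assuming the first OpenPGP object is a key ring.
public final class SafeKeyRingLoader {
    /** Trust decision for the fetched key; only OK may be used to verify an artifact. */
    public enum Status { OK, REVOKED, NOT_A_KEYRING }

    public static final class Result {
        public final PGPPublicKeyRing ring; public final Status status; // ring is null unless OK
        Result(PGPPublicKeyRing r, Status s) { ring = r; status = s; }
    }

    public static Result load(InputStream keyserverResponse, long wantedKeyId) throws Exception {
        PGPObjectFactory factory = new PGPObjectFactory(
                PGPUtil.getDecoderStream(keyserverResponse), new JcaKeyFingerprintCalculator());
        PGPPublicKeyRing ring = null;
        boolean revocationSeen = false;
        // Walk every object: the response may carry a bare PGPSignatureList (e.g. a revocation
        // certificate) before, after, or instead of the PGPPublicKeyRing.
        for (Object obj = factory.nextObject(); obj != null; obj = factory.nextObject()) {
            if (obj instanceof PGPPublicKeyRing) {
                PGPPublicKeyRing candidate = (PGPPublicKeyRing) obj;
                if (candidate.getPublicKey(wantedKeyId) != null) ring = candidate;
            } else if (obj instanceof PGPSignatureList) {
                PGPSignatureList sigs = (PGPSignatureList) obj;
                for (int i = 0; i < sigs.size(); i++) {
                    int type = sigs.get(i).getSignatureType();
                    // Any standalone (sub)key revocation in the response is treated as revoked.
                    if (type == PGPSignature.KEY_REVOCATION || type == PGPSignature.SUBKEY_REVOCATION) {
                        revocationSeen = true;
                    }
                }
            }
        }
        // Fail closed: a revocation, a revoked key, or no usable ring means "do not trust".
        if (ring == null) return new Result(null, revocationSeen ? Status.REVOKED : Status.NOT_A_KEYRING);
        PGPPublicKey key = ring.getPublicKey(wantedKeyId);
        if (revocationSeen || key.hasRevocation() || ring.getPublicKey().hasRevocation()) {
            return new Result(null, Status.REVOKED);
        }
        return new Result(ring, Status.OK);
    }
}
```

A caller would map REVOKED and NOT_A_KEYRING to the plugin's badSig/noSig outcomes and only pass a ring with status OK on to signature verification.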

@slawekjaranowski
Member

Please try with the latest version 1.18.2 of the plugin.

Please also provide a simple project which can be used to reproduce.
