Hi everyone,
I was just pointed to a very interesting article about a security problem called Cross Build Injection (XBI). Basically it is a fancy name for smuggling bad code into an application at build time via automated build systems such as ant, maven or ivy.
The problem could be alleviated by introducing cryptographic signature validation for dependencies, as is currently in place with many operating systems for downloading packages.
To be clear: I am not talking about simply providing md5 or sha1 hashes for the artifacts. That is already done, but those hashes are stored in the same location as the artifacts. So once a malicious hacker compromises the repository and can replace the artifact, they can replace the hashes as well.
So what is actually needed is some kind of PKI that allows the developers to sign their artifacts and maven to verify these signatures. Since the signature is made using the private key of the developer, it cannot be tampered with when only the repository is compromised.
Does anyone know the state of this in maven?
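The following Go program is an added illustration of the argument in the post above; it is not code from the post's author or from Maven. It models a repository holding an artifact, its co-located .sha1 file and a detached developer signature, then plays through the compromise described: the attacker swaps the artifact and recomputes the hash, so a hash-only check still passes, while the signature check against a public key the build machine already trusts fails. Ed25519 stands in for whatever signature scheme a real PKI would use, and the repository layout, the function names and the artifact bytes are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
)

// Repository models one artifact as laid out in a Maven-style repository:
// the jar itself, the .sha1 file stored right next to it, and a detached
// signature the developer produced before upload. The layout and all bytes
// below are constructed for the example.
type Repository struct {
	Artifact  []byte
	Sha1Hex   string // contents of foo-1.0.jar.sha1, co-located with the jar
	Signature []byte // detached signature over the artifact bytes
}

// NewDeveloperKey generates the developer's signing key pair. Ed25519 stands
// in for whatever scheme a real PKI would use; only the public key has to be
// distributed to build machines, and it must not be fetched from the repository.
func NewDeveloperKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS CSPRNG is unavailable
	}
	return pub, priv
}

// Publish is the developer's release step: hash the artifact for the .sha1
// file and sign the same bytes with the private key.
func Publish(priv ed25519.PrivateKey, artifact []byte) Repository {
	sum := sha1.Sum(artifact)
	return Repository{
		Artifact:  artifact,
		Sha1Hex:   hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, artifact),
	}
}

// CompromiseRepository models an attacker with write access to the repository.
// They swap the artifact and recompute the co-located .sha1 file, which is all
// the hash check looks at. The signature is left as is: without the
// developer's private key they cannot produce a valid one for the new bytes.
func CompromiseRepository(r Repository, malicious []byte) Repository {
	sum := sha1.Sum(malicious)
	r.Artifact = malicious
	r.Sha1Hex = hex.EncodeToString(sum[:])
	return r
}

// ResignWithAttackerKey models the attacker also replacing the signature with
// one made under a key of their own. It only helps them if the build tool
// accepts whatever public key the repository offers instead of a pinned one.
func ResignWithAttackerKey(r Repository) Repository {
	_, attackerPriv := NewDeveloperKey()
	r.Signature = ed25519.Sign(attackerPriv, r.Artifact)
	return r
}

// VerifyHash is what a build tool does when it only compares the download
// against the .sha1 file fetched from the same repository.
func VerifyHash(r Repository) bool {
	sum := sha1.Sum(r.Artifact)
	return hex.EncodeToString(sum[:]) == r.Sha1Hex
}

// VerifySignature checks the detached signature against a developer public
// key the build tool already trusts (pinned or obtained out of band).
func VerifySignature(trusted ed25519.PublicKey, r Repository) bool {
	return ed25519.Verify(trusted, r.Artifact, r.Signature)
}

func main() {
	pub, priv := NewDeveloperKey()
	clean := Publish(priv, []byte("constructed bytes of the genuine foo-1.0.jar"))
	tampered := CompromiseRepository(clean, []byte("constructed bytes of a backdoored foo-1.0.jar"))
	resigned := ResignWithAttackerKey(tampered)

	fmt.Printf("clean:    hash ok=%v  signature ok=%v\n", VerifyHash(clean), VerifySignature(pub, clean))
	fmt.Printf("tampered: hash ok=%v  signature ok=%v\n", VerifyHash(tampered), VerifySignature(pub, tampered))
	fmt.Printf("resigned: hash ok=%v  signature ok=%v\n", VerifyHash(resigned), VerifySignature(pub, resigned))
}
```

The design point is where the trust anchor lives: the .sha1 file sits beside the artifact and is overwritten by the same write access that replaces the jar, whereas the developer's public key is delivered to the build machine through a separate channel, so replacing anything in the repository cannot make a forged artifact verify.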