
Add plexus-xml as explicit dependency required by plexus-sec-dispatcher #40

Open. Wants to merge 1 commit into base: master.

Conversation

HannesWell

Since version 4 the xml tools of plexus-utils have been moved into plexus-xml, but plexus-utils only has an optional dependency on it. Since org.sonatype.plexus:plexus-sec-dispatcher is compiled against plexus-utils version 1.5, it expects the xml classes to be available and fails with a
java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
in org.sonatype.plexus.components.sec.dispatcher.SecUtil.read(), when creating an instance of SecurityConfigurationXpp3Reader.

The full stack-trace is

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:3.1.0:sign (sign-jars) on project foo:bar Error processing archives java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader: org.codehaus.plexus.util.xml.XmlStreamReader -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:3.1.0:sign (sign-jars) on project foo:bar: Error processing archives
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:333)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:316)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:174)
	at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:75)
	at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:162)
	at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:159)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:105)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:53)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:118)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:261)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:173)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:101)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:906)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:283)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:206)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:255)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:201)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:361)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:314)
Caused by: org.apache.maven.plugin.MojoExecutionException: Error processing archives
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.processArchives(JarsignerSignMojo.java:330)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.execute(AbstractJarsignerMojo.java:284)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:126)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:328)
	... 25 more
Caused by: java.util.concurrent.ExecutionException: java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.processArchives(JarsignerSignMojo.java:321)
	... 28 more
Caused by: java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
	at org.sonatype.plexus.components.sec.dispatcher.SecUtil.read(SecUtil.java:58)
	at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.getSec(DefaultSecDispatcher.java:206)
	at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt(DefaultSecDispatcher.java:90)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.decrypt(AbstractJarsignerMojo.java:561)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.createRequest(JarsignerSignMojo.java:295)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.processArchive(AbstractJarsignerMojo.java:472)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.lambda$processArchives$0(JarsignerSignMojo.java:315)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassNotFoundException: org.codehaus.plexus.util.xml.XmlStreamReader
	at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:42)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:225)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:210)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:205)
	... 11 more

Since version 4 the xml tools of plexus-utils have been moved into
plexus-xml, but plexus-utils only has an optional dependency on it.
Since org.sonatype.plexus:plexus-sec-dispatcher is compiled against
plexus-utils version 1.5 it expects the xml classes to be available and
fails with an
'java.lang.NoClassDefFoundError:
org/codehaus/plexus/util/xml/XmlStreamReader'

in org.sonatype.plexus.components.sec.dispatcher.SecUtil.read(), when
creating an instance of 'SecurityConfigurationXpp3Reader'.
@HannesWell
Author

HannesWell commented Dec 5, 2024

Of course ideally plexus-sec-dispatcher would be adapted to not require plexus-xml anymore, or at least to require it explicitly, but since the latest release happened 15 years ago, I assume nothing will change there.

And since I have not found any other report about this error I wonder if I do something wrong in the configuration of my jarsigner execution? But as far as I can tell, my configuration looks quite default.

@slawekjaranowski
Member

It is interesting that no integration tests fail because of it ....

@HannesWell
Author

> It is interesting that no integration tests fail because of it ....

Yes, absolutely. That's why I was wondering if I use a special configuration or alike. For me signing failed completely and immediately.

@slawekjaranowski
Member

Can you try to reproduce it and add a test?

@HannesWell
Author

> Can you try to reproduce it and add a test?

I'm currently working on a reproducer. The problems are (and I think that's the reason why the tests didn't discover it) that only dummy SecDispatcher implementations are used and not a real DefaultSecDispatcher. Plus it looks like in tests the optional dependency of plexus-utils on plexus-xml is added, while it isn't at runtime.
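As an added illustration of the mismatch described in the PR description and in the comment above (this is an example written for this page, not code from maven-jarsigner-plugin, plexus-utils or the PR), the script below parses the text output of "mvn dependency:tree" and reports when plexus-utils 4.x is resolved without plexus-xml in a runtime-visible scope. It treats a plexus-xml that is present only in test scope as still broken, which is exactly the situation in which a test suite stays green while the real plugin fails with NoClassDefFoundError. The artifact coordinates are the ones named in the thread; the version numbers, the sample trees and the dependency:tree layout the regex assumes are constructed for the example.

```python
import re
from typing import List, NamedTuple, Tuple

PLEXUS_GROUP = "org.codehaus.plexus"
# Scopes whose artifacts end up in the plugin's runtime class realm.
RUNTIME_VISIBLE_SCOPES = {"compile", "runtime"}
# Library named in the thread that is compiled against plexus-utils 1.5 and
# therefore needs org.codehaus.plexus.util.xml on the runtime classpath.
OLD_XML_CONSUMERS = {("org.sonatype.plexus", "plexus-sec-dispatcher")}

# One artifact line of `mvn dependency:tree` text output, for example
# "[INFO] |  +- org.codehaus.plexus:plexus-utils:jar:4.0.0:compile".
# The optional classifier field is handled by backtracking.
_DEP_LINE = re.compile(
    r"^\[INFO\]\s+[|\s]*[+\\]-\s+"
    r"(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<type>[^:\s]+):"
    r"(?:(?P<classifier>[^:\s]+):)?(?P<version>[^:\s]+):(?P<scope>[a-z]+)"
)


class Dep(NamedTuple):
    group: str
    artifact: str
    version: str
    scope: str


def parse_tree(text: str) -> List[Dep]:
    """Extract (group, artifact, version, scope) from dependency:tree output."""
    deps = []
    for line in text.splitlines():
        m = _DEP_LINE.match(line)
        if m:
            deps.append(Dep(m["group"], m["artifact"], m["version"], m["scope"]))
    return deps


def major_version(version: str) -> int:
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else 0


def check_plexus_xml(deps: List[Dep]) -> Tuple[str, str]:
    """Return (status, explanation); status is "ok", "test-only" or "missing"."""
    utils = [d for d in deps if d.group == PLEXUS_GROUP and d.artifact == "plexus-utils"]
    xml = [d for d in deps if d.group == PLEXUS_GROUP and d.artifact == "plexus-xml"]
    consumers = sorted(f"{d.group}:{d.artifact}:{d.version}" for d in deps
                       if (d.group, d.artifact) in OLD_XML_CONSUMERS)

    if not any(major_version(d.version) >= 4 for d in utils):
        return "ok", "no plexus-utils 4.x resolved; the xml classes are still inside plexus-utils"
    if any(d.scope in RUNTIME_VISIBLE_SCOPES for d in xml):
        return "ok", "plexus-xml is resolved in a runtime-visible scope"

    who = f" (needed by {', '.join(consumers)})" if consumers else ""
    if xml:
        return ("test-only",
                "plexus-xml is only on the test classpath; tests pass but the plugin "
                f"will throw NoClassDefFoundError at runtime{who}")
    return ("missing",
            "plexus-utils 4.x is resolved without plexus-xml; declare plexus-xml "
            f"as an explicit dependency{who}")


# Constructed sample trees in dependency:tree layout (version numbers illustrative).
TREE_TEST_SCOPE_ONLY = r"""
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:4.0.0:compile
[INFO] \- org.codehaus.plexus:plexus-xml:jar:4.0.0:test
"""
TREE_MISSING = r"""
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] \- org.codehaus.plexus:plexus-utils:jar:4.0.0:compile
"""
TREE_FIXED = r"""
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] +- org.codehaus.plexus:plexus-utils:jar:4.0.0:compile
[INFO] \- org.codehaus.plexus:plexus-xml:jar:4.0.0:compile
"""
TREE_OLD_UTILS = r"""
[INFO] org.example:demo:jar:1.0-SNAPSHOT
[INFO] +- org.sonatype.plexus:plexus-sec-dispatcher:jar:1.4:compile
[INFO] \- org.codehaus.plexus:plexus-utils:jar:3.5.1:compile
"""

if __name__ == "__main__":
    for name, tree in [("test-only", TREE_TEST_SCOPE_ONLY), ("missing", TREE_MISSING),
                       ("fixed", TREE_FIXED), ("old-utils", TREE_OLD_UTILS)]:
        status, why = check_plexus_xml(parse_tree(tree))
        print(f"{name:10s} -> {status}: {why}")
```

To run it against a real project, pipe the output of "mvn dependency:tree" into parse_tree; the "test-only" status is the one a CI gate should treat as a failure, since it is the case that the plugin's own tests cannot distinguish from a working classpath.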

@slachiewicz
Member

@cstamas fyi

@slawekjaranowski
Member

@HannesWell which Maven version do you use?

@cstamas
Member

cstamas commented Dec 8, 2024

Otp, but need to look at this...

@HannesWell
Author

> Can you try to reproduce it and add a test?

Just created #41, but it currently does not fail as desired.

> @HannesWell which Maven version do you use?

3.9.9

In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old and I regularly get errors like the following, always using the same encrypted key.

 Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
     at com.sun.crypto.provider.CipherCore.unpad (CipherCore.java:862)
     at com.sun.crypto.provider.CipherCore.fillOutputBuffer (CipherCore.java:942)
     at com.sun.crypto.provider.CipherCore.doFinal (CipherCore.java:735)
     at com.sun.crypto.provider.AESCipher.engineDoFinal (AESCipher.java:436)
     at javax.crypto.Cipher.doFinal (Cipher.java:2205)
     at org.sonatype.plexus.components.cipher.PBECipher.decrypt64 (PBECipher.java:185)
     at org.sonatype.plexus.components.cipher.DefaultPlexusCipher.decrypt (DefaultPlexusCipher.java:72)
     at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt (DefaultSecDispatcher.java:96)
     at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.decrypt (AbstractJarsignerMojo.java:561)

I first looked at org.codehaus.plexus:plexus-sec-dispatcher, which looked like the natural successor to me, but found out that it's explicitly blocked by some enforcer rules. And I assume that's for a good reason.
Furthermore https://issues.apache.org/jira/browse/MNG-4384 mentioned SettingsDecrypter, but I failed to apply it here and therefore assume it would also require work in that interface. And given that it's deprecated for Maven 4, I assume it isn't the best solution nowadays anyway:
https://github.com/apache/maven/blob/1b5b5c8f9e7433762e8dce53c2e17d75b6a06b06/compat/maven-settings-builder/src/main/java/org/apache/maven/settings/crypto/SettingsDecrypter.java#L26-L27

If you can tell me a good way forward I would be interested in making the jarsigner plugin more robust and up-to-date.
Or is using Maven's password encryption mechanism for the signature file password not recommended?
https://maven.apache.org/guides/mini/guide-encryption.html
Because this seems to be the root of all my problems.

@HannesWell
Author

HannesWell commented Jan 2, 2025

> In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old and I regularly get errors like the following, always using the same encrypted key.

Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

@slawekjaranowski
Member

> In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old and I regularly get errors like the following, always using the same encrypted key.
>
> Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

It is a good way.

@slachiewicz
Member

Maybe we could also add this to banned dependencies like with plexus container?

@cstamas
Member

cstamas commented Jan 25, 2025

> Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

yup yup yup
