Please document your gpg keys

[yeikel]

We use Dependency Verification and currently there is no documentation stating which keys are safe

Could you please document this?

Here are some examples of other projects documenting what key they use to sign their artifacts.

https://github.com/qos-ch/slf4j/blob/master/SECURITY.md#verifying-contents
https://square.github.io/okhttp/security/security/#verifying-artifacts
https://downloads.apache.org/logging/KEYS

[sazzad16]

If your concern is dependency verification, you may consider checksum verification at this moment.

As for signature verification, we'll see what we can do.

[gkorland]

@yeikel you can find the keys in the maven repository see: https://repo1.maven.org/maven2/redis/clients/jedis/4.2.3/

[yeikel]

Thank you for your input @sazzad16 @gkorland

The idea behind documenting the secure keys in a central and secure location (such as in SECURITY.MD) is to have a source of truth other than Maven Central when it comes to validating a release.

There are two challenges when the key is not documented:

• If the key changes between versions, there is no clear way to verify if this change was intentional or not. This creates friction

• if Maven central is compromised, the entire repository would be as well. That would include both the checksum and the keys stored there. Using the checksum would only help existing users that know the previous checksums

Example attacks :

• An attacker could change and older version less likely to be monitored (ex : 2.7.3) and replace it with their own .asc file and checksum information. New users of that version would be vulnerable
• An attacker could publish a new version (say 4.2.4) with key 2

To summarize, Checksum verification verifies the integrity of artifacts while signature verification verifies the origin of the artifacts.

[yogurtearl]

Looks like the signing key changed with the 5.0.0 release, but there was no mention of this in the release notes.

Looks like 5.0.0 is signed with these keys:
https://keyserver.ubuntu.com/pks/lookup?search=6bf6c1905c9642d1181d157443543d884cc71c96&fingerprint=on&op=index

For security purposes, it would be great if you were able to publish details (in the project docs) about gpg public keys that are "valid" for use when verifying signing artifacts uploaded to maven central.

This allows for "out of band" verification of the expected signing key.

Some examples of other libs publishing their signing keys:

https://square.github.io/okhttp/security/security/#verifying-artifacts

https://github.com/eclipse/jetty.project/blob/jetty-10.0.x/KEYS.txt
https://downloads.apache.org/commons/KEYS
https://downloads.apache.org/logging/KEYS

[yogurtearl]

Looks like the key used to sign jedis 5.1.1 artifacts is different than 5.1.0 ?

5.1.0 was signed with:
https://keyserver.ubuntu.com/pks/lookup?search=6bf6c1905c9642d1181d157443543d884cc71c96&fingerprint=on&op=index

5.1.1 was signed with:
https://keyserver.ubuntu.com/pks/lookup?search=165E63A75659104C72B49129C2B44BE148BDCEC8&fingerprint=on&op=index

Was this change to the signing keys intentional?
if the signing key was documented here (in the README or in a KEYS.md) it would be clear if these was intentional or a mistake or something else.

[sazzad16]

@chayim cc

[github-actions]

This issue is marked stale. It will be closed in 30 days if it is not updated.

[yogurtearl]

not stale