Hello, I see two mixed topics in this discussion: verifying artifact transfer integrity, and verifying that the downloaded artifact is really the one expected from the security perspective. The latter does not have anything to do with Maven Central or any other repository. Checksums in repositories (used by Wagon) can only be used for verifying transfer integrity. Verifying an artifact via a secure checksum that is obtained from a trusted source (e.g. a local file like package-lock.json in NodeJS) and having some sort of lock file in the project is a different topic that is, for example, being addressed by checksum-maven-plugin. I think it would be awesome if Maven itself could support this use case... I would love to be sure that a specific JAR downloaded a year ago is exactly the same as the JAR with the same coordinates downloaded today.
Pavel

On Thu, 14 Oct 2021 at 10:47, Mickael Istria <mist...@redhat.com> wrote:
> On Thu, Oct 14, 2021 at 10:36 AM Romain Manni-Bucau <rmannibu...@gmail.com>
> wrote:
>
> > I agree with Bernd, checksums are there to validate the consistency of the
> > artifact, nothing linked to security.
>
> Ensuring the user gets a consistent artifact as desired -and not a malicious
> forged one- is 1 aspect of security.
>
> > On central the security side is provided by the asc file which is
> > sufficient if you trust only allowed releasers' keys in practice; pretending
> > you are a releaser will be quite hard, so this is likely the best security
> > you can set up as of today and no checksum algorithm can make it stronger
> > (it is 1-1 in terms of security).
>
> That is, as far as I understand, another aspect of security, which is more
> about authenticating provenance of the artifact when publishing it to the
> repo and verifying the author. It can be used as an alternative to checksums
> as well because the signature contains a form of hash, but -correct me if
> I'm wrong- if the only goal is to verify consistency, then signatures are
> overkill and will perform worse than checksum algorithms anyway.
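The distinction Pavel draws above, as an added example that is not part of the thread and not code from Maven, Wagon or checksum-maven-plugin: a repository-side checksum (fetched from the same place as the artifact) only proves the bytes arrived intact, while a digest pinned in a trusted, version-controlled lock file proves the bytes are the ones you accepted earlier. The JAR bytes, the coordinates and the lock-file layout ({coords: "sha256:<hex>"}) are constructed for this example; signature (.asc) verification is a separate check and is not shown.

```python
import hashlib
import hmac
import json

# Constructed sample artifacts standing in for JAR bytes (not real JARs).
GOOD_JAR = b"PK\x03\x04 demo-lib 1.0 contents"
TAMPERED_JAR = b"PK\x03\x04 demo-lib 1.0 contents + extra class"
COORDS = "org.example:demo-lib:1.0"  # hypothetical coordinates


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def transfer_integrity_ok(artifact: bytes, repo_checksum_hex: str) -> bool:
    """Repository-style check (what the .sha1/.md5 files next to an artifact give
    you): the digest is fetched from the SAME place as the artifact, so it only
    detects corruption in transit. Whoever can replace the artifact can replace
    the checksum file too, so a match says nothing about provenance."""
    return hmac.compare_digest(sha256_hex(artifact), repo_checksum_hex)


def pin(lock: dict, coords: str, artifact: bytes) -> dict:
    """Record the digest of an artifact you have reviewed into the lock file.
    The lock format here is hypothetical: {coords: "sha256:<hex>"}."""
    lock[coords] = "sha256:" + sha256_hex(artifact)
    return lock


def verify_pinned(lock: dict, coords: str, artifact: bytes) -> bool:
    """Lock-file check: the expected digest comes from a trusted, version-controlled
    file, not from the repository. Unpinned coordinates are an error, not a pass."""
    entry = lock.get(coords)
    if entry is None:
        raise KeyError(f"{coords} is not pinned; refusing to accept it silently")
    algo, _, expected = entry.partition(":")
    if algo != "sha256" or len(expected) != 64:
        raise ValueError(f"unsupported or malformed pin for {coords}: {entry!r}")
    return hmac.compare_digest(sha256_hex(artifact), expected)


def scenario() -> dict:
    """A year ago: pin GOOD_JAR. Today: a mirror serves TAMPERED_JAR together
    with a checksum file that matches it. Returns what each check concludes."""
    lock = pin({}, COORDS, GOOD_JAR)
    lock_text = json.dumps(lock, indent=2)      # what would be committed to the repo
    lock_today = json.loads(lock_text)          # read back at build time
    served_checksum = sha256_hex(TAMPERED_JAR)  # the mirror's matching .sha256 file
    return {
        "transfer_ok_today": transfer_integrity_ok(TAMPERED_JAR, served_checksum),
        "pin_ok_today": verify_pinned(lock_today, COORDS, TAMPERED_JAR),
        "pin_ok_for_original": verify_pinned(lock_today, COORDS, GOOD_JAR),
    }


if __name__ == "__main__":
    print(json.dumps(scenario(), indent=2))
```

The point the scenario makes is Romain's: the choice of checksum algorithm on the repository side changes nothing, because the checksum travels with the artifact. What changes the security property is where the expected digest comes from, which is why the lock file is kept out of the repository and under version control, and why an unpinned coordinate fails closed instead of being accepted.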