Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

PGP signature invalid #3184

Closed
ilatypov opened this issue Oct 22, 2024 · 5 comments
Closed

PGP signature invalid #3184

ilatypov opened this issue Oct 22, 2024 · 5 comments

Comments

@ilatypov
Copy link

ilatypov commented Oct 22, 2024
edited
Loading 

$ mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
[...]
[ERROR] org.springframework.data:spring-data-jpa:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]
[...]
[ERROR] org.springframework.data:spring-data-commons:pom:2.7.1 PGP Signature INVALID
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

in WebGoat/WebGoat@8db9ff3
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Oct 22, 2024
@mp911de
Copy link
Member

mp911de commented Oct 23, 2024

If you would like us to spend some time helping you to diagnose the problem, please spend some time describing it and, ideally, providing what you expect.

@mp911de mp911de added the status: waiting-for-feedback We need additional information before we can continue label Oct 23, 2024
@ilatypov
Copy link
Author

ilatypov commented Oct 23, 2024
edited
Loading

Perhaps, an unexpected "sub" key was used automatically when signing.

If you've already distributed your public key, it's better to revoke the sub signing key instead of deleting it, although either way you can make your primary key as the signing key. To revoke a sub key, use the revkey command instead of delkey.

https://central.sonatype.org/publish/requirements/gpg/#delete-a-sub-key

On the other hand, this was a recommendation to a scenario where the developer is still playing with their signatures before publishing the artifact. Since the artifact and its signature are already published, I wonder if it makes sense to somehow make the public part of that other signing key (the "sub" key, perhaps) registered with the PGP servers?

Now I realize that my own idea is futile because the keyId indicated in the JAR uniquely identifies the signing key. The last chance at finding a cause and a remediation is to assume that the keyId's signing key's public part was not published at all. Then it needs publishing. I don't know how the artifact got past Sonatype's upload gating a year ago.

https://central.sonatype.com/artifact/org.springframework.data/spring-data-commons/2.7.1

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Oct 23, 2024
@mp911de
Copy link
Member

mp911de commented Oct 24, 2024

Not quite sure I agree. The key has been published to the keyserver quite a while ago. Running the same command yields for me:

[INFO] Receive key: https://keyserver.ubuntu.com/pks/lookup?op=get&options=mr&search=0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1
	to /Users/mpaluch/.m2/repository/pgpkeys-cache/EF/6A/EF6AD6684034B0CB67A9B5714406B84C1661DCD1.asc
[INFO] org.springframework.data:spring-data-commons:jar:2.7.1 PGP Signature OK
       KeyId: 0xEF6AD6684034B0CB67A9B5714406B84C1661DCD1 UserIds: [Mark Paluch <[email protected]>]

with a pristine Spring Boot 2.7.1 Maven project and without a configuration of the verifier plugin.

Checking the POM yields the same successful verification.

In any case, artifacts on Maven Central are immutable and the key has been published which renders the ticket non-actionable.

@mp911de mp911de added status: waiting-for-feedback We need additional information before we can continue and removed status: feedback-provided Feedback has been provided labels Oct 24, 2024
@spring-projects-issues
Copy link

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.

@spring-projects-issues spring-projects-issues added the status: feedback-reminder We've sent a reminder that we need additional information before we can continue label Oct 31, 2024
@spring-projects-issues
Copy link

Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.

@spring-projects-issues spring-projects-issues closed this as not planned Won't fix, can't repro, duplicate, stale Nov 7, 2024
@spring-projects-issues spring-projects-issues removed status: waiting-for-feedback We need additional information before we can continue status: feedback-reminder We've sent a reminder that we need additional information before we can continue status: waiting-for-triage An issue we've not yet triaged labels Nov 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@ilatypov @mp911de @spring-projects-issues