[Security] Maven Repositories: Add Trusted Checksum Verification #7269
Open
chrisrueger wants to merge 1 commit into
Pull request overview
This PR adds “trusted checksum” verification for Maven-backed repositories in bnd/bndtools, allowing locally-defined expected digests (via a .checksums sidecar file) to be enforced when artifacts are used. It integrates checksum enforcement into repository workflows, adds UI actions to generate checksum files, updates docs/configuration, and bumps package versions to reflect the new API surface.
Changes:
- Introduces `TrustedChecksums` + `DigestValidator` and wires trusted checksum enforcement into `MavenRepository` access paths.
- Adds `checksumFile` configuration to Maven index and POM repository providers and surfaces the feature via UI actions/tooltips.
- Adds documentation plus test resources/tests for checksum parsing and pass/fail scenarios.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| docs/_plugins/maven.md | Documents checksumFile and trusted checksum verification behavior. |
| bndtools.core/_plugin.xml | Adds checksumFile properties to the Eclipse plugin configuration metadata. |
| biz.aQute.repository/testresources/mavenrepo/index.maven.failing.checksums | Adds failing checksum inputs for tests. |
| biz.aQute.repository/testresources/mavenrepo/index.maven.checksums | Adds passing checksum inputs for tests. |
| biz.aQute.repository/test/aQute/maven/provider/TrustedChecksumsTest.java | Adds unit tests for checksum line parsing. |
| biz.aQute.repository/test/aQute/bnd/repository/maven/provider/MavenBndRepoTest.java | Adds integration tests for trusted checksum pass/fail behavior. |
| biz.aQute.repository/src/aQute/maven/provider/TrustedChecksums.java | Implements trusted checksum file parsing, caching, validation, and generation. |
| biz.aQute.repository/src/aQute/maven/provider/packageinfo | Bumps package version for the Maven provider package. |
| biz.aQute.repository/src/aQute/maven/provider/MavenRepository.java | Enforces trusted checksum checks when returning/using local files and after fetch. |
| biz.aQute.repository/src/aQute/maven/provider/MavenBackingRepository.java | Refactors digest validation to the shared helper. |
| biz.aQute.repository/src/aQute/maven/provider/DigestValidator.java | New shared digest-comparison helper for checksum validation. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/provider/RepoActions.java | Adds a UI action to create trusted checksums files. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/provider/package-info.java | Bumps package version for MavenBndRepository provider package. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/provider/MbrUpdater.java | Exposes “create trusted checksums file” through updater API. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/provider/MavenBndRepository.java | Loads trusted checksum sidecar, wires it into storage, tooltip reporting, and adds generation hook. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/provider/Configuration.java | Adds checksumFile() configuration property. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/pom/provider/PomConfiguration.java | Adds checksumFile() configuration property for POM repositories. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/pom/provider/package-info.java | Bumps package version for POM repository provider package. |
| biz.aQute.repository/src/aQute/bnd/repository/maven/pom/provider/BndPomRepository.java | Loads trusted checksums, wires into storage, tooltip, and adds “generate” action. |
Introduce trusted checksum support for Maven-backed repositories.

- Add TrustedChecksums to read a sidecar .checksums file and map Archive -> checksum entries.
- Add Configuration.checksumFile(...) to locate the checksum sidecar next to an index.
- MavenBndRepository and BndPomRepository load and open the trusted checksum file
- MavenRepository gains a trustedChecksums field, setTrustedChecksums(...), and checkTrustedChecksum(...) which computes MD5/SHA-1/SHA-256/SHA-512, deletes mismatched downloads and throws on mismatch (returns false if no trusted checksum applies).

This change ensures downloaded artifacts can be validated against operator-provided checksums to protect against tampered or corrupted artifacts.

Signed-off-by: Christoph Rueger <chrisrueger@gmail.com>
Closes #7236
This pull request introduces optional support for trusted checksum verification in the Maven repository providers (MavenBndRepository and BndPomRepository). The main goal is to ensure that downloaded artifacts can be validated against a trusted checksum file, improving the integrity and security of repository operations. The changes include new configuration options, core logic for managing and verifying trusted checksums, and integration into repository workflows and UI actions.
Trusted Checksum Support and Verification:
- `TrustedChecksums` class to manage trusted checksum files, load and cache checksums, verify artifact integrity, and generate trusted checksum files. This includes logic for reading, writing, and validating checksums for Maven artifacts.
- `DigestValidator` helper class to centralize digest comparison logic, replacing duplicate code and improving maintainability.
- `MavenRepository` and `MavenBackingRepository`, so that artifact retrieval and local file access now check against trusted checksums when available.

Configuration and Initialization:
- `Configuration` interface to allow specifying a trusted checksum file path, and updated repository initialization to load and use the trusted checksum file.

Reporting and Versioning:
Screenshots
When a Checksum does not match it looks like this:
The file basically does not exist anymore (the failing check deletes it), so the jar cannot be used / resolved etc.
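The check described in the commit message above (return false when no trusted checksum applies, delete the file and throw on mismatch), as an added example that is not code from this PR or from bnd. The class and method shape, the `ALGORITHM:hex` entry format and the coordinates are assumptions, the jar is a constructed temp file, and Java 17+ is assumed for `HexFormat`.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.DigestInputStream;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.Map;
// Added illustration, not bnd code. Names and the "ALGORITHM:hex" entry format
// are assumptions; the PR defines the real .checksums layout. Needs Java 17+.
public class TrustedChecksumDemo {
    // false: no trusted entry applies; true: match; mismatch: delete file and throw.
    static boolean checkTrustedChecksum(Map<String, String> trusted, String gav, Path file)
            throws IOException, NoSuchAlgorithmException {
        String entry = trusted.get(gav);
        if (entry == null)
            return false; // nothing pinned for this artifact
        String[] parts = entry.split(":", 2); // e.g. "SHA-256:<hex>"
        if (parts.length != 2)
            throw new IOException("Malformed trusted checksum entry for " + gav);
        MessageDigest md = MessageDigest.getInstance(parts[0].trim());
        try (InputStream in = new DigestInputStream(Files.newInputStream(file), md)) {
            in.transferTo(OutputStream.nullOutputStream()); // stream, do not buffer the jar
        }
        byte[] expected = HexFormat.of().parseHex(parts[1].trim());
        if (!MessageDigest.isEqual(expected, md.digest())) {
            Files.deleteIfExists(file); // a mismatched artifact must not stay resolvable
            throw new IOException("Trusted checksum mismatch for " + gav);
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a temp file stands in for a downloaded jar.
        Path jar = Files.createTempFile("demo-artifact", ".jar");
        Files.writeString(jar, "abc");
        String gav = "org.example:demo:1.0.0"; // hypothetical coordinates
        String ok = "SHA-256:ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";
        System.out.println(checkTrustedChecksum(Map.of(), gav, jar));
        System.out.println(checkTrustedChecksum(Map.of(gav, ok), gav, jar));
        try {
            checkTrustedChecksum(Map.of(gav, "SHA-256:" + "00".repeat(32)), gav, jar);
        } catch (IOException e) {
            System.out.println(e.getMessage() + "; file exists: " + Files.exists(jar));
        }
    }
}
```

A malformed entry or an unknown algorithm name raises an exception rather than returning false, so a broken sidecar file cannot silently disable the check for a pinned artifact.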