Skip to content

Perform signature validation on plugins' Maven artifacts #9611

New issue
Jump to bottom
New issue
Jump to bottom
Open
Open
Perform signature validation on plugins' Maven artifacts#9611
Labels
BuildBuild Tasks/Gradle Plugin, groovy scripts, build tools, Javadoc enforcement.Build Libraries & InterfacesfeatureNew feature or request
@davidlago

Description

@davidlago
davidlago
opened on Aug 29, 2023

Plugins are downloaded from Maven’s Central Repository.

OpenSearch/distribution/tools/plugin-cli/src/main/java/org/opensearch/plugins/InstallPluginCommand.java

Lines 306 to 342 in bb7d23c

/** Downloads the plugin and returns the file it was downloaded to. */
private Path download(Terminal terminal, String pluginId, Path tmpDir, boolean isBatch) throws Exception {
if (OFFICIAL_PLUGINS.contains(pluginId)) {
final String url = getOpenSearchUrl(
terminal,
getStagingHash(),
Version.CURRENT,
isSnapshot(),
pluginId,
Platforms.PLATFORM_NAME
);
terminal.println("-> Downloading " + pluginId + " from opensearch");
return downloadAndValidate(terminal, url, tmpDir, true, isBatch);
}
// now try as maven coordinates, a valid URL would only have a colon and slash
String[] coordinates = pluginId.split(":");
if (coordinates.length == 3 && pluginId.contains("/") == false && pluginId.startsWith("file:") == false) {
String mavenUrl = getMavenUrl(terminal, coordinates, Platforms.PLATFORM_NAME);
terminal.println("-> Downloading " + pluginId + " from maven central");
return downloadAndValidate(terminal, mavenUrl, tmpDir, false, isBatch);
}
// fall back to plain old URL
if (pluginId.contains(":") == false) {
// definitely not a valid url, so assume it is a plugin name
List<String> plugins = checkMisspelledPlugin(pluginId);
String msg = "Unknown plugin " + pluginId;
if (plugins.isEmpty() == false) {
msg += ", did you mean " + (plugins.size() == 1 ? "[" + plugins.get(0) + "]" : "any of " + plugins.toString()) + "?";
}
throw new UserException(ExitCodes.USAGE, msg);
}
terminal.println("-> Downloading " + URLDecoder.decode(pluginId, "UTF-8"));
return downloadZip(terminal, pluginId, tmpDir, isBatch);
}

Only for official plugins is PGP verification performed. We should perform signature validation per Maven’s recommendation. Users should supply the expected PGP key (fingerprint) as obtained from a trusted source such as the developer’s official website, since Maven offers no mechanism for secure key distribution.

Metadata

Assignees

No one assigned

    Labels

    BuildBuild Tasks/Gradle Plugin, groovy scripts, build tools, Javadoc enforcement.Build Libraries & InterfacesfeatureNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions