Clone Tools
  • last updated a few seconds ago
Constraints
Constraints: committers
 
Constraints: files
Constraints: dates
Fix a number of review comments

  1. … 15 more files in changeset.
Remove unused code and add tests for HTML report

    • -1
    • +1
    ./verifier/ChecksumVerificationFailure.java
  1. … 3 more files in changeset.
Introduce an HTML report for dependency verification

This commit introduces a dependency verification report.

This report is generated for each build which has at least

one dependency verification fatal failure. The goal is to

replace the full, plain text report with a more concise

text block, less intimidating, and redirect to the HTML

report for completeness.

Currently, this report is _always_ generated, and the

console report is left untouched. However, another commit

will replace the console report with a shorter version,

with the ability to configure to build to always use the

long console report version (in case for example it's not

simple to retrieve an HTML report from a CI build).

The HTML report explains what errors the user is facing

in context, and links to the documentation for further

details.

    • -1
    • +4
    ./verifier/SignatureVerificationFailure.java
  1. … 13 more files in changeset.
Introduce an HTML report for dependency verification

This commit introduces a dependency verification report.

This report is generated for each build which has at least

one dependency verification fatal failure. The goal is to

replace the full, plain text report with a more concise

text block, less intimidating, and redirect to the HTML

report for completeness.

Currently, this report is _always_ generated, and the

console report is left untouched. However, another commit

will replace the console report with a shorter version,

with the ability to configure to build to always use the

long console report version (in case for example it's not

simple to retrieve an HTML report from a CI build).

The HTML report explains what errors the user is facing

in context, and links to the documentation for further

details.

    • -1
    • +4
    ./verifier/SignatureVerificationFailure.java
  1. … 13 more files in changeset.
Introduce an HTML report for dependency verification

This commit introduces a dependency verification report.

This report is generated for each build which has at least

one dependency verification fatal failure. The goal is to

replace the full, plain text report with a more concise

text block, less intimidating, and redirect to the HTML

report for completeness.

Currently, this report is _always_ generated, and the

console report is left untouched. However, another commit

will replace the console report with a shorter version,

with the ability to configure to build to always use the

long console report version (in case for example it's not

simple to retrieve an HTML report from a CI build).

The HTML report explains what errors the user is facing

in context, and links to the documentation for further

details.

    • -1
    • +4
    ./verifier/SignatureVerificationFailure.java
  1. … 13 more files in changeset.
Fix duplicate entry found when building error

It was possible that the same key is checked multiple times

and reported multiple times as an error if a key is found

multiple times in a single keyring. This commit works around

the problem by collecting using a regular map then converting

to an immutable map.

Fixes #11999

  1. … 1 more file in changeset.
Fix duplicate entry found when building error

It was possible that the same key is checked multiple times

and reported multiple times as an error if a key is found

multiple times in a single keyring. This commit works around

the problem by collecting using a regular map then converting

to an immutable map.

Fixes #11999

  1. … 1 more file in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Initial steps towards a 2-stage dependency cache

This commit introduces the infrastructure required to get a 2-stage

dependency cache, consisting of a read-only, shareable cache and

a read-write local mutable cache.

The read-only cache would typically be mounted on Docker images.

Only infrastructure, no tests yet.

    • -1
    • +1
    ./signatures/CrossBuildCachingKeyService.java
    • -1
    • +1
    ./signatures/CrossBuildSignatureVerificationService.java
  1. … 81 more files in changeset.
Fix use of schema location

The code was using `xmlns` instead of `xsi`

    • -1
    • +1
    ./serializer/DependencyVerificationsXmlWriter.java
  1. … 5 more files in changeset.
Fix use of schema location

The code was using `xmlns` instead of `xsi`

    • -1
    • +1
    ./serializer/DependencyVerificationsXmlWriter.java
  1. … 5 more files in changeset.
Lambda-ification of the dependency management project

This makes the code base easier to read.

    • -3
    • +3
    ./verifier/DependencyVerifierBuilder.java
  1. … 65 more files in changeset.
Lambda-ification of the dependency management project

This makes the code base easier to read.

    • -3
    • +3
    ./verifier/DependencyVerifierBuilder.java
  1. … 65 more files in changeset.
Lambda-ification of the dependency management project

This makes the code base easier to read.

    • -3
    • +3
    ./verifier/DependencyVerifierBuilder.java
  1. … 65 more files in changeset.
Lambda-ification of the dependency management project

This makes the code base easier to read.

    • -3
    • +3
    ./verifier/DependencyVerifierBuilder.java
  1. … 65 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file

name.

    • -1
    • +1
    ./serializer/DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file

name.

    • -2
    • +2
    ./serializer/DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file

name.

    • -2
    • +2
    ./serializer/DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Add support for key fingerprints

In order to provide maximum security, it's now possible to use full key

fingerprints, in addition to long (64-bit) key ids, in trusted or ignored

keys.

It doesn't matter what format is used: if a trusted key uses a long id,

then it's possible that if there's a key collision, an artifact would be

trusted even if it shouldn't. If a fingerprint is used instead, then we

would use the full fingerprint for verification.

It's worth nothing that PGP doesn't provide the full fingerprint in signatures

for the key issuer. This means that when we're going to download keys, we

will still use the long ids.

Fixes #11770

    • -59
    • +179
    ./signatures/CrossBuildCachingKeyService.java
    • -43
    • +79
    ./signatures/CrossBuildSignatureVerificationService.java
    • -17
    • +38
    ./signatures/DefaultSignatureVerificationServiceFactory.java
    • -15
    • +22
    ./verifier/SignatureVerificationFailure.java
  1. … 15 more files in changeset.
Add support for key fingerprints

In order to provide maximum security, it's now possible to use full key

fingerprints, in addition to long (64-bit) key ids, in trusted or ignored

keys.

It doesn't matter what format is used: if a trusted key uses a long id,

then it's possible that if there's a key collision, an artifact would be

trusted even if it shouldn't. If a fingerprint is used instead, then we

would use the full fingerprint for verification.

It's worth nothing that PGP doesn't provide the full fingerprint in signatures

for the key issuer. This means that when we're going to download keys, we

will still use the long ids.

Fixes #11770

    • -59
    • +179
    ./signatures/CrossBuildCachingKeyService.java
    • -43
    • +79
    ./signatures/CrossBuildSignatureVerificationService.java
    • -17
    • +38
    ./signatures/DefaultSignatureVerificationServiceFactory.java
    • -15
    • +22
    ./verifier/SignatureVerificationFailure.java
  1. … 15 more files in changeset.
Verify checksums for artifacts which declare them even if signature passes

This is done because signatures are done on the hash of artifacts and

not on the artifact contents itself, so if you want to ensure both

integrity and provenance, you need to check both.

  1. … 1 more file in changeset.