pgpverify verification does not work with proxies
Closed this issue · 4 comments
Summary
pgpverify-maven-plugin is unable to retrieve the Wren trusted keys list when the local machine is behind a proxy, even when Maven is configured to use the proxy.
Steps
- Check out Wren:DS (or any Wren project that inherits from wrensec-parent) on a machine that's behind a proxy.
- Ensure Maven is configured to use the proxy (via ~/.m2/settings.xml).
- Run mvn clean install in the root of the checked-out project.
Expected
Project builds without issue.
Current
Build fails with a failure to resolve wrensecurity.org:
[DEBUG] (f) project = MavenProject: org.forgerock.opendj:opendj-server-parent:3.0.0 @ wrends/pom.xml
[DEBUG] (f) scope = test
[DEBUG] (f) session = org.apache.maven.execution.MavenSession@704b2127
[DEBUG] (f) verifyPomFiles = true
[DEBUG] -- end configuration --
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.JarResourceLoader.
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.FileResourceLoader.
[DEBUG] The resource 'http://wrensecurity.org/trustedkeys.properties' was not found with resourceLoader org.codehaus.plexus.resource.loader.ThreadContextClasspathResourceLoader.
[DEBUG] URLResourceLoader: Exception when looking for 'http://wrensecurity.org/trustedkeys.properties
java.net.UnknownHostException: wrensecurity.org
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
at java.net.Socket.connect(Socket.java:589)
at java.net.Socket.connect(Socket.java:538)
at sun.net.NetworkClient.doConnect(NetworkClient.java:180)
Workarounds
- A workaround is described in s4u/pgpverify-maven-plugin#1 that may work for us.
- mvn -Dignore-artifact-sigs clean install works, but that completely skips PGP verification of artifacts (less secure).
Issue filed with pgpverify: s4u/pgpverify-maven-plugin#24
we may be able to fix it in our fork of it.
As of 2.2.0, this issue should now be resolved -- we're now putting the PGP whitelist in a Maven artifact that should be proxy-friendly.
Per comment from @siepkes in WrenSecurity/wrends#24, this is still an issue for the GPG signature requests. Re-opening.
I believe we can provide a documented workaround for this issue. Ideally we'd pull the HTTP proxy from Maven, but I remember this not being straightforward.
This should be fixed in upstream - https://www.simplify4u.org/pgpverify-maven-plugin/check-mojo.html#proxyName and we are already using the latest version of the plugin.
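One way a plugin could honour the proxy from Maven's settings.xml when fetching a resource such as the trusted-keys list, rather than opening a direct connection that fails with UnknownHostException as in the log above. This is an added Java example, not code from pgpverify-maven-plugin or the Wren projects; it assumes the plugin has a MavenSession injected and uses the standard Maven settings API (Settings.getActiveProxy() and its host, port and nonProxyHosts fields).

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.regex.Pattern;
import org.apache.maven.execution.MavenSession;
import org.apache.maven.settings.Settings;

// Added illustration (not the plugin's code): resolve a URL through the proxy
// configured in Maven's settings.xml instead of opening a direct connection.
public final class ProxyAwareFetcher {

    // Maven's nonProxyHosts is a '|'-separated list with '*' wildcards,
    // e.g. "localhost|*.internal.example". Hostnames match case-insensitively.
    static boolean isNonProxyHost(String nonProxyHosts, String host) {
        if (nonProxyHosts == null || nonProxyHosts.trim().isEmpty()) {
            return false;
        }
        for (String entry : nonProxyHosts.split("\\|")) {
            // Quote the literal parts of the pattern and turn each '*' into '.*'.
            String regex = Pattern.quote(entry.trim()).replace("*", "\\E.*\\Q");
            if (Pattern.compile(regex, Pattern.CASE_INSENSITIVE).matcher(host).matches()) {
                return true;
            }
        }
        return false;
    }

    // Pick a java.net.Proxy from Maven's active <proxy>; NO_PROXY when none applies.
    static Proxy proxyFor(Settings settings, URL url) {
        org.apache.maven.settings.Proxy mp = settings == null ? null : settings.getActiveProxy();
        if (mp == null || isNonProxyHost(mp.getNonProxyHosts(), url.getHost())) {
            return Proxy.NO_PROXY;
        }
        return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(mp.getHost(), mp.getPort()));
    }

    // Open e.g. the trusted-keys list via the session's proxy; the caller closes the stream.
    // A failure here should fail the build rather than silently skip signature verification.
    public static InputStream open(MavenSession session, String location) throws IOException {
        URL url = new URL(location);
        return url.openConnection(proxyFor(session.getSettings(), url)).getInputStream();
    }
}
```

If the configured proxy requires credentials, the username and password from the same Maven proxy entry would also have to be applied (for example as a Proxy-Authorization header), which this example leaves out.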