Skip to content

JFrog plugin to verify deploying artifacts signatures. It supports both JAR and RPM (PGP) verification

License

Notifications You must be signed in to change notification settings

avast/jfrog-verisign

Repository files navigation

jfrog-verisign – JAR & RPM signature verification

  • JFrog plugin to verify deploying artifacts signatures. It supports both JAR and RPM (PGP) verification.

Project info

  • Project maintainer: Ladislav Vitásek (vitasek/@/avast.com)
  • Requirements:
    • Gradle 6.8+
    • JDK 11
    • JFrog 7+

It was tested with JFrog API version artifactory-api:7.12.5.

Content

General information

Plugin is used to verify deploying artifacts signature. If it fails, it returns HTTP status error with a detail message. It validates (if enabled) JAR like files (JAR, AAR) and RPM files. The verification can be applied (via configuration file) only for specific repository paths.

See more details about JAR signing and how to sign RPMs with GPG.

How it works

JAR Verification

For JAR verification the plugin uses (to be more effective) modified JarSigner source code (launching a new JVM process is slow). Signature is valid if JAR is signed, and it's verified by key stored in PKCS12 keystore. The key is identified by alias. Make sure the keystore file is accessible for JFrog user (put it into eg. user home). Unsigned JAR is denied, and it's considered as an error.

RPM Verification

RPM utility does verification for RPM files (rpm -Kv command). It has to be available on the target OS system.
The verification is run under JFrog system user.

Unsigned RPM is denied, and it's considered as an error.

Usage

Build

Use Gradle command (Windows)

   gradlew.bat build

or (Linux/Mac)

   ./gradlew build

Deploy & Configuration

For the steps 1-3 you can use ./gradlew deploy task, which makes these steps 1-3 for you. Make sure you set correct artifactoryPath property in gradle.properties file first.

  1. Copy jfrog-verisign.jar (located in /build/libs) into JFrog's var/etc/artifactory/plugins/lib directory
  2. Copy verisign.groovy (located in /src/main/groovy) into JFrog's var/etc/artifactory/plugins directory
  3. Copy verisign.yaml (located in /etc/verisign.yaml) into JFrog's var/etc/artifactory/plugins directory
  4. Define keystore file (for the JAR verification) and public PGP keys (for RPM verification, eg. use command sudo rpm --import re.rpm.gpg.public) on the JFrog's machines Make sure the keystore file is accessible for JFrog system user (put it into its eg. user home).
  5. Update verisign.yaml according to your needs
  6. Update logback.xml configuration (located at JFrog's /var/etc/artifactory/logback.xml) with custom log levels
     <logger name="verisign">
         <level value="debug"/>
     </logger>
    
     <logger name="com.server.avast.verisign" level="debug">
     </logger>
  7. Restart JFrog

Checking plugin proper configuration

Curl command to execute a deployment of not_signed.jar should produce this error:

curl -u user:password -X PUT "http://localhost:8081/artifactory/maven-local/my/new/artifact/directory/not_signed.jar" -T not_signed.jar
{
  "errors" : [ {
    "status" : 400,
    "message" : "org.artifactory.exception.CancelException: Failed to verify JAR artifact: maven-local/my/new/artifact/directory/not_signed.jar . Error(s): jar is unsigned.\n\nGo to https://xyz for more help.\n"
  } ]
}

Alternatively you can try to use JFrog's UI to deploy artifact.

Verisign.yaml file

See this example plugin configuration file.
It's recommended to link your verisign.yaml file with this schema, it can help you to fix typos and to give you more hints (via ctrl/cmd+space). See this tutorial. You can refresh this configuration file using API call.

API Calls

Configuration file reload

To force reload verisign.yaml you can simply call this curl command

curl -X GET -v -u admin:password "http://localhost:8082/artifactory/api/plugins/execute/refreshVerisignConfig"

Get current configuration

To get current ignore/enabled repo paths from verisign.yaml as JSON call:

curl -X GET -v -u admin:password "http://localhost:8082/artifactory/api/plugins/execute/verisignConfig"

⚠ Note: The used user for connection should be an admin or the user should be part of the verisign group (must exist/be created in JFrog). These pre-defined settings can be changed in the verisign.groovy file.