Verify from local keys / offline mode #394

Closed
bmarwell opened this issue Sep 13, 2022 · 9 comments

Comments

@bmarwell

Is your feature request related to a problem? Please describe.

Not a problem, except network connections and proxies. :)
When all keys are already present (e.g. .asc files or imported into the local keyring), there is no need to download keys.
BUT I cannot specify the keyring file as of now.

Describe the solution you'd like

-Dverify.offline=true -Dverify.gpghomedir=$PWD or similar.

Describe alternatives you've considered

  • disabling the plugin
  • proxy configuration

Additional context

n/a

@slawekjaranowski
Member

simply try

mvn -o ...

@bmarwell
Author

bmarwell commented Sep 14, 2022

Hey Slawomir!

That wouldn't work for my scenario. Sorry for not providing a better command. See what I am doing at the moment:

Consider the ojdbc8-production.pom (which is essentially a bom file).

GNUPGHOME="${WORKSPACE}/tmp/gnupg" \
"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

I now replaced it with a two step setup:

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --offline \
    org.simplify4u.plugins:pgpverify-maven-plugin:check \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

Now it would fail because the pgpverify-plugin is not available.
This is why I asked for an offline mode explicitly for this plugin.

Of course, there is a workaround. Add a third step in the middle:

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

# dependency:get the plugin
"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --no-transfer-progress \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:get \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-Dartifact=org.simplify4u.plugins:pgpverify-maven-plugin:1.16.0" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

"${WORKSPACE:?}/mvnw" \
    --batch-mode \
    --errors \
    --offline \
    org.simplify4u.plugins:pgpverify-maven-plugin:check \
    org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
    "-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
    "-DoutputDirectory=${driver_version_dir}" \
    "-Dmdep.stripVersion=true" \
    -f "${driver_version_dir}/${artifactname}-${version}.pom"

If that really is the intended solution, this three-step setup should be documented. That's not something an average maven user can do, I'd say.

// Edit: that doesn't even work as intended:

[INFO] Resolved 20 signature(s) in PT0.007559881S
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:pom:19.7.0.0
[INFO] Finished 20 artifact(s) validation in PT0.01117527S

I think the plugin does not pick up GNUPGHOME.

@bmarwell
Author

So, adding * = any of course helps. But I have to pre-fill the cache directory now as well.

It seems undocumented, but here is the layout:

.m2/repository/pgpkeys-cache/<0..*2h>/<2..*4h>/${shorthex^^}.asc.
My current keys are exported using 0xlong.asc.
So prefilling that directory requires additional scripting.

This will make a nice blog post, but is quite a way to set up. Maybe you could reconsider my request to use a gpg keyring? :)

@slawekjaranowski
Member

There is goal: org.simplify4u.plugins:pgpverify-maven-plugin:go-offline - should be used together with dependency-plugin:go-offline

@slawekjaranowski
Member

I think the plugin does not pick up GNUPGHOME.

Right - the plugin uses the bcpg library, not the gpg executable.

It seems undocumented, but here is the layout:

.m2/repository/pgpkeys-cache/<0..*2h>/<2..*4h>/${shorthex^^}.asc.

It depends on the information in the artifact signatures; sometimes we have only the long key id, and in other cases we have the full key fingerprint.
So the path can contain either the long key id or the fingerprint.
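The two comments above (the cache layout `.m2/repository/pgpkeys-cache/<first 2 hex>/<next 2 hex>/<HEX>.asc`, and the maintainer's note that the file name is the long key id or the full fingerprint, whichever the artifact signature carries) translate into the "additional scripting" needed to pre-fill the cache. The following POSIX sh script is an added example written for this thread; it is not code from the issue or from pgpverify-maven-plugin. It assumes the exported keys sit in a directory as `0x<hex>.asc` files (the `0xlong.asc` naming mentioned above), that the cache root is whatever `pgpkeys-cache` directory the build's `maven.repo.local` points at, and that the hex in the file name is uppercased on disk. The function names `cache_path` and `fill_cache` are mine. Since the plugin looks up the key under the id form found in the signature, a key exported only under its long id will not be found if the signature carries the fingerprint, and vice versa; the script refuses file names that are neither 16 nor 40 hex digits so a mis-named key is not silently dropped where the plugin will never look.

```shell
#!/bin/sh
# Added example (not from the issue or the plugin project): pre-fill the
# pgpkeys-cache directory from exported key files, using the layout
#   <ROOT>/<hex[1..2]>/<hex[3..4]>/<HEX>.asc
# where HEX is the uppercase long key id (16 hex digits) or fingerprint (40).
# Assumed input: files named 0x<hex>.asc, e.g. produced by
#   gpg --armor --export 0x1234567890ABCDEF > keys/0x1234567890ABCDEF.asc

# cache_path ROOT KEY: print the cache file path for KEY (0x-prefixed or bare
# hex). Fails for anything that is not exactly 16 or 40 hex digits.
cache_path() {
  cp_root=$1
  cp_hex=$(printf '%s' "$2" | sed 's/^0[xX]//' | tr 'abcdef' 'ABCDEF')
  case $cp_hex in
    *[!0-9A-F]*|'')
      printf 'cache_path: not a hex key id/fingerprint: %s\n' "$2" >&2
      return 1 ;;
  esac
  case ${#cp_hex} in
    16|40) ;;
    *)
      printf 'cache_path: expected 16 or 40 hex digits, got %s\n' "$2" >&2
      return 1 ;;
  esac
  printf '%s/%s/%s/%s.asc\n' "$cp_root" \
    "$(printf '%s' "$cp_hex" | cut -c1-2)" \
    "$(printf '%s' "$cp_hex" | cut -c3-4)" \
    "$cp_hex"
}

# fill_cache ROOT SRCDIR: copy every SRCDIR/0x*.asc into the layout under ROOT.
# Prints the number of keys placed; returns non-zero on an unusable file name.
fill_cache() {
  fc_root=$1
  fc_src=$2
  fc_n=0
  for fc_file in "$fc_src"/0x*.asc; do
    [ -e "$fc_file" ] || continue   # no matches: the glob stays literal
    fc_dest=$(cache_path "$fc_root" "$(basename "$fc_file" .asc)") || return 1
    mkdir -p "$(dirname "$fc_dest")"
    cp "$fc_file" "$fc_dest"
    fc_n=$((fc_n + 1))
  done
  printf '%s\n' "$fc_n"
}

# Usage with the paths from the scripts above (assumed):
#   fill_cache "$WORKSPACE/tmp/maven_repo/pgpkeys-cache" ./keys
```

Run `fill_cache` before the `--offline` step; it only places files, so it is safe to re-run, and a non-zero exit means one of the exported files was not named after a long id or fingerprint and would otherwise have been cached under a name the plugin never resolves.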

@bmarwell
Author

OK, so again.

  1. I put all the keys into the pgpkeys-cache folder as suggested
  2. I run go-offline (which obviously doesn't work with --offline)

While running go-offline, the following things happen (all of them are problems for me):

  1. one key does not get picked up. But even with debugging -X, the plugin doesn't show which keys it tries to resolve at which location :(
  2. It then tries to contact remote servers. I cannot disable this, because -o obviously won't work and supplying an empty list of keyservers will lead to the plugin throwing an exception.

So, why does it not find a specific key? I use the same algorithm to place all the keys.

@bmarwell
Author

OK, maybe in clear terms:

  1. I want to go offline with the keys. Going offline with the maven deps is not a goal for me.
  2. It should fail in go-offline if a key is neither found in the cache nor retrievable from the keyserver
  3. the keyserver list cannot be set to zero
  4. the keyserver timeout cannot be set.

@slawekjaranowski
Copy link
Member

maybe it helps you a little: #546

@bmarwell
Author

maybe it helps you a little: #546

No, not at all too late! This is a super helpful feature whenever there will be new keys being used for e.g. DB driver jars
