- JFrog plugin to verify the signatures of artifacts being deployed. It supports both JAR and RPM (PGP) verification.
- Project maintainer: Ladislav Vitásek (vitasek/@/avast.com)
- Requirements:
- Gradle 6.8+
- JDK 11
- JFrog 7+
It was tested with JFrog API version artifactory-api:7.12.5.
The plugin verifies the signature of every artifact being deployed. If verification fails, the deployment is rejected with an HTTP error status and a detail message. It validates (when enabled) JAR-like files (JAR, AAR) and RPM files. Verification can be restricted, via the configuration file, to specific repository paths only.
See more details about JAR signing and how to sign RPMs with GPG.
For JAR verification the plugin uses modified JarSigner source code, which is more efficient than launching a new JVM process for every artifact. A signature is valid if the JAR is signed and the signature verifies against a key stored in a PKCS12 keystore; the key is identified by its alias. Make sure the keystore file is readable by the JFrog user (put it, e.g., into that user's home directory). An unsigned JAR is denied and reported as an error.
RPM files are verified with the rpm utility (rpm -Kv command), which has to be available on the target OS.
The verification runs under the JFrog system user.
An unsigned RPM is denied and reported as an error.
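The following Groovy script is an added example of the two checks described above (the JAR check against a PKCS12 keystore alias and the rpm -Kv check); it is not the plugin's own code, which is based on modified JarSigner sources. The JAR part uses the plain java.util.jar API instead. The keystore path, password, alias and sample rpm output are assumptions made for illustration. One caveat it demonstrates: rpm -K exits 0 for an unsigned package whose digests are intact, so an "unsigned RPM is denied" policy cannot rely on the exit code alone.

```groovy
// Added example (not the jfrog-verisign plugin's own code) of the two checks the
// README describes. Keystore path, password, alias and file names are assumptions.
import java.security.KeyStore
import java.security.cert.Certificate
import java.util.jar.JarEntry
import java.util.jar.JarFile

/** Trusted signer certificate, read from a PKCS12 keystore by alias. */
static Certificate trustedCert(String keystorePath, String password, String alias) {
    KeyStore ks = KeyStore.getInstance('PKCS12')
    new File(keystorePath).withInputStream { ks.load(it, password.toCharArray()) }
    Certificate cert = ks.getCertificate(alias)
    if (cert == null) throw new IllegalStateException("no certificate under alias '${alias}'")
    return cert
}

/** Entries that carry no signature by design: directories, the manifest, signature files. */
static boolean exemptFromSigning(JarEntry e) {
    String n = e.name.toUpperCase()
    return e.directory || n == 'META-INF/MANIFEST.MF' ||
        (n.startsWith('META-INF/') && ['.SF', '.RSA', '.DSA', '.EC'].any { n.endsWith(it) })
}

/**
 * Problems found in the JAR; an empty list means every entry is signed by the trusted key.
 * With verify=true, reading an entry checks its digest against the signed manifest, so a
 * tampered entry raises SecurityException; getCodeSigners() is only valid after a full read.
 */
static List<String> verifyJar(File jar, Certificate trusted) {
    List<String> errors = []
    new JarFile(jar, true).withCloseable { jf ->
        int checked = 0, unsigned = 0
        byte[] buf = new byte[8192]
        jf.entries().each { JarEntry e ->
            if (exemptFromSigning(e)) return
            checked++
            try {
                jf.getInputStream(e).withStream { s -> while (s.read(buf) != -1) { } }
            } catch (SecurityException ex) {
                errors << "${e.name}: ${ex.message}".toString()
                return
            }
            def signers = e.codeSigners
            if (!signers) { unsigned++; return }
            boolean byTrusted = signers.any { it.signerCertPath.certificates.any { c -> c == trusted } }
            if (!byTrusted) errors << "${e.name}: not signed by the trusted key".toString()
        }
        if (unsigned == checked) errors << 'jar is unsigned'          // nothing (or no entry) signed
        else if (unsigned > 0) errors << "${unsigned} entries are not signed".toString()
    }
    return errors
}

/**
 * Decide from `rpm -Kv` output whether an RPM is acceptable. Caveat: rpm -K exits 0 for an
 * UNSIGNED package whose digests are intact, so the exit code alone is not enough; require at
 * least one "Signature" line and every check line to end with ": OK" (NOKEY / NOT OK fail).
 */
static List<String> checkRpmOutput(int exitCode, String output) {
    List<String> errors = []
    List<String> lines = output.readLines()*.trim().findAll { it }
    if (exitCode != 0) errors << "rpm -Kv exited with status ${exitCode}".toString()
    if (!lines.any { it.contains('Signature') }) errors << 'rpm is unsigned'
    lines.drop(1).each { l ->                       // first line is just "<file>:"
        int i = l.lastIndexOf(':')
        if (i < 0 || l.substring(i + 1).trim() != 'OK') errors << l
    }
    return errors
}

static List<String> verifyRpm(File rpm) {
    Process p = ['rpm', '-Kv', rpm.absolutePath].execute()
    String out = p.text                             // consume stdout, then wait for exit
    p.waitFor()
    return checkRpmOutput(p.exitValue(), out)
}

// Constructed sample outputs (not captured from a real system) showing the RPM caveat:
String unsignedOut = 'foo-1.0-1.x86_64.rpm:\n    Header SHA256 digest: OK\n    Payload SHA256 digest: OK\n'
assert checkRpmOutput(0, unsignedOut) == ['rpm is unsigned']
String nokeyOut = 'bar-1.0-1.x86_64.rpm:\n    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY\n' +
                  '    Header SHA256 digest: OK\n    Payload SHA256 digest: OK\n'
assert checkRpmOutput(1, nokeyOut).size() == 2   // exit status + the NOKEY line

// Usage: groovy verify.groovy <file.jar|file.rpm>  (keystore settings are assumptions)
if (args) {
    File f = new File(args[0])
    List<String> errs = f.name.toLowerCase().endsWith('.rpm') ? verifyRpm(f)
        : verifyJar(f, trustedCert(System.getProperty('user.home') + '/verisign.p12', 'changeit', 'release'))
    println(errs ? "DENIED: ${errs.join('; ')}" : "OK: ${f.name}")
    System.exit(errs ? 1 : 0)
}
```

The JAR check deliberately fails closed: a JAR with no signed entries, a JAR signed by a key other than the keystore alias, and a JAR whose signed entries were modified after signing all end up in the error list, which is what the plugin turns into the HTTP error described above. The keystore is opened by the user running the script, so, as the README notes, it has to be readable by the JFrog system user.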
Use the Gradle command (Windows)
gradlew.bat build
or (Linux/Mac)
./gradlew build
For steps 1-3 below you can use the ./gradlew deploy task, which performs them for you. Make sure you set the correct artifactoryPath property in the gradle.properties file first.
1. Copy jfrog-verisign.jar (located in /build/libs) into JFrog's var/etc/artifactory/plugins/lib directory
2. Copy verisign.groovy (located in /src/main/groovy) into JFrog's var/etc/artifactory/plugins directory
3. Copy verisign.yaml (located in /etc/verisign.yaml) into JFrog's var/etc/artifactory/plugins directory
4. Define the keystore file (for JAR verification) and import the public PGP keys (for RPM verification, e.g. with sudo rpm --import re.rpm.gpg.public) on the JFrog machines. Make sure the keystore file is readable by the JFrog system user (put it, e.g., into that user's home directory).
5. Update verisign.yaml according to your needs
6. Update the logback.xml configuration (located at JFrog's var/etc/artifactory/logback.xml) with custom log levels:
   <logger name="verisign"> <level value="debug"/> </logger>
   <logger name="com.server.avast.verisign" level="debug"> </logger>
7. Restart JFrog
A curl command deploying not_signed.jar should produce this error:
curl -u user:password -X PUT "http://localhost:8081/artifactory/maven-local/my/new/artifact/directory/not_signed.jar" -T not_signed.jar
{
"errors" : [ {
"status" : 400,
"message" : "org.artifactory.exception.CancelException: Failed to verify JAR artifact: maven-local/my/new/artifact/directory/not_signed.jar . Error(s): jar is unsigned.\n\nGo to https://xyz for more help.\n"
} ]
}
Alternatively you can use JFrog's UI to deploy the artifact.
See this example plugin configuration file.
It's recommended to link your verisign.yaml file with this schema; it helps you catch typos and gives you completion hints (via ctrl/cmd+space).
See this tutorial.
You can reload this configuration file via an API call.
To force a reload of verisign.yaml, call:
curl -X GET -v -u admin:password "http://localhost:8082/artifactory/api/plugins/execute/refreshVerisignConfig"
To get the current ignored/enabled repo paths from verisign.yaml as JSON, call:
curl -X GET -v -u admin:password "http://localhost:8082/artifactory/api/plugins/execute/verisignConfig"
⚠ Note: The user used for the connection must be an admin or a member of the verisign group (which must exist/be created in JFrog). These pre-defined settings can be changed in the verisign.groovy file.
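As an added example (not the project's verisign.groovy), the Groovy user-plugin skeleton below shows how the pieces referenced in this README fit together: the storage hook whose CancelException produces the HTTP 400 shown in the curl example, and the two execution endpoints restricted to admin or the verisign group. The config file path, the YAML keys enabledPaths/ignoredPaths, and the helper classes JarCheck/RpmCheck are assumptions; the project's real configuration schema may differ.

```groovy
// Added example (not the project's verisign.groovy): the user-plugin wiring the README
// describes. CONFIG_PATH, the YAML keys `enabledPaths`/`ignoredPaths`, and the helper
// classes JarCheck/RpmCheck are assumptions; the project's real file may differ.
import groovy.json.JsonOutput
import groovy.transform.Field
import org.artifactory.exception.CancelException
import org.yaml.snakeyaml.Yaml

@Field final String CONFIG_PATH = '/var/opt/jfrog/artifactory/etc/artifactory/plugins/verisign.yaml'
@Field Map config = loadConfig()

/** Assumed layout: lists of "repoKey/path-prefix" strings under enabledPaths and ignoredPaths. */
Map loadConfig() {
    def y = (new Yaml().load(new File(CONFIG_PATH).text) ?: [:]) as Map
    return [enabled: (y.enabledPaths ?: []) as List<String>, ignored: (y.ignoredPaths ?: []) as List<String>]
}

/** A path is verified when it matches an enabled prefix and no ignored prefix. */
boolean shouldVerify(String path) {
    config.enabled.any { path.startsWith(it) } && !config.ignored.any { path.startsWith(it) }
}

storage {
    // Runs before the binary is stored. Throwing CancelException here is what produces the
    // HTTP 400 with the "org.artifactory.exception.CancelException: ..." message shown above.
    beforeCreate { item ->
        String path = item.repoPath.toPath()              // "repoKey/dir/file"
        if (item.folder || !shouldVerify(path)) return
        List<String> errors = []
        if (path ==~ /(?i).*\.(jar|aar)/) errors = JarCheck.verify(item.repoPath)          // hypothetical helper
        else if (path.toLowerCase().endsWith('.rpm')) errors = RpmCheck.verify(item.repoPath) // hypothetical helper
        if (errors) {
            log.warn("verisign: denying ${path}: ${errors}")
            throw new CancelException("Failed to verify artifact: ${path} . Error(s): ${errors.join(', ')}.", 400)
        }
    }
}

executions {
    // Both endpoints are reachable only by admin or members of the 'verisign' group; edit
    // the users/groups lists here to change that policy.
    refreshVerisignConfig(httpMethod: 'GET', users: ['admin'], groups: ['verisign']) { params ->
        config = loadConfig()
        status = 200
        message = 'verisign.yaml reloaded'
    }
    verisignConfig(httpMethod: 'GET', users: ['admin'], groups: ['verisign']) { params ->
        status = 200
        message = JsonOutput.toJson(config)
    }
}
```

The refreshVerisignConfig and verisignConfig names match the execution endpoints called by the curl commands above (…/api/plugins/execute/<name>). Keeping the users and groups lists on the execution definitions is what makes a non-admin caller outside the verisign group receive an authorization error rather than a config dump.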