Nexus Professional allows validation of PGP signed artifacts, and can block access based on the results of that check. PGP support helps you guard your builds against corrupted or intentionally tampered artifacts in an automatic and transparent way.

How Artifacts are Signed

Most artifacts added to the Maven Central Repository are signed during the release process with the maven-gpg-plugin, which invokes GnuPG (gpg), an implementation of the OpenPGP standard. An artifact is signed by calculating a hash of the file and encrypting that hash with the releasing developer's private key. The resulting digital signature is published in the repository alongside the original file as a detached .asc file.

Developers normally publish their public keys to a public key server such as pgp.mit.edu.

A signed artifact is validated by inspecting the .asc file to determine the ID of the key that signed it. The public key is then retrieved from a configurable list of public keystores, the signed hash is decrypted with it, and the result is compared to a freshly calculated hash of the artifact. If they match, the artifact has not been tampered with or corrupted. Note that a valid signature proves only that the holder of that key signed the file; whether the key belongs to the publisher you expect is a separate trust decision.
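The first thing a verifier does with a .asc file is the key-ID lookup described above. As an added example (not Nexus code and not from this page), the Python below de-armors a detached OpenPGP signature, checks its CRC-24 trailer, and pulls the issuer key ID, algorithms and creation time out of the v4 signature packet as laid out in RFC 4880. The sample .asc it parses is constructed in code with a filler signature value and a made-up key ID (`0123456789ABCDEF`), so it exercises the metadata extraction only and would not verify cryptographically; all function names are this example's own.

```python
import base64
import struct
from datetime import datetime, timezone

# Algorithm IDs from RFC 4880 section 9 (subset).
PUBKEY_ALGOS = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}
HASH_ALGOS = {2: "SHA1", 8: "SHA256", 9: "SHA384", 10: "SHA512"}


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1), the checksum in the armor trailer."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip the ASCII armor of a .asc file and verify its CRC-24 trailer."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body = lines[1:-1]
    if "" in body:                      # armor headers ("Version: ...") end at a blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line[1:]), "big"):
        raise ValueError("armor CRC-24 mismatch: .asc file is corrupt")
    return data


def packet_header(data: bytes):
    """Return (tag, body_start, body_end) of the first packet (RFC 4880 section 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("invalid packet header")
    if first & 0x40:                                      # new-format header
        tag, o1 = first & 0x3F, data[1]
        if o1 < 192:
            return tag, 2, 2 + o1
        if o1 < 224:
            return tag, 3, 3 + ((o1 - 192) << 8) + data[2] + 192
        if o1 == 255:
            return tag, 6, 6 + struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial body lengths not supported")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03       # old-format header (what gpg emits)
    if ltype == 0:
        return tag, 2, 2 + data[1]
    if ltype == 1:
        return tag, 3, 3 + struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, 5 + struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not supported")


def subpackets(buf: bytes):
    """Yield (type, data) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(buf):
        o1 = buf[i]
        if o1 < 192:
            length, i = o1, i + 1
        elif o1 < 255:
            length, i = ((o1 - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        yield buf[i] & 0x7F, buf[i + 1:i + length]        # high bit of the type = "critical"
        i += length


def parse_signature(asc_text: str) -> dict:
    """Extract what a verifier needs before it can fetch the key: issuer key ID,
    algorithms and creation time. This does not verify the signature itself."""
    data = dearmor(asc_text)
    tag, start, end = packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[start:end]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {"sig_type": body[1],
            "pubkey_algo": PUBKEY_ALGOS.get(body[2], f"unknown({body[2]})"),
            "hash_algo": HASH_ALGOS.get(body[3], f"unknown({body[3]})")}
    hashed_len = struct.unpack(">H", body[4:6])[0]
    hashed = body[6:6 + hashed_len]
    pos = 6 + hashed_len
    unhashed_len = struct.unpack(">H", body[pos:pos + 2])[0]
    unhashed = body[pos + 2:pos + 2 + unhashed_len]
    # The issuer key ID normally sits in the unhashed area, so it is not covered by
    # the signature: treat it as a lookup hint only; trust comes from verification.
    for sub_type, sub in list(subpackets(hashed)) + list(subpackets(unhashed)):
        if sub_type == 2:
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", sub)[0], timezone.utc)
        elif sub_type == 16:
            info["issuer_key_id"] = sub.hex().upper()
    return info


def build_sample_asc() -> str:
    """Constructed sample .asc: a v4 RSA/SHA256 detached signature with a filler
    signature value. It will NOT verify; it only exercises the parsing above."""
    hashed = bytes([5, 2]) + struct.pack(">I", 1300000000)           # creation time
    unhashed = bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF")    # constructed key ID
    mpi = struct.pack(">H", 2048) + b"\x42" * 256                     # filler RSA signature
    body = (bytes([4, 0, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\xAB\xCD" + mpi)
    packet = bytes([0x89]) + struct.pack(">H", len(body)) + body     # old-format header, tag 2
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP SIGNATURE-----", "Version: constructed sample", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP SIGNATURE-----"])


if __name__ == "__main__":
    print(parse_signature(build_sample_asc()))
```

The CRC-24 check only catches transport corruption of the .asc itself; the key ID it yields tells the verifier which public key to fetch from the configured keystores, and only the subsequent signature verification against that key says anything about the artifact.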

Verifying PGP Signatures with Nexus Professional

Nexus performs signature checks on the fly through its Procurement support. Rules can be defined on group/artifact/version coordinates (with wildcards), letting you approve only artifacts with valid signatures and block those whose signatures are invalid. Nexus also lets you configure how missing signatures are handled.
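To make that rule model concrete, the following Python sketch, added here and not Nexus's own implementation, evaluates procurement-style rules: each rule names a group:artifact:version pattern with shell-style wildcards and the signature states it admits, rules are checked in order with the first match deciding, and when no rule matches, valid signatures are admitted while missing signatures fall back to a configurable default. The rule syntax, the ordering semantics, the `SigStatus` states and the sample coordinates are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Tuple


class SigStatus(Enum):
    VALID = "valid"      # .asc present, issuer key fetched, decrypted hash matches
    INVALID = "invalid"  # .asc present but verification failed, or the key could not be fetched
    MISSING = "missing"  # no .asc stored next to the artifact


@dataclass(frozen=True)
class Rule:
    """Assumed rule shape: a group:artifact:version pattern (wildcards per
    coordinate) plus the signature states this rule admits."""
    pattern: str
    allowed: FrozenSet[SigStatus]

    def matches(self, gav: str) -> bool:
        pat, coords = self.pattern.split(":"), gav.split(":")
        if len(pat) != 3 or len(coords) != 3:
            raise ValueError("coordinates must be group:artifact:version")
        return all(fnmatchcase(c, p) for c, p in zip(coords, pat))


@dataclass
class Policy:
    rules: List[Rule]                  # evaluated in order; first match wins
    missing_signature: str = "block"   # "block" or "allow" when no rule matches and no .asc exists

    def decide(self, gav: str, status: SigStatus) -> Tuple[bool, str]:
        """Return (allowed, reason) for one artifact request."""
        for rule in self.rules:
            if rule.matches(gav):
                ok = status in rule.allowed
                verdict = "allowed" if ok else "blocked"
                return ok, f"rule '{rule.pattern}': {status.value} signature {verdict}"
        if status is SigStatus.MISSING:
            reason = f"no rule matched; missing-signature default is '{self.missing_signature}'"
            return self.missing_signature == "allow", reason
        return status is SigStatus.VALID, "no rule matched; default admits valid signatures only"


# Constructed sample policy: strict for Apache artifacts, a narrow exception for a
# legacy internal library that was never signed, and the defaults for everything else.
SAMPLE_POLICY = Policy(rules=[
    Rule("org.apache.*:*:*", frozenset({SigStatus.VALID})),
    Rule("com.example.legacy:old-lib:1.*", frozenset({SigStatus.VALID, SigStatus.MISSING})),
])


if __name__ == "__main__":
    for gav, status in [("org.apache.commons:commons-lang3:3.12.0", SigStatus.VALID),
                        ("org.apache.commons:commons-lang3:3.12.0", SigStatus.INVALID),
                        ("com.example.legacy:old-lib:1.4", SigStatus.MISSING),
                        ("com.example.legacy:old-lib:2.0", SigStatus.MISSING)]:
        print(gav, status.value, SAMPLE_POLICY.decide(gav, status))
```

Keeping exceptions for unsigned artifacts as narrow as the version wildcard allows (here `1.*` only) is the point of the second rule: a newer, unsigned `old-lib:2.0` does not inherit the exemption and falls through to the blocking default.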

Future releases of Nexus will build upon the signature checking to provide the ability to scan entire repositories and report on the signature status, as well as manage the web of trust so that you can block artifacts signed by people you don’t yet trust.