-
Notifications
You must be signed in to change notification settings - Fork 127
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[MRESOLVER-516] Align GPG generator #448
Conversation
Align with latest changes. Also, trivial fix to align doco generator, now "java.lang." prefix is stripped off to align all the doco. --- https://issues.apache.org/jira/browse/MRESOLVER-516
maven-resolver-tools/src/main/java/org/eclipse/aether/tools/CollectConfiguration.java
Outdated
Show resolved
Hide resolved
public boolean isInteractive() { | ||
return false; | ||
} | ||
private static final long MAX_SIZE = 16 * 1024 + 1L; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My signing key is 12k... It does not give much room.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See https://wiki.gnupg.org/LargeKeys
In other words, use Ed25519 key, and leave RSA ones (that are 60 times slower as well) to oblivion. Btw, GnuPG 2.4.x (unsure here, maybe since 2.1, or 2.2 or 2.3?) by default generates Ed25519 keys (unless explicitly asked for RSA). The RSA keys are slowly being phased out.
+ "+to+use+it+for+signing+Maven+Artifacts\n"; | ||
os.write((instruction).getBytes()); | ||
os.flush(); | ||
return new String(Hex.decode(expectOK(in).trim())); | ||
String pw = mayExpectOK(in); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
From a security perspective, I think it's better to keep char[]
or byte[]
rather than a String
when carrying passwords.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Especially, if we call getChars()
a few lines later...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So just return Hex.decode(pw.trim())
below...
} | ||
if (Files.isRegularFile(keyPath)) { | ||
if (Files.size(keyPath) < MAX_SIZE) { | ||
return Files.readAllBytes(keyPath); | ||
} else { | ||
logger.warn("Refusing to load key {}; is larger than 5KB", keyPath); | ||
logger.warn("Refusing to load file {}; is larger than 64KB", keyPath); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
64 KiB
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, that looks really non standard... Honestly, it's the first time I see this notation. To refer to something we don't care, I'd rather make the MAX_SIZE = 64000
just to keep 64 kB
} | ||
if (Files.isRegularFile(keyPath)) { | ||
if (Files.size(keyPath) < MAX_SIZE) { | ||
return Files.readAllBytes(keyPath); | ||
} else { | ||
logger.warn("Refusing to load key {}; is larger than 5KB", keyPath); | ||
logger.warn("Refusing to load file {}; is larger than 64KiB", keyPath); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The space missing as provided before
And 64kB was always 64kB (64 * 1024).
Anything else important around here? Would like to cut next alpha ASAP |
Align with latest changes. Also, trivial fix to align doco generator, now "java.lang." prefix is stripped off to align all the doco.
https://issues.apache.org/jira/browse/MRESOLVER-516