Is it possible to expose (Read) a maven.pkg.github.com repository without using server credentials? - maven

Maybe a dummy question: I have some Maven Artifacts on my maven.pkg.github.com repository and I would like to expose them, just for reading, without configuring the server credentials on settings.xml file?

just answering my own question: until today, July 11th, 2020, there is no option for using GitHub Packages without authorization. So in other words, it's not possible to use anonymous access with GitHub Packages. You can follow the discussion in the GitHub forum: https://github.community/t/download-from-github-package-registry-without-authentication/14407/10
Possible correlated: How to access maven dependency from GitHub Package Registry (Beta)

Related

Remote repository for a go project in Artifactory doesn't proxy?

I'm trying to understand how to work with a remote repository in Artifactory for a Go project. My initial expectation was that it'll work transparently, all I would need to do is to point the GOPROXY variable to a virtual repository (with local and remote behind it), do go build and dependencies will either be downloaded from the Artifactory cache or Artifactory would download them transparently. Similar to the way it works for maven dependencies.
When I tried that, it complained that the dependencies weren't found in artifactory. Ok.
Reading the documentation two things stand out. First, there's nothing there about GOPROXY and everything is about using artifactory cli. That's a big downside for several reasons.
Second, is that you need to publish dependencies manually with jfrog rt go-publish go --self=false --deps=ALL and then dependencies appear under a local repository.
So I'm trying to figure out if 1) I can avoid using JFrog CLI and 2) what's the point of remote repositories if they don't proxy? Or maybe I'm missing something?
Artifactory 6.3.0
I understand your confusion on the blog post you mentioned, though I have a feeling the intent of the writer was to more show how the JFrog CLI can be used.
To answer your questions:
1) Yes, you don't have to use the JFrog CLI to build. Please check out the documentation on how to set up a remote repository for Go. This will guide you through setting up GitHub or GoCenter as a remote repository for your Go builds. This will allow you to set the GOPROXY environment variable following this structure <protocol>://<username>:<password>#<artifactory domain>/api/go/<go repository>.
2) Remote repositories will absolutely act as a proxy, caching the contents you download from the remote repository (copying a part from the user guide: A remote Go repository in Artifactory serves as a caching proxy for a public Go registry such as GoCenter or GitHub.)

Can I site-host a bintray instance?

I would like to have a corporate deployment mechanism for making releases from Bamboo --> Artifactory --> Bintray, with approvals at each step. But, I still want the final Bintray instance to exist within our corporate domain, and off the web.
From Jfrog's website, it seems that there is not a site-hosted version available. Can anyone confirm that?
Yes, Bintray is not available as an on-premises installation - yet... :)
(PS. I'm with JFrog)

How to migrate from Artifactory to Nexus 2.8.0-05

I installed nexus-2.8.0-05-bundle.tar.gz and now I am trying to migrate old (single) repo from Artifactory.
How can I achieve this (Debian7)?
I read about the migration plugin but I cannot seem to find the right one... I unzipped nexus-migration-plugin-packaging-1.5-webapp.zip into the nexus installation folder but it doesn't seem to work... or at least I cannot find any related actions from the web admin console localhost:8081/nexus.
Cheers,
newbie
In order to migrate to Nexus you would use the export tool of Artifactory to get the repositories as plain files and folders structure.
Then you create a repo in Nexus and simply copy that storage into place.
Further details are available in the Nexus book migration chapter.
You can also ping us via a support ticket or via the mailings lists or hipchat channel.
PS: The migration plugin is deprecated and should not be used.

How to opensource a Maven plugin?

I have a Maven plugin that I want to share with the outside world. Is there an official Maven repository I can deploy this plugin to? What are the steps involved?
Any links to documentation much appreciated
I've been reading http://www.sonatype.com/people/2008/11/adding-a-jar-to-a-maven-repository-with-sonatype-nexus/ but this just seems to describe deploying to an internal Nexus repository, whereas I want to deploy to an external repo so any user can use it.
I would recommend:
Setting up an account in Github in order to have a place to host your source code.
Setting up an account in CloudBees' BuildHive. This is a free Jenkins CI for Open Source projects. This will test your project on every push to GitHub.
Request rights to publish your project to Maven Central.
The bit with the request will normally take up to a day and then you'll be able to publish your code directly to Maven Central.

Maven verify signatures of downloaded pom/jar files

I was trying to find if there is SSL enabled central repository but there probably isn't. I noticed that there are signatures for every jar and pom file in maven central repository. So at least I'd like to check signatures of all maven downloaded files (pom/jar).
The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:
ant-1.8.2.jar
ant-1.8.2.jar.asc
ant-1.8.2.jar.asc.md5
ant-1.8.2.jar.asc.sha1
ant-1.8.2.jar.md5
ant-1.8.2.jar.sha1
ant-1.8.2.pom
ant-1.8.2.pom.asc
ant-1.8.2.pom.asc.md5
ant-1.8.2.pom.asc.sha1
ant-1.8.2.pom.md5
ant-1.8.2.pom.sha1
I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.
There are PLENTY of tutorials on web on how to sign with maven. However I didn't find any information on how to force maven (2 or 3) to verify signatures of downloaded jar/pom files. Is it possible?
(Nexus Professional is not an option)
Thank you for help.
Now, that people seem to realize this is a real security problem (as described in this blog-post (the blog seems down, here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:
mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)
Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.
See also:
related Question and Answer
Sonatype's Blog to this topic
Could you write a bash shell script using GnuPG to verify each sig?
Something like:
for x in *.jar; do gpg --verify "${x}".asc; done
Obviously you would need the public keys for all the sigs before you started.
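Putting the two answers above together, here is an added example (not from this thread) that checks each .jar/.pom in a directory against the sidecar files listed in the question: the .sha1 checksum is compared in pure Python, and the detached .asc signature is handed to gpg when it is installed and the signer's key has already been imported. The sample repository it builds is constructed data, not a real ant-1.8.2 download.

```python
"""Verify Maven artifacts against their .sha1 and .asc sidecars (added example)."""
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path

def read_maven_checksum(sidecar: Path) -> str:
    # Maven .sha1/.md5 files hold a hex digest, sometimes followed by
    # whitespace and the file name; letter case varies between publishers.
    return sidecar.read_text().split()[0].lower()

def sha1_matches(artifact: Path) -> bool:
    # The checksum is served next to the artifact, so it only detects
    # corruption; tampering has to be caught by the PGP signature below.
    sidecar = artifact.with_name(artifact.name + ".sha1")
    if not sidecar.is_file():
        return False
    return hashlib.sha1(artifact.read_bytes()).hexdigest() == read_maven_checksum(sidecar)

def pgp_status(artifact: Path) -> str:
    """Return 'ok', 'bad', 'missing-asc' or 'gpg-unavailable' (no key import is done)."""
    asc = artifact.with_name(artifact.name + ".asc")
    if not asc.is_file():
        return "missing-asc"
    if shutil.which("gpg") is None:
        return "gpg-unavailable"
    # Detached signature: gpg checks <name>.asc against <name>.
    proc = subprocess.run(["gpg", "--batch", "--verify", str(asc), str(artifact)],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return "ok" if proc.returncode == 0 else "bad"

def verify_directory(directory: Path) -> dict:
    """Check every .jar and .pom in a directory, keyed by file name."""
    return {p.name: {"sha1": sha1_matches(p), "pgp": pgp_status(p)}
            for p in sorted(directory.iterdir()) if p.suffix in (".jar", ".pom")}

def build_sample_repo() -> Path:
    """Constructed sample: one artifact with a correct .sha1, one with a bogus one."""
    d = Path(tempfile.mkdtemp())
    jar = b"constructed jar bytes, not a real ant-1.8.2.jar"
    (d / "ant-1.8.2.jar").write_bytes(jar)
    (d / "ant-1.8.2.jar.sha1").write_text(
        hashlib.sha1(jar).hexdigest().upper() + "  ant-1.8.2.jar\n")
    (d / "ant-1.8.2.pom").write_bytes(b"<project/>")
    (d / "ant-1.8.2.pom.sha1").write_text("0" * 40 + "\n")
    return d

if __name__ == "__main__":
    print(verify_directory(build_sample_repo()))
```

Point verify_directory at a real local-repository folder (for example ~/.m2/repository/org/apache/ant/ant/1.8.2/) after importing the KEYS file mentioned above, and any artifact reporting "bad" or a false sha1 should be discarded.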
SSL access to Central is now available for a token payment. From https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/ :
We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager.
...
In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes.
Assuming you only want to download artifacts w/ valid checksums, one option would be to run the OSS version of Nexus and configure it to have a proxy of central. Then configure your settings.xml to only load from your repo (mirror tag in settings.xml). You can then configure nexus to only allow artifacts that have a valid checksum.
