
Add plexus-xml as explicit dependency required by plexus-sec-dispatcher#40

Closed
HannesWell wants to merge 1 commit into apache:master from HannesWell:add-plexus-xml-dependency

Conversation

@HannesWell

Since version 4 the XML tools of plexus-utils have been moved into plexus-xml, but plexus-utils only has an optional dependency on it. Since org.sonatype.plexus:plexus-sec-dispatcher is compiled against plexus-utils version 1.5, it expects the XML classes to be available and fails with a
java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
in org.sonatype.plexus.components.sec.dispatcher.SecUtil.read() when creating an instance of SecurityConfigurationXpp3Reader.

The full stack-trace is

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:3.1.0:sign (sign-jars) on project foo:bar Error processing archives java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader: org.codehaus.plexus.util.xml.XmlStreamReader -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal org.apache.maven.plugins:maven-jarsigner-plugin:3.1.0:sign (sign-jars) on project foo:bar: Error processing archives
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:333)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute(MojoExecutor.java:316)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:212)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:174)
	at org.apache.maven.lifecycle.internal.MojoExecutor.access$000(MojoExecutor.java:75)
	at org.apache.maven.lifecycle.internal.MojoExecutor$1.run(MojoExecutor.java:162)
	at org.apache.maven.plugin.DefaultMojosExecutionStrategy.execute(DefaultMojosExecutionStrategy.java:39)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:159)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:105)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:73)
	at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build(SingleThreadedBuilder.java:53)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:118)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:261)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:173)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:101)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:906)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:283)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:206)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:568)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:255)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:201)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:361)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:314)
Caused by: org.apache.maven.plugin.MojoExecutionException: Error processing archives
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.processArchives(JarsignerSignMojo.java:330)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.execute(AbstractJarsignerMojo.java:284)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:126)
	at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2(MojoExecutor.java:328)
	... 25 more
Caused by: java.util.concurrent.ExecutionException: java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
	at java.base/java.util.concurrent.FutureTask.report(FutureTask.java:122)
	at java.base/java.util.concurrent.FutureTask.get(FutureTask.java:191)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.processArchives(JarsignerSignMojo.java:321)
	... 28 more
Caused by: java.lang.NoClassDefFoundError: org/codehaus/plexus/util/xml/XmlStreamReader
	at org.sonatype.plexus.components.sec.dispatcher.SecUtil.read(SecUtil.java:58)
	at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.getSec(DefaultSecDispatcher.java:206)
	at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt(DefaultSecDispatcher.java:90)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.decrypt(AbstractJarsignerMojo.java:561)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.createRequest(JarsignerSignMojo.java:295)
	at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.processArchive(AbstractJarsignerMojo.java:472)
	at org.apache.maven.plugins.jarsigner.JarsignerSignMojo.lambda$processArchives$0(JarsignerSignMojo.java:315)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
	at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassNotFoundException: org.codehaus.plexus.util.xml.XmlStreamReader
	at org.codehaus.plexus.classworlds.strategy.SelfFirstStrategy.loadClass(SelfFirstStrategy.java:42)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.unsynchronizedLoadClass(ClassRealm.java:225)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:210)
	at org.codehaus.plexus.classworlds.realm.ClassRealm.loadClass(ClassRealm.java:205)
	... 11 more

Since version 4 the xml tools of plexus-utils have been moved into
plexus-xml, but plexus-utils only has an optional dependency on it.
Since org.sonatype.plexus:plexus-sec-dispatcher is compiled against
plexus-utils version 1.5 it expects the xml classes to be available and
fails with a
'java.lang.NoClassDefFoundError:
org/codehaus/plexus/util/xml/XmlStreamReader'

in org.sonatype.plexus.components.sec.dispatcher.SecUtil.read(), when
creating an instance of 'SecurityConfigurationXpp3Reader'.
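As an added illustration (not code from this PR or from the maven-jarsigner-plugin's own pom.xml), the kind of declaration the PR title describes: the old org.sonatype.plexus:plexus-sec-dispatcher dependency kept next to an explicit plexus-xml dependency, so the XML classes it was compiled against are on the plugin classpath at runtime and not only in test scope. The groupId org.codehaus.plexus for plexus-xml is assumed from the artifact's usual coordinates, and both version properties are placeholders.

```xml
<!-- Added example, not the project's own pom.xml.
     plexus-utils 4.x only declares plexus-xml as an optional dependency,
     and Maven does not pass optional dependencies on transitively, so a
     consumer compiled against the old plexus-utils 1.5 layout must
     declare plexus-xml itself. Versions are placeholders. -->
<dependencies>
  <dependency>
    <groupId>org.sonatype.plexus</groupId>
    <artifactId>plexus-sec-dispatcher</artifactId>
    <version>${plexus-sec-dispatcher.version}</version>
  </dependency>
  <!-- Explicit dependency supplying org.codehaus.plexus.util.xml.XmlStreamReader
       at runtime (default compile scope, so it reaches the plugin realm). -->
  <dependency>
    <groupId>org.codehaus.plexus</groupId>
    <artifactId>plexus-xml</artifactId>
    <version>${plexus-xml.version}</version>
  </dependency>
</dependencies>
```

To confirm the artifact actually lands in the resolved runtime classpath rather than only in test scope, run `mvn dependency:tree -Dincludes=org.codehaus.plexus:plexus-xml` on the plugin module and check that the reported scope is compile, not test.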
@HannesWell
Author

HannesWell commented Dec 5, 2024

Of course ideally plexus-sec-dispatcher would be adapted to not require plexus-xml anymore, or at least to require it explicitly, but since the latest release happened 15 years ago, I assume nothing will change there.

And since I have not found any other report about this error, I wonder if I am doing something wrong in the configuration of my jarsigner execution? But as far as I can tell, my configuration looks quite default.

@slawekjaranowski
Member

It is interesting that no integration tests fail because of it ...

@HannesWell
Author

> It is interesting that no integration tests fail because of it ...

Yes, absolutely. That's why I was wondering if I use a special configuration or the like. For me signing failed completely and immediately.

@slawekjaranowski
Member

Can you try to reproduce it and add a test?

@HannesWell
Author

> Can you try to reproduce it and add a test?

I'm currently working on a reproducer. The problems are, and I think that's the reason why the tests didn't discover it, that only dummy SecDispatcher implementations are used and not a real DefaultSecDispatcher. Plus it looks like in tests the optional dependency of plexus-utils on plexus-xml is added, while it isn't at runtime.

@slachiewicz
Member

@cstamas fyi

@slawekjaranowski
Member

@HannesWell which Maven version do you use?

@cstamas
Member

cstamas commented Dec 8, 2024

Otp, but need to look at this...

@HannesWell
Author

> Can you try to reproduce it and add a test?

Just created #41, but it currently does not fail as desired.

> @HannesWell which Maven version do you use?

3.9.9

In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old, and I regularly get errors like the following, always using the same encrypted key.

 Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
     at com.sun.crypto.provider.CipherCore.unpad (CipherCore.java:862)
     at com.sun.crypto.provider.CipherCore.fillOutputBuffer (CipherCore.java:942)
     at com.sun.crypto.provider.CipherCore.doFinal (CipherCore.java:735)
     at com.sun.crypto.provider.AESCipher.engineDoFinal (AESCipher.java:436)
     at javax.crypto.Cipher.doFinal (Cipher.java:2205)
     at org.sonatype.plexus.components.cipher.PBECipher.decrypt64 (PBECipher.java:185)
     at org.sonatype.plexus.components.cipher.DefaultPlexusCipher.decrypt (DefaultPlexusCipher.java:72)
     at org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher.decrypt (DefaultSecDispatcher.java:96)
     at org.apache.maven.plugins.jarsigner.AbstractJarsignerMojo.decrypt (AbstractJarsignerMojo.java:561)

I first looked at org.codehaus.plexus:plexus-sec-dispatcher, which looked like the natural successor to me, but found out that it's explicitly blocked by some enforcer rules. And I assume that's for a good reason.
Furthermore https://issues.apache.org/jira/browse/MNG-4384 mentioned SettingsDecrypter, but I failed to apply it here and therefore assume it would also require work in that interface. And given that it's deprecated for Maven 4, I assume it isn't the best solution nowadays anyway:
https://github.com/apache/maven/blob/1b5b5c8f9e7433762e8dce53c2e17d75b6a06b06/compat/maven-settings-builder/src/main/java/org/apache/maven/settings/crypto/SettingsDecrypter.java#L26-L27

If you can tell me a good way forward, I would be interested in making the jarsigner plugin more robust and up-to-date.
Or is using Maven's password encryption mechanism for the signature file password not recommended?
https://maven.apache.org/guides/mini/guide-encryption.html
Because this seems to be the root of all my problems.

@HannesWell
Author

HannesWell commented Jan 2, 2025

> In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old, and I regularly get errors like the following, always using the same encrypted key.

Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

@slawekjaranowski
Member

> In general I have the impression it would be better to migrate off org.sonatype.plexus:plexus-sec-dispatcher. It's quite old, and I regularly get errors like the following, always using the same encrypted key.

> Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

It is a good way.

@slachiewicz
Member

Maybe we could also add this to the banned dependencies, like with plexus-container?

@cstamas
Member

cstamas commented Jan 25, 2025

> Would a proper way to get rid of it be the same as done in apache/maven-gpg-plugin#115 ?

yup yup yup

@Bukama
Contributor

Bukama commented Nov 18, 2025

The added dependency was done by @slachiewicz in #130, so I close this as it's no longer needed.
For the migration off org.sonatype.plexus:plexus-sec-dispatcher I have created an issue.

@Bukama Bukama closed this Nov 18, 2025
@HannesWell HannesWell deleted the add-plexus-xml-dependency branch November 18, 2025 21:50