
Better checks for signed artifacts in the security ratings

Open artem-smotrakov opened this issue 3 years ago • 2 comments

Currently, the SignsJarArtifacts data provider checks whether or not a project uses a plugin that signs artifacts. However, some projects don't use such plugins, for example https://github.com/spring-projects/spring-security. However, there are PGP signatures for its artifacts:

https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/5.5.0/

It may be better if the data provider checked whether signatures exist instead of looking for plugins.

artem-smotrakov avatar Jun 21 '21 09:06 artem-smotrakov

@artem-smotrakov There are a few things to consider:

  • To identify if an artifact is signed with PGP signatures, we need to get the .asc.
  • If I am checking the whole GitHub project, I would have to parse through all the version folders in the maven repo and then check if a .asc file exists with the content for the GitHub project:
      -----BEGIN PGP SIGNATURE-----
      ...
      -----END PGP SIGNATURE-----
  • If a .asc file does exist, do we have to make sure that all the jars in an artifact version https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/5.5.0/ also have an associated .asc file?
  • Please clarify if my understanding is correct.

sourabhsparkala avatar Sep 01 '21 07:09 sourabhsparkala

@sourabhsparkala

  • If I am checking the whole GitHub project, I would have to parse through all the version folders

I think it is enough to check a few latest versions.

  • If a .asc file does exist, do we have to make sure that all the jars in an artifact version https://repo1.maven.org/maven2/org/springframework/security/spring-security-core/5.5.0/ also have an associated .asc file?

If a signature doesn't exist, then the jar is not signed. It's better to check the docs anyway.

A few more things to consider here:

  • A jar file can be signed by jarsigner; then the signature will be in the jar's manifest.
  • It would be good to support other artifact types, not only jar files.

artem-smotrakov avatar Sep 04 '21 15:09 artem-smotrakov
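The two checks discussed in this thread side by side, as an added example that is not fosstars-rating-core code: every .jar/.pom in one Maven version directory must have a .asc carrying PGP armor, and a jar may instead carry a jarsigner signature (META-INF/<alias>.SF plus a matching .RSA/.DSA/.EC block). The directory listing, the jar contents and the alias name RELEASE are constructed for the example.

```python
import io
import zipfile

PGP_HEADER = "-----BEGIN PGP SIGNATURE-----"
PGP_FOOTER = "-----END PGP SIGNATURE-----"
SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")   # signature block types jarsigner writes


def looks_like_pgp_signature(text: str) -> bool:
    """A .asc file only counts as evidence if it is an ASCII-armored PGP signature."""
    lines = [l.strip() for l in text.strip().splitlines()]
    return len(lines) >= 2 and lines[0] == PGP_HEADER and lines[-1] == PGP_FOOTER


def unsigned_artifacts(listing: dict) -> list:
    """listing maps filename -> fetched text (for .asc files) or None.
    Returns the .jar/.pom artifacts that lack a matching PGP-armored .asc."""
    missing = []
    for name in sorted(listing):
        if not name.endswith((".jar", ".pom")):
            continue
        asc = listing.get(name + ".asc")
        if asc is None or not looks_like_pgp_signature(asc):
            missing.append(name)
    return missing


def jarsigner_signed(jar_bytes: bytes) -> bool:
    """True if META-INF holds an <alias>.SF with a matching <alias>.RSA/.DSA/.EC block."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        meta = [n[len("META-INF/"):] for n in zf.namelist()
                if n.startswith("META-INF/") and "/" not in n[len("META-INF/"):]]
    sf_aliases = {n[:-3] for n in meta if n.endswith(".SF")}
    block_aliases = {n.rsplit(".", 1)[0] for n in meta if n.endswith(SIG_BLOCK_EXT)}
    return bool(sf_aliases & block_aliases)


def make_jar(signed: bool) -> bytes:
    """Constructed jar: the signed variant mimics jarsigner's META-INF layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Hello.class", b"\xca\xfe\xba\xbe")
        if signed:
            zf.writestr("META-INF/RELEASE.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/RELEASE.RSA", b"\x30\x82")  # placeholder PKCS#7 bytes
    return buf.getvalue()


ARMOR = PGP_HEADER + "\n\niQEz...\n" + PGP_FOOTER + "\n"   # constructed armor body
# Constructed version directory: the -sources jar has no .asc next to it.
SAMPLE_LISTING = {"lib-1.0.jar": None, "lib-1.0.jar.asc": ARMOR, "lib-1.0.jar.sha1": None,
                  "lib-1.0.pom": None, "lib-1.0.pom.asc": ARMOR, "lib-1.0-sources.jar": None}
```

`unsigned_artifacts(SAMPLE_LISTING)` reports only `lib-1.0-sources.jar`, while `jarsigner_signed(make_jar(True))` is true and the unsigned variant is false.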