SLCORE-2239 Add on-demand plugin signature verification

[Krosovok]

No description provided.

[sonar-review-alpha]

Summary

This PR implements PGP signature verification for on-demand plugins to ensure downloaded C-family and C# analyzers haven't been tampered with. It adds a new OnDemandPluginSignatureVerifier class using BouncyCastle's PGP library to validate that plugin JARs match their bundled .asc signatures using the SonarSource public key. Plugin signature files are downloaded during Maven build and embedded as resources. The implementation handles both compressed and uncompressed PGP formats and includes comprehensive error handling. One test file update accommodates SonarQube 2026.4's HTML output format change.

What reviewers should know

Start here: Review OnDemandPluginSignatureVerifier.java - the core logic is straightforward: load the SonarSource public key from resources, load the plugin's bundled signature file, verify the JAR content against it. Pay attention to extractSignatureList() which handles both compressed and uncompressed PGP signature formats.

Key decisions:

• Public key and plugin signatures are embedded as resources rather than fetched at runtime - ensures verification is self-contained
• Bundled signatures are downloaded during Maven build phase (see pom.xml build section with download-maven-plugin) and stored with predictable names like sonar-cpp-plugin.jar.asc
• The verifier returns false on any error (missing signature, tampered JAR, invalid format) rather than throwing exceptions - callers should decide how to handle verification failures
• Resource filtering on ondemand-plugins.properties allows Maven to inject version placeholders

Test coverage: The test class is well-designed with 8 scenarios covering the happy path, invalid signatures, missing/corrupt files, and edge cases like compressed signatures and unknown keys. Test resources include a real test JAR and various signature formats.

Minor change: The SonarQubeDeveloperEditionTests.java updates handle a SonarQube 2026.4 formatting change in HTML output (<li> vs <li> with space) - this is safe to include.

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[hashicorp-vault-sonar-prod]

SLCORE-2239

[sonar-review-alpha]

Conclusion: Small but focused PR. The implementation logic is correct, but there's a systematic double-logging problem that will produce confusing noise in production diagnostics and needs to be fixed before merge.

🗣️ Give feedback

[Copilot]

Pull request overview

Adds a PGP-based signature verification utility intended to validate on-demand downloaded plugin JARs against a SonarSource public key, with accompanying test fixtures.

Changes:

• Introduce OnDemandPluginSignatureVerifier using BouncyCastle OpenPGP APIs to verify detached .asc signatures.
• Add SonarSource public key to main resources and a test-only key/signature + test JAR fixture for verification tests.
• Add JUnit tests covering valid signature, tampered JAR, and missing signature scenarios.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
backend/core/src/main/java/org/sonarsource/sonarlint/core/plugin/ondemand/OnDemandPluginSignatureVerifier.java	New verifier implementation for detached PGP signatures.
backend/core/src/main/resources/sonarsource-public.key	Adds the SonarSource public key used for verification in production.
backend/core/src/test/java/org/sonarsource/sonarlint/core/plugin/ondemand/OnDemandPluginSignatureVerifierTest.java	Adds unit tests for the verifier behavior.
backend/core/src/test/resources/sonarsource-public.key	Test-only public key used to validate the test signature.
backend/core/src/test/resources/sonar-cpp-plugin.jar.asc	Detached signature fixture used by tests.
backend/core/src/test/resources/sonar-cpp-plugin-test.jar	Test JAR fixture whose content matches the detached signature.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[sonar-review-alpha]

Conclusion: Solid, focused PR. The PGP verification logic is correct, the BouncyCastle provider is passed explicitly rather than registered globally (the right call), the compressed/uncompressed signature format handling is thorough, and the test setup using a separate test key pair is well-structured. No logic duplication, no missed bugs.

🗣️ Give feedback

[sonarqube-next]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0 Dependency risks
82.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[sonar-review-alpha]

Conclusion: The implementation is well-structured and the test coverage is thorough, but there is one real issue that needs fixing before merge: the most security-relevant failure mode produces no log output.

🗣️ Give feedback

[sonar-review-alpha]

Every other failure path in this method logs at ERROR before returning false — missing signature, unknown key, parse exception — but the most security-sensitive case does not: when signature.verify() itself returns false the call site receives false with zero log output. An operator whose JAR has been tampered with would see nothing in the logs to indicate why verification failed.

Add an explicit error log before returning:

boolean valid = signature.verify();
if (!valid) {
  LOG.error("PGP signature verification failed for plugin '{}' — file may have been tampered", pluginKey);
}
return valid;

The pluginKey is available in the enclosing verifyPgpSignature parameter, so no extra plumbing is needed.

• Mark as noise

[nquinquenel]

I think you can use the latest version

[nquinquenel]

WDYT about moving these resource files in a sub folder?