Open Nek-12 opened 5 months ago
The plugin portal only recently supported pgp signatures for plugins, so almost the entire ecosystem of plugins are unsigned. While it’s encouraging to enable signing now that it is supported, it is very misleading to pretend as if this is a security vulnerability that does not exist throughout your build regardless. The proper fix is to use repository constraints so that plugins are only searched in trusted sources. Assuming that you don’t screw up by trusting the wrong signature files won’t protect you.
https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/
Gradle task
did not find a pgp public key in a remote repository or the artifact is not signed.
A fix is to: