search

ben-manes / gradle-versions-plugin

Gradle plugin to discover dependency updates
Apache License 2.0
3.82k stars 199 forks source link

Sign plugin artifacts #833

Open Nek-12 opened 5 months ago

Nek-12 commented 5 months ago

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task 

./gradlew --write-verification-metadata pgp,sha256 --export-keys

did not find a pgp public key in a remote repository or the artifact is not signed.

 <component group="com.github.ben-manes" name="gradle-versions-plugin" version="0.50.0">
         <artifact name="gradle-versions-plugin-0.50.0.jar">
            <sha256 value="cc5381f2601200ed2405d44ea9eaab821560904bfdc9f17f8f0035a7706a4fb3" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
         <artifact name="gradle-versions-plugin-0.50.0.module">
            <sha256 value="2dacaacd0172ac5d258f6adc93399d5b091bc2029db9a3d665c4d00e4e7f6bec" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
      </component>

A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/
ben-manes commented 5 months ago

The plugin portal only recently supported pgp signatures for plugins, so almost the entire ecosystem of plugins are unsigned. While it’s encouraging to enable signing now that it is supported, it is very misleading to pretend as if this is a security vulnerability that does not exist throughout your build regardless. The proper fix is to use repository constraints so that plugins are only searched in trusted sources. Assuming that you don’t screw up by trusting the wrong signature files won’t protect you.