gradle / plugin-portal-requests

Gradle Plugin Portal issues and requests.
https://plugins.gradle.org/

Enforce all plugin uploads to Gradle Plugin Portal require PGP signature #211

Open vlsi opened 5 years ago

vlsi commented 5 years ago

Expected Behavior

Published plugins should have cryptographic signatures, so they can be verified at the consumer side.

Note: this is related to https://github.com/gradle/gradle/issues/10443; however, gradle/gradle#10443 is the Gradle part for verification of checksums/signatures, whereas Gradle Plugin Portal forbids publishing of PGP signatures.

So this issue is to enforce (or "strongly advise") plugin authors to publish PGP signatures along with regular plugin jars.

Current Behavior

Current plugins are published without clear signatures, so consumers cannot tell if the jar was produced by a trusted party or not.

Note: SHA signatures do not help with that. In other words, every time a plugin updates, it would require consumers to look up a new SHA and bake that into a build script.

If published plugins had signatures, then the build script could reference "a set of trusted PGP keys", so it won't require updating the SHA sums on each version update.

Context

I'm trying to implement a reproducible and trusted build (e.g. for https://github.com/apache/jmeter ).

The sad thing is Plugin Portal does not require plugin authors to publish signatures, so it is really hard to check if a specific plugin jar is trusted or not.

For instance: https://plugins.gradle.org/m2/org/gradle/kotlin/plugins/1.2.9/ Is there a way to verify if plugins-1.2.9.jar corresponds to plugins-1.2.9-sources.jar? Who was the author of those artifacts?
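
The consumer-side "set of trusted PGP keys" described in this issue is what Gradle's dependency verification file expresses. The following `gradle/verification-metadata.xml` is an added example, not something from this thread or from the Gradle project's own tests; the group and name are the kotlin-dsl plugin coordinates quoted above, while the key fingerprint and checksum are placeholders that a consumer would fill in from the publisher's real key and artifact. It shows the two trust models side by side: a `trusted-key` entry that covers every version signed by that key, and a `sha256` entry that is valid for exactly one version.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml in the consuming build (added example, not from the thread).
     Group/name/version are the kotlin-dsl plugin coordinates quoted in the issue; the key
     fingerprint and checksum are placeholders to be replaced with the publisher's real values. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <!-- Require a valid PGP signature (.asc) for every resolved artifact. -->
      <verify-signatures>true</verify-signatures>
      <key-servers>
         <key-server uri="hkp://keyserver.ubuntu.com"/>
      </key-servers>
      <!-- Key-based trust: every version of org.gradle.kotlin:plugins signed by this key
           is accepted, so a plugin upgrade needs no change to this file. -->
      <trusted-keys>
         <trusted-key id="REPLACE-WITH-PUBLISHER-KEY-FINGERPRINT" group="org.gradle.kotlin" name="plugins"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- Hash-based trust for comparison: this entry pins exactly one version and must be
           re-recorded by hand for each update, which is the problem the issue describes. -->
      <component group="org.gradle.kotlin" name="plugins" version="1.2.9">
         <artifact name="plugins-1.2.9.jar">
            <sha256 value="REPLACE-WITH-SHA256-OF-THE-JAR" origin="Recorded by hand after download"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

With `verify-signatures` enabled, Gradle refuses an artifact whose signature is missing or whose signing key is not listed under `trusted-keys`, which is exactly why a portal that drops `.asc` files blocks this model. Gradle can bootstrap the file and export the keys it saw with `./gradlew --write-verification-metadata pgp,sha256 --export-keys help`; the generated entries should still be reviewed against the publisher's announced fingerprint before being trusted.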

vlsi commented 5 years ago

Oh. It looks like Plugin Portal forbids publishing PGP signatures. That is really sad.

I have tried to add a signature artifact, and there's a dedicated error message:

Ignoring unknown artifact type with extension "asc" and classifier ""
You can only upload normal jars, sources jars, javadoc jars and groovydoc jars
to the plugin portal at this time.
Ignoring unknown artifact type with extension "asc" and classifier "sources"
You can only upload normal jars, sources jars, javadoc jars and groovydoc jars
to the plugin portal at this time.
Ignoring unknown artifact type with extension "asc" and classifier "javadoc"
You can only upload normal jars, sources jars, javadoc jars and groovydoc jars
to the plugin portal at this time.

vlsi commented 4 years ago

@melix , sorry for pinging you here, but this issue might be relevant in the context of PGP verification.

Just in case, it turns out if I publish the plugin to Maven Central it just works, and it even supports PGP verification, so it looks like Central is a bit better than GPP for now :-/

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. Given the limited bandwidth of the team, it will be automatically closed if no further activity occurs. If you're interested in how we try to keep the backlog in a healthy state, please read our blog post on how we refine our backlog. If you feel this is something you could contribute, please have a look at our Contributor Guide. Thank you for your contribution.

nturner commented 3 years ago

Wait, gradle plugins are still not signed?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. Given the limited bandwidth of the team, it will be automatically closed if no further activity occurs. If you're interested in how we try to keep the backlog in a healthy state, please read our blog post on how we refine our backlog. If you feel this is something you could contribute, please have a look at our Contributor Guide. Thank you for your contribution.

vlsi commented 2 years ago

The issue is still relevant

vlsi commented 2 years ago

I just pushed a plugin to Gradle Plugin Portal, and it somehow accepted .asc signatures:

> Task :publishPlugins
Publishing plugin io.github.vlsi.karaf version 1.0.0
Thank you. Your new plugin io.github.vlsi.karaf has been submitted for approval by Gradle engineers. The request should be processed within the next few days, at which point you will be contacted via email.
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0.jar
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0.jar.asc
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-sources.jar.asc
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-groovydoc.jar.asc
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-javadoc.jar.asc
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-sources.jar
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-groovydoc.jar
Publishing artifact build/libs/gradle-karaf-plugin-1.0.0-javadoc.jar
Publishing artifact build/publish-generated-resources/pom.xml

Tapchicoma commented 2 years ago

FYI: version 1.0.0 of Gradle publish plugin now also supports signing:

  • Automate published artifact signing, if the signing plugin is applied

wiktor-k commented 6 months ago

I know this ticket is kind-of old but ever since its creation a bunch of new PGP libs have been created with vastly simpler API: https://github.com/pgpainless/pgpainless (not to mention that the author: @vanitasvitae is actually responsive and highly qualified in the OpenPGP space). PGPainless is also partly Kotlin!

I just wanted to update you all. I hope you don't mind the notification spam... :see_no_evil: