littlerobots / version-catalog-update-plugin

Gradle plugin for updating a project version catalog
Apache License 2.0
544 stars, 22 forks

[Security] Plugin descriptor pom.xml is not signed on Gradle Plugin portal #141

Open Nek-12 opened 5 months ago

Nek-12 commented 5 months ago

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

```shell
./gradlew --write-verification-metadata pgp,sha256 --export-keys
```

did not find a pgp public key in a remote repository, or the artifact is not signed.

```xml
<component group="nl.littlerobots.vcu" name="plugin" version="0.8.3">
   <artifact name="plugin-0.8.3.jar">
      <sha256 value="2690b387c075400f5f9f37b0dae064bcd6589c9d0ce5c0a4f217e72c11ec7fab" origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
   </artifact>
   <artifact name="plugin-0.8.3.module">
      <sha256 value="2e7348d2410398cf98bb5e47d938d5ce71b852950ce7bd22f8f64c627a85d36f" origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
   </artifact>
</component>
<component group="nl.littlerobots.version-catalog-update" name="nl.littlerobots.version-catalog-update.gradle.plugin" version="0.8.3">
   <artifact name="nl.littlerobots.version-catalog-update.gradle.plugin-0.8.3.pom">
      <sha256 value="5c3e08a859878658c9b944edc61b1fe6bd686f44c0ea32fe306e963c5ae42f1c" origin="Generated by Gradle" reason="Artifact is not signed">
         <also-trust value="92e803172f9f0b5ea3dc993102247b357c5d241f41f8823e24166f8ea652cf16"/>
      </sha256>
   </artifact>
</component>
```

A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/

hvisser commented 5 months ago

As you mention, the artifacts are signed, except for the plugin descriptor pom.

I've checked both the Gradle Plugin Portal and Maven Central and the artifacts are signed with this key that is published on the ubuntu keyserver https://keyserver.ubuntu.com/pks/lookup?search=3FCFA3B530AFDCE3&fingerprint=on&op=index. This is a requirement for publishing on Maven Central.

It seems like Gradle is not using this key server, or at least not for every key. You can specify to use that keyserver too. I've also uploaded my key to the openpgp keyserver.

As for the plugin descriptor, I'll check if that can be fixed.
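The key-server hint above can be made explicit in Gradle's dependency verification file. The following `gradle/verification-metadata.xml` is an added example written for this thread, not a file from the plugin's repository or from either commenter: it configures signature verification, names the two key servers hvisser published the key to, pins the signing key to the plugin's group, and keeps the checksum that Gradle generated for the unsigned marker pom in the issue report. The thread only shows the long key id `3FCFA3B530AFDCE3`; the full fingerprint that `trusted-key` needs is not on the page, so it is left as a labelled placeholder, and the `origin` text is a constructed label.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml: added example for this thread, not the project's own file.
     Assumed location is the default Gradle reads; the fingerprint below is a placeholder. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>true</verify-signatures>
      <!-- The default key servers did not return the key in the report above
           ("A key couldn't be downloaded"); list the servers the author uploaded to. -->
      <key-servers>
         <key-server uri="https://keyserver.ubuntu.com"/>
         <key-server uri="https://keys.openpgp.org"/>
      </key-servers>
      <!-- Restrict which key may sign this plugin's artifacts. Replace the placeholder
           with the full 40-hex fingerprint of key 3FCFA3B530AFDCE3 taken from the
           keyserver page; a bare long id is not enough for current Gradle versions. -->
      <trusted-keys>
         <trusted-key id="REPLACE_WITH_FULL_FINGERPRINT_OF_3FCFA3B530AFDCE3" group="nl.littlerobots.vcu"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- The plugin marker pom served by the Gradle Plugin Portal has no .asc signature,
           so signature verification cannot apply; the checksum from the issue report
           is kept so the build still fails on any change to that file. -->
      <component group="nl.littlerobots.version-catalog-update" name="nl.littlerobots.version-catalog-update.gradle.plugin" version="0.8.3">
         <artifact name="nl.littlerobots.version-catalog-update.gradle.plugin-0.8.3.pom">
            <sha256 value="5c3e08a859878658c9b944edc61b1fe6bd686f44c0ea32fe306e963c5ae42f1c" origin="Constructed label: checksum copied from the issue report" reason="Artifact is not signed"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

With this in place, re-running `./gradlew --write-verification-metadata pgp,sha256 --export-keys` looks the key up on the listed servers and exports whatever it finds into the keyring file Gradle keeps next to the metadata, so later builds verify offline. Two things are worth checking before committing the result: the generated report in the issue shows an `also-trust` value for the marker pom, meaning Gradle saw two different checksums for the same file, so confirm which repository each one came from rather than trusting both; and any entry that still carries `reason="A key couldn't be downloaded"` after the key servers are configured should be treated as a verification gap, not silently accepted as a checksum.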

hvisser commented 5 months ago

This only affects the signing of the plugin marker pom on the Gradle Plugin Portal. If you need a signed pom for current versions, make sure you use the mavenCentral repository which has all artifacts signed correctly.

Nek-12 commented 5 months ago

Let me try the changes you have made. Looks like several of the points you mention could be the cause. Looks like Gradle only recently started allowing signing plugins in their repository.

Nek-12 commented 5 months ago

We are already using maven central as the first repository, so that must not be the issue.

hvisser commented 5 months ago

I don't have the direct URLs handy here but the maven central repository has the pom.xml.asc with the signature for the plugin descriptor, while the Gradle plugin portal repo hasn't. This is strange because it's basically the same maven publication so either the signed pom.xml isn't there yet when the upload happens from CI, or it's ignored by the plugin portal. For the next release I'll try to test this.

You might need to add maven central to your plugin repositories too if you haven't already. Since you get the not signed warning on the plugin descriptor pom, you must be getting the plugin from the plugin portal.