Gradle wrapper download fails via http [new]

sandeshwani · November 5, 2019, 10:14pm

Suddenly all the builds which are using http to download gradlew are failing.

 ./gradlew tasks
Unzipping /Users/sandeshw/.gradle/wrapper/dists/gradle-2.14.1-bin/ev4hc1s4g1oc9yuae0b81rdza/gradle-2.14.1-bin.zip to /Users/sandeshw/.gradle/wrapper/dists/gradle-2.14.1-bin/ev4hc1s4g1oc9yuae0b81rdza
Exception in thread "main" java.util.zip.ZipException: zip file is empty
        at java.base/java.util.zip.ZipFile$Source.zerror(ZipFile.java:1252)
        at java.base/java.util.zip.ZipFile$Source.findEND(ZipFile.java:1072)
        at java.base/java.util.zip.ZipFile$Source.initCEN(ZipFile.java:1160)
        at java.base/java.util.zip.ZipFile$Source.<init>(ZipFile.java:997)
        at java.base/java.util.zip.ZipFile$Source.get(ZipFile.java:960)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:216)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:148)
        at java.base/java.util.zip.ZipFile.<init>(ZipFile.java:162)
        at org.gradle.wrapper.Install.unzip(Install.java:214)
        at org.gradle.wrapper.Install.access$600(Install.java:27)
        at org.gradle.wrapper.Install$1.call(Install.java:74)
        at org.gradle.wrapper.Install$1.call(Install.java:48)
        at org.gradle.wrapper.ExclusiveFileAccessManager.access(ExclusiveFileAccessManager.java:65)
        at org.gradle.wrapper.Install.createDist(Install.java:48)
        at org.gradle.wrapper.WrapperExecutor.execute(WrapperExecutor.java:128)
        at org.gradle.wrapper.GradleWrapperMain.main(GradleWrapperMain.java:61)

gradlew.properties configuration is:
distributionUrl=http\://services.gradle.org/distributions/gradle-2.14.1-bin.zip

It works if I change to use https:
distributionUrl=https\://services.gradle.org/distributions/gradle-2.14.1-bin.zip

We have 100s of the project with Http setting.
Do we need to change every project to use https instead of Http?

Seems familiar with the old post:

Bjorn_Vester · November 6, 2019, 11:31am

Yes, I believe you will have to do that for all your projects. You can read about the reasoning for this in the announcement here.

According to that, the default has been https since Gradle 1.2, and you are on 2.14.1. So it’s a bit weird that your wrappers are configured with plain http to begin with.

While annoying to change for that many projects, it is important that you do it from a security perspective. Right now you are vulnerable to a man-in-the-middle attack, and you should feel good about doing something about it.

JLLeitschuh · November 7, 2019, 5:06pm

Hi @sandeshwani,

I’m sorry to hear that this decommission is causing issues for you. It sounds like you may also potentially hitting this JDK bug from Java 1.3 where a URL Connection would not follow a redirect that had a protocol switch (ie. HTTP -> HTTPS). For the short term, if you can update to a JDK version that does not have that bug, this may fix your problem in the short term, however, in the longer term, you will have to migrate these builds to use HTTPS.

sandeshwani · November 7, 2019, 8:35pm

Thanks for the response. We are using JDK 1.8+ in every project.