PGP Verify Plugin: How to verify dependency signatures?


(Misagh Moayyed) #1

In Maven, there exists:

How can one via gradle verify the signature of a downloaded artifact? Are there plugins available that already do this? Should we write one? Does gradle offer a way to verify?

(Marcin Zajączkowski) #2

There is the gradle-witness plugin. Unfortunately it seems to be not actively developed anymore and there are some pending issues (like support for buildscript dependencies verification).

Anyway, artifact consistency does not seem to be high on the Gradle team priority list. There is an ability to verify the sha256 signature of a downloaded distribution (contributed by the community), but the official checksums for published distributions are not available (not to mention OpenPGP/GPG signing).

(Misagh Moayyed) #3

I did give the witness plugin a try. It seems to only verify checksums against a preconfigured set of hash values. It does not quite deal with PGPs at all. Right?

(Marcin Zajączkowski) #4

Yes, you are completely right. I misread the question.

Anyway, I wonder what kind of attack you would like to prevent? Binary artifact modification by a rogue Maven mirror?

(Misagh Moayyed) #5

Yes, exactly. I was sort of inspired by this article here:

…where there is a fair amount of good discussion on cross-build injection attacks.

I did look around, and found nothing that might do what the Maven equivalent does. I might port a simplified version of the plugin over and use it for CAS, but thought to check here and see if there are better ways of doing this.

(Florian Schmaus) #6

See also this related Stackoverflow question and answer. Disclaimer: The answer is by me.
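As an added example (not from any participant in this thread): later Gradle releases (6.2 and up) gained built-in dependency verification, which covers both of the checks discussed above, pinned checksums as gradle-witness does and OpenPGP signature checks as the Maven plugin does. The configuration lives in `gradle/verification-metadata.xml`. The key id, checksum and coordinates below are placeholders, not real values; the group/name/version are an assumed example dependency.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Also verify .pom/.module metadata, not only the jar: a tampered POM
           can pull in extra dependencies that the jar check alone would miss. -->
      <verify-metadata>true</verify-metadata>
      <!-- Fail the build when an artifact's .asc signature is missing or does
           not verify against a trusted key (the rogue-mirror case). -->
      <verify-signatures>true</verify-signatures>
      <!-- Keys are read from the committed gradle/verification-keyring.keys file;
           disabling key servers keeps the build offline and reproducible. -->
      <keyring-format>armored</keyring-format>
      <key-servers enabled="false"/>
      <trusted-keys>
         <!-- PLACEHOLDER key fingerprint, scoped to one group so a key trusted
              for one project cannot sign arbitrary other artifacts. -->
         <trusted-key id="0000000000000000000000000000000000000000" group="org.example"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- Assumed example dependency with PLACEHOLDER checksum. Signature
           verification and checksum pinning are both applied; an artifact
           served from a mirror with modified bytes fails on either check. -->
      <component group="org.example" name="example-lib" version="1.0.0">
         <artifact name="example-lib-1.0.0.jar">
            <pgp value="0000000000000000000000000000000000000000"/>
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="placeholder - regenerate with --write-verification-metadata"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap this file with `gradle --write-verification-metadata pgp,sha256 --export-keys help`, which resolves the build's dependencies, records their signing keys and checksums, and writes the keyring next to the metadata file. The generated key list still has to be reviewed by a person before it is committed: an attacker who can serve a modified jar through a mirror can just as easily serve a signature from a key they control, so trust comes from confirming the fingerprints against the upstream project's published keys, not from the fact that a signature verifies.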