Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Improved: Dependency verification (OFBIZ-12186)
I just read an ASF members thread about this article: https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610

One member mentioned that the Groovy project is using Gradle's dependency verification feature[1] in the Apache Groovy build. I suggest we do the same, even after the move from JCenter to MavenCentral where things should be safer.

[1] https://docs.gradle.org/current/userguide/dependency_verification.html

This commit includes:
- The verification-metadata.xml and verification-keyring.gpg used by the verification task
- *.gpg as binary in .gitattributes for verification-keyring.gpg
- The documentation about the verification in sy-dependency-verification.adoc, with a link and some unrelated changes in security.adoc about security for OFBiz in production
- An empty line removed in build.gradle
1 parent bcb76eb, commit c2c609d. Showing 6 changed files with 8,865 additions and 2 deletions.
@@ -39,3 +39,4 @@ rc.ofbiz.* text | |
*.zip binary | ||
*.jks binary | ||
*.ttf binary | ||
*.gpg binary |
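Review bot: `*.gpg binary` marks every .gpg file in the repository as binary, not only the verification keyring that the commit message says it is for; that is the right treatment for the keyring (line-ending normalization of a binary keyring would corrupt it and make signature verification fail), but the blanket glob will also silently apply to any other .gpg file added later. If only the keyring is intended, consider a path-specific entry such as `gradle/verification-keyring.gpg binary`, or add a comment next to the rule saying it exists for the Gradle verification keyring.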
60 changes: 60 additions & 0 deletions
framework/security/src/docs/asciidoc/_include/sy-dependency-verification.adoc
@@ -0,0 +1,60 @@ | ||
//// | ||
Licensed to the Apache Software Foundation (ASF) under one | ||
or more contributor license agreements. See the NOTICE file | ||
distributed with this work for additional information | ||
regarding copyright ownership. The ASF licenses this file | ||
to you under the Apache License, Version 2.0 (the | ||
"License"); you may not use this file except in compliance | ||
with the License. You may obtain a copy of the License at | ||
|
||
http://www.apache.org/licenses/LICENSE-2.0 | ||
|
||
Unless required by applicable law or agreed to in writing, | ||
software distributed under the License is distributed on an | ||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
KIND, either express or implied. See the License for the | ||
specific language governing permissions and limitations | ||
under the License. | ||
//// | ||
|
||
= Gradle Dependency Verification | ||
The Apache OFBiz Project | ||
Release trunk | ||
|
||
https://docs.gradle.org/current/userguide/dependency_verification.html[Here is the Gradle documentation about dependency verification] | ||
|
||
As it's a long read you might prefer this summary: | ||
|
||
NOTE: the dependency verification is an incubating feature. So we will wait before backporting from trunk... | ||
|
||
By default OFBiz comes with OOTB Gradle dependency verification. | ||
|
||
This means that it embeds a verification-metadata.xml file and a verification-keyring.gpg in OFBiz gradle sub-directory which is used during builds and other tasks to verify dependencies. | ||
|
||
These files are initially created using : | ||
|
||
TIP: gradlew --write-verification-metadata pgp,sha256 help + | ||
gradlew --write-verification-metadata pgp,sha256 --export-keys | ||
|
||
These command creates or updates the verification-metadata.xml and verification-keyring.gpg files which respectively contains the checksums for each of declared dependencies and the related keys | ||
|
||
|
||
Currently the status is it's incomplete in OFBiz. You get this message: | ||
|
||
* Some artifacts aren't signed or the signature couldn't be retrieved. | ||
* Some signature verification failed. Checksums were generated for those artifacts but you MUST check if there's an actual problem. Look for entries with the following comment: PGP verification failed | ||
PGP verification failed | ||
|
||
Only 6 keys are concerned. This does not prevent the verification to work using metadata, though it's better to check the situation in case of doubts (OK OTTB). You may use | ||
|
||
TIP: gradlew build --refresh-keys | ||
|
||
To recreate the keys | ||
|
||
The verification-metadata.xml file contains 2 entries that can be set to true or false to check or ignore the 2 functionalities: | ||
|
||
IMPORTANT: <verify-metadata>true</verify-metadata> + | ||
<verify-signatures>true</verify-signatures> | ||
|
||
|
||
Finally, you may refer to https://issues.apache.org/jira/browse/OFBIZ-12186 for more information. |
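Review bot: The paragraph starting "Currently the status is it's incomplete in OFBiz" tells the reader that 6 keys fail PGP verification and that checksums were generated for those artifacts instead, but does not say what to do about it; a generated checksum for an artifact whose signature could not be verified only pins whatever was downloaded at generation time, so the doc should ask the reader to locate the entries carrying the "PGP verification failed" comment in verification-metadata.xml and confirm each of those artifacts against a trusted source before accepting the file, rather than only "in case of doubts". The text also has several typos worth fixing in the same hunk: "These command creates" should read "These commands create", "OK OTTB" should read "OK OOTB", "does not prevent the verification to work" should read "does not prevent verification from working", and the sentence ending "and the related keys" is missing its full stop. Finally, it would help to say that `<verify-metadata>` and `<verify-signatures>` live inside the `<configuration>` element of verification-metadata.xml, so readers know where to look.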
Binary file not shown.