Signing Plugin: SHA1 used when signing artifacts
We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.
Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a
.asc file containing the signature.
Before Gradle 6.0, the
signing plugin that created these
.asc files used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that
.asc file embeds its own digest and it is not related to checksum
Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
This vulnerability has been fixed in Gradle 6.0.
If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:
- Use gpg executable for signing, and ensure it defaults to strong digests. Gradle 5.x requires that you specify a signing key id via signing.gnupg.keyName property when using gpg executable (see #8657).
- Ask your users to check multiple checksums like SHA1 and MD5 (both are required by Maven Central). Although both of these hashing algorithms are considered cryptographically broken, creating a malicious file that matches both a published SHA1 and MD5 hash has not yet been publicly proven to have occurred yet.
- Publish stronger checksums like SHA256 or SHA512.
How do I check if an
.asc file is using SHA1?
You can use gpg or pgpdump utilities to verify if a given
.asc file is strong or not.
gpg, the following command prints "digest algo 2" when a SHA1 digest is used.
gpg --list-packets file.jar.asc
pgpdump, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.