Skip to content

Signing Plugin: SHA1 used when signing artifacts

big-guy published GHSA-mrm8-42q4-6rm7 Oct 1, 2019
Severity
low
Packages
Gradle (Java, Android, C/C++, Build Tooling)
Affected versions
< 6.0
Patched versions
6.0
CVE identifier
CVE-2019-16370

We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.

Impact

Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a .asc file containing the signature.

Before Gradle 6.0, the signing plugin that created these .asc files used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that .asc file embeds its own digest and it is not related to checksum .sha1 and .md5 files.

Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.

Patches

This vulnerability has been fixed in Gradle 6.0.

Workarounds

If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:

  • Use gpg executable for signing, and ensure it defaults to strong digests. Gradle 5.x requires that you specify a signing key id via signing.gnupg.keyName property when using gpg executable (see #8657).
  • Ask your users to check multiple checksums like SHA1 and MD5 (both are required by Maven Central). Although both of these hashing algorithms are considered cryptographically broken, creating a malicious file that matches both a published SHA1 and MD5 hash has not yet been publicly proven to have occurred yet.
  • Publish stronger checksums like SHA256 or SHA512.

How do I check if an .asc file is using SHA1?

You can use gpg or pgpdump utilities to verify if a given .asc file is strong or not.

Using gpg, the following command prints "digest algo 2" when a SHA1 digest is used.

gpg --list-packets file.jar.asc

Using pgpdump, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.

pgpdump file.jar.asc

For more information


You can’t perform that action at this time.