
Add checksum-dependency-plugin to verify checksums and PGP signatures for dependency artifacts #9022

Closed
@vlsi vlsi commented Sep 8, 2019

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

First time contributor checklist

Contributor checklist

  • My contribution is fully baked and ready to be merged as is

Description

checksum-dependency-plugin is a superset of gradle-witness, and it makes it possible to increase the level of security.

Key features:

  • Gradle plugins can be verified (gradle-witness doesn't track plugins)
  • All Gradle configurations are supported (e.g. the java-library plugin is supported). checksum-dependency-plugin intercepts detached configurations as well (e.g. the ones that are created on demand)
  • PGP can be used for verification. PGP can be used with or without checksums. PGP makes it possible to detect and prevent issues like https://blog.autsoft.hu/a-confusing-dependency/

Even though CONTRIBUTING.md says PGP is our guide for what not to do, I still think PGP for dependency verification is an improvement over existing gradle-witness, and it does not really introduce PGP to the app itself.

Note: I have not removed gradle-witness yet, however this PR makes gradle-witness obsolete.

@vlsi

vlsi commented Sep 8, 2019

Note: the default configuration is satisfied if a dependency is signed with a relevant group PGP key.
Certain dependencies lack PGP signatures (e.g. aar files, for some reason); for those, checksum-dependency resorts to SHA-512.

@vlsi

vlsi commented Dec 24, 2019

Hi, I see the PR has not yet been reviewed.

You might be interested to know that Gradle 6.2 introduces in-core dependency verification.

It means you might consider upgrading Gradle and using in-core verification.

The documentation for the new feature can be reviewed here: gradle/gradle#11755

From what I know, Gradle would cover more cases compared with checksum-dependency-plugin. For instance, it will be able to verify the pom.xml files that are implicitly fetched by Gradle when resolving transitive dependencies, and probably other cases.

Some bits can be previewed in the current release candidates, release nightly builds and master nightly builds (see https://gradle.org/releases/).

It would be nice if you could preview the feature and provide your feedback.
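As an added illustration (not part of the PR, and not the plugin's own configuration format), here is a Gradle `verification-metadata.xml` for the in-core feature that expresses the same policy described in this thread: group-level PGP trust, with SHA-512 pinning for an artifact that ships without a signature. The group names, key fingerprint and hash values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration; coordinates, fingerprint and hashes are placeholders, not real values. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
   <configuration>
      <!-- Also verify the .pom / .module files Gradle fetches while resolving transitive dependencies -->
      <verify-metadata>true</verify-metadata>
      <!-- Check detached .asc signatures against the trusted keys listed below -->
      <verify-signatures>true</verify-signatures>
      <key-servers>
         <key-server uri="hkps://keys.openpgp.org"/>
      </key-servers>
      <trusted-keys>
         <!-- Group-level trust: any artifact in this group signed by this key passes without a checksum -->
         <trusted-key id="PLACEHOLDER_40_HEX_FINGERPRINT" group="org.example.signedlib"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- An .aar published without a PGP signature: fall back to pinning its SHA-512 -->
      <component group="org.example.unsigned" name="widget" version="1.2.3">
         <artifact name="widget-1.2.3.aar">
            <sha512 value="PLACEHOLDER_SHA512_HEX" origin="Checked by hand against the upstream release"/>
         </artifact>
         <artifact name="widget-1.2.3.pom">
            <sha512 value="PLACEHOLDER_SHA512_HEX"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap this file with `./gradlew --write-verification-metadata sha512,pgp help`, but the generated key ids and checksums only record what the repository served at that moment, so they still need to be reviewed against an independent source before being committed as trusted.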

@alan-signal

Interesting thank you, I'm keeping an eye on it.

@stale

stale bot commented Jan 26, 2022

Is this still relevant? If so, what is blocking it? Is there anything you can do to help move it forward?

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the wontfix label Jan 26, 2022
@stale stale bot closed this Feb 2, 2022