[Security] Plugin descriptor pom.xml is not signed on Gradle Plugin portal #141
Comments
As you mention, the artifacts are signed, except for the plugin descriptor pom. I've checked both the Gradle Plugin Portal and Maven Central and the artifacts are signed with this key that is It seems like Gradle is not using this key server, or at least not for every key. You can specify to use that keyserver too. I've also uploaded my key to the openpgp keyserver. As for the plugin descriptor, I'll check if that can be fixed.

This only affects the signing of the plugin marker pom on the Gradle Plugin Portal. If you need a signed pom for current versions, make sure you use the

Let me try the changes you have made. Looks like several of the points you mention could be the cause. Looks like Gradle only recently started allowing signing plugins in their repository.

We are already using Maven Central as the first repository, so that must not be the issue.

I don't have the direct URLs handy here but the Maven Central repository has the pom.xml.asc with the signature for the plugin descriptor, while the Gradle Plugin Portal repo hasn't. This is strange because it's basically the same Maven publication, so either the signed pom.xml isn't there yet when the upload happens from CI, or it's ignored by the plugin portal. For the next release I'll try to test this. You might need to add Maven Central to your plugin repositories too if you haven't already. Since you get the "not signed" warning on the plugin descriptor pom, you must be getting the plugin from the plugin portal.
https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/
Gradle task
did not find a pgp public key in a remote repository or the artifact is not signed.
A fix is to: