purge gradle-witness until it is compatible with 'implementation'
https://github.com/signalapp/gradle-witness/issues/27
This commit is contained in:
Hans-Christoph Steiner
parent
518537f23a
commit
40fdccf262
|
|
@ -1,5 +1,4 @@
|
|||
apply plugin: 'com.android.application'
|
||||
apply plugin: 'witness'
|
||||
apply plugin: 'checkstyle'
|
||||
apply plugin: 'pmd'
|
||||
|
||||
|
|
@ -58,58 +57,6 @@ dependencies {
|
|||
androidTestImplementation 'com.android.support.test:rules:0.5'
|
||||
}
|
||||
|
||||
// generate using: `gradle -q calculateChecksums | sort -V`
|
||||
dependencyVerification {
|
||||
verify = [
|
||||
'android.arch.core:common:d34824b794bc92ff8f647a9bb13a7c73de920de5b47075b5d2c4f0770e9b8bfd',
|
||||
'android.arch.core:runtime:83400f7575bcfb8a2eeec64e05590f037bfaed1e56aa3a4214d20e55878445e3',
|
||||
'android.arch.lifecycle:common:614e31cfd33255dc4d5f5d8e62cfa6be2fbbc2a35643a79dc3ed008004c30807',
|
||||
'android.arch.lifecycle:livedata-core:14e57ff8ffb65a80c7e72d91f2076acccdaf2970f234c6261e03a6127eb5206b',
|
||||
'android.arch.lifecycle:runtime:094fd793924dd6a5136753e599ac8174a8147f4a401386b694ba7d818c223e2e',
|
||||
'android.arch.lifecycle:viewmodel:6407c93a5ea9850661dca42a0068d6f3deccefd7228ee69bae1c35d70cbc2557',
|
||||
'cc.mvdan.accesspoint:library:0837b38adb48b66bb1385adb6ade8ecce7002ad815c55abf13517c82193458ea',
|
||||
'ch.acra:acra:d2762968c448757a7d6acc9f141881d9632f664988e9723ece33b5f7c79f3bc9',
|
||||
'commons-io:commons-io:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474',
|
||||
'commons-net:commons-net:c25b0da668b3c5649f002d504def22d1b4cb30d206f05428d2fe168fa1a901c2',
|
||||
'com.android.support.constraint:constraint-layout-solver:fcb4c7d705754ca3d69b1b2c3caf445a425599fda8caabbcf855d98ea0663e4e',
|
||||
'com.android.support.constraint:constraint-layout:d490188709b7bb2f11609beadd7e5eb7538892f308828ec3ff261a74e6ecf47e',
|
||||
'com.android.support:animated-vector-drawable:59670473f6e98fda792f7bef25dd7292b0a3106031c7a5e30eb020bf26f077bd',
|
||||
'com.android.support:appcompat-v7:0c7808fbbc5838d831e32e3c0a6f84e1f2c981deb8f11e010650f2b57923a335',
|
||||
'com.android.support:cardview-v7:8ed955dd037d82a7b4bbcaedb4f896523c3e4c1bf3ca698ce807c350767a2886',
|
||||
'com.android.support:design:7225973f7ee03765008a9c2f17a40b154c6885169fef022276e811c926a2202c',
|
||||
'com.android.support:gridlayout-v7:2f5af33c4be1d3e4e3fa999323265718ac1a4c81df4c0373d6ce8901613b1671',
|
||||
'com.android.support:palette-v7:6d24037fb375c7884f878edeb88c812b87a05c69221513507ecea21c257d6314',
|
||||
'com.android.support:preference-v7:a1798a826b4097d00e49280f412b21af08f9bf1179c2e3838dc339d9f843416d',
|
||||
'com.android.support:recyclerview-v7:d735e4727878e99ef3980c10d15dc3468462fd509d4fb60cb8bd20b0f735085c',
|
||||
'com.android.support:support-annotations:3365960206c3d2b09e845f555e7f88f8effc8d2f00b369e66c4be384029299cf',
|
||||
'com.android.support:support-compat:880ce01ff5be42b233ff8ec0c61cefb7dc3dc9500fea9e24423214813ac27ea2',
|
||||
'com.android.support:support-core-ui:a3ae20e6d5dffba69ac97b99846d2738003af8563843d5f3c9dc4c35b4804241',
|
||||
'com.android.support:support-core-utils:61036832c54e8701aae954fc3bf96d1d80bf8d9dd531bff77d72def456ba087a',
|
||||
'com.android.support:support-fragment:ec72d6ac36a1a0e6523bbddba33d73ffad070b9b3dd246cc44d8727a41ddb5e6',
|
||||
'com.android.support:support-media-compat:55e9837dda88b74a8c812c63a78c63fd83c6c039a8c22d318492663a493585eb',
|
||||
'com.android.support:support-v4:4f41dfc3e89f2738e45c86264a85c0934d055ee8ebe2020e23c97f303b80a48b',
|
||||
'com.android.support:support-vector-drawable:1c0f421114cf4627cf208776d6eb4f76340c78b7e96fe6e12b3e6eb950caf1b9',
|
||||
'com.android.support:transition:c0765b2f3c78696567ec5b3f519d22da1e3df11ac994625adf4bb4dc571caacc',
|
||||
'com.ashokvarma.android:bottom-navigation-bar:f18d740e1777927ad761349298b5d4981cd9f6d2abe70f505abf415ae069baaa',
|
||||
'com.fasterxml.jackson.core:jackson-annotations:6b7802f6c22c09c4a92a2ebeb76e755c3c0a58dfbf419835fae470d89e469b86',
|
||||
'com.fasterxml.jackson.core:jackson-core:256ff34118ab292d1b4f3ee4d2c3e5e5f0f609d8e07c57e8ad1f51c46d4fbb46',
|
||||
'com.fasterxml.jackson.core:jackson-databind:4f74337b6d18664be0f5b15c6664b17aa3972c9c175092328b139b894ff66f19',
|
||||
'com.google.zxing:core:52dd6211bbaf4e600de693834d597e49707f3e6606e1f5d3740fbb8274466abe',
|
||||
'com.hannesdorfmann:adapterdelegates3:1b20d099d6e7afe57aceca13b713b386959d94a247c3c06a7aeb65b866ece02f',
|
||||
'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
|
||||
'eu.chainfire:libsuperuser:018344ff19ee94d252c14b4a503ee8b519184db473a5af83513f5837c413b128',
|
||||
'info.guardianproject.netcipher:netcipher:eeeb5d0d95ccfe176b4296cbd71a9a24c6efb0bab5c4025a8c6bc36abdddfc75',
|
||||
'info.guardianproject.panic:panic:a7ed9439826db2e9901649892cf9afbe76f00991b768d8f4c26332d7c9406cb2',
|
||||
'io.reactivex:rxandroid:35c1a90f8c1f499db3c1f3d608e1f191ac8afddb10c02dd91ef04c03a0a4bcda',
|
||||
'io.reactivex:rxjava:2c162afd78eba217cdfee78b60e85d3bfb667db61e12bc95e3cf2ddc5beeadf6',
|
||||
'org.bouncycastle:bcpkix-jdk15on:601d85cfbcef76a1cb77cbf755a6234a4ba1d4c02a98d9a81028d471f388694f',
|
||||
'org.bouncycastle:bcprov-jdk15on:1c31e44e331d25e46d293b3e8ee2d07028a67db011e74cb2443285aed1d59c85',
|
||||
'org.jmdns:jmdns:24e7e3a50a579136400e8c9b0750399eb3c7558918bdf52c0ffa5e0fa5aad503',
|
||||
'org.nanohttpd:nanohttpd:de864c47818157141a24c9acb36df0c47d7bf15b7ff48c90610f3eb4e5df0e58',
|
||||
'org.slf4j:slf4j-api:e56288031f5e60652c06e7bb6e9fa410a61231ab54890f7b708fc6adc4107c5b',
|
||||
]
|
||||
}
|
||||
|
||||
def isCi = "true".equals(System.getenv("CI"))
|
||||
def preDexEnabled = "true".equals(System.getProperty("pre-dex", "true"))
|
||||
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@ buildscript {
|
|||
}
|
||||
dependencies {
|
||||
classpath 'com.android.tools.build:gradle:3.1.1'
|
||||
classpath files('libs/gradle-witness.jar')
|
||||
}
|
||||
}
|
||||
allprojects {
|
||||
|
|
|
|||
|
|
@ -1,19 +0,0 @@
|
|||
Copyright (c) 2014 Open Whisper Systems
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
in the Software without restriction, including without limitation the rights
|
||||
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
||||
copies of the Software, and to permit persons to whom the Software is
|
||||
furnished to do so, subject to the following conditions:
|
||||
|
||||
The above copyright notice and this permission notice shall be included in
|
||||
all copies or substantial portions of the Software.
|
||||
|
||||
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
||||
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
||||
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
||||
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
||||
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
||||
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
||||
THE SOFTWARE.
|
||||
|
|
@ -1,127 +0,0 @@
|
|||
# Gradle Witness
|
||||
|
||||
A gradle plugin that enables static verification for remote dependencies.
|
||||
|
||||
Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An
|
||||
Android project might list dependencies like this:
|
||||
|
||||
dependency {
|
||||
compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
|
||||
compile 'com.android.support:support-v4:19.0.1'
|
||||
compile 'com.google.android.gcm:gcm-client:1.0.2'
|
||||
compile 'se.emilsjolander:stickylistheaders:2.2.0'
|
||||
}
|
||||
|
||||
This allows the sample Android project to very easily make use of versioned third party libraries like
|
||||
[ActionBarSherlock](http://actionbarsherlock.com/), or [StickyListHeaders](https://github.com/emilsjolander/StickyListHeaders).
|
||||
During the build process, gradle will automatically retrieve the libraries from the configured
|
||||
maven repositories and incorporate them into the build. This makes it easy to manage dependencies
|
||||
without having to check jars into a project's source tree.
|
||||
|
||||
## Dependency Problems
|
||||
|
||||
A "published" maven/gradle artifact [looks like this](https://github.com/WhisperSystems/maven/tree/master/gson/releases/org/whispersystems/gson/2.2.4):
|
||||
|
||||
gson-2.2.4.jar
|
||||
gson-2.2.4.jar.md5
|
||||
gson-2.2.4.jar.sha1
|
||||
gson-2.2.4.pom
|
||||
gson-2.2.4.pom.md5
|
||||
gson-2.2.4.pom.sha1
|
||||
|
||||
In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and
|
||||
sha1sum hash values for those files.
|
||||
|
||||
When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that
|
||||
they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is
|
||||
that if someone is able to compromise the remote maven repository and change the jar/aar for a
|
||||
dependency to include some malicious functionality, they could just as easily change the md5sum
|
||||
and sha1sum values the repository advertises as well.
|
||||
|
||||
## The Witness Solution
|
||||
|
||||
This gradle plugin simply allows the author of a project to statically specify the sha256sum of
|
||||
the dependencies that it uses. For our dependency example above, `gradle-witness` would allow
|
||||
the project to specify:
|
||||
|
||||
dependency {
|
||||
compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
|
||||
compile 'com.android.support:support-v4:19.0.1'
|
||||
compile 'com.google.android.gcm:gcm-client:1.0.2'
|
||||
compile 'se.emilsjolander:stickylistheaders:2.2.0'
|
||||
}
|
||||
|
||||
dependencyVerification {
|
||||
verify = [
|
||||
'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
|
||||
'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
|
||||
'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
|
||||
'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
|
||||
]
|
||||
}
|
||||
|
||||
The `dependency` definition is the same, but `gradle-witness` allows one to also specify a
|
||||
`dependencyVerification` definition as well. That definition should include a single list called
|
||||
`verify` with elements in the format of `group_id:name:sha256sum`.
|
||||
|
||||
At this point, running `gradle build` will first verify that all of the listed dependencies have
|
||||
the specified sha256sums. If there's a mismatch, the build is aborted. If the remote repository
|
||||
is later compromised, an attacker won't be able to undetectably modify these artifacts.
|
||||
|
||||
## Using Witness
|
||||
|
||||
Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that
|
||||
creates a bootstrapping problem. To use `gradle-witness`, the jar needs to be built and included
|
||||
in your project:
|
||||
|
||||
$ git clone https://github.com/WhisperSystems/gradle-witness.git
|
||||
$ cd gradle-witness
|
||||
$ gradle build
|
||||
$ cp build/libs/gradle-witness.jar /path/to/your/project/libs/gradle-witness.jar
|
||||
|
||||
Then in your project's `build.gradle`, the buildscript needs to add a `gradle-witness` dependency.
|
||||
It might look something like:
|
||||
|
||||
buildscript {
|
||||
repositories {
|
||||
mavenCentral()
|
||||
}
|
||||
dependencies {
|
||||
classpath 'com.android.tools.build:gradle:0.9.+'
|
||||
classpath files('libs/gradle-witness.jar')
|
||||
}
|
||||
}
|
||||
|
||||
apply plugin: 'witness'
|
||||
|
||||
At this point you can use `gradle-witness` in your project. If you're feeling "trusting on first
|
||||
use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies
|
||||
(and transitive dependencies!) for you:
|
||||
|
||||
$ gradle -q calculateChecksums
|
||||
|
||||
This will print the full `dependencyVerification` definition to include in the project's `build.gradle`.
|
||||
For a project that has a dependency definition like:
|
||||
|
||||
dependency {
|
||||
compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
|
||||
compile 'com.android.support:support-v4:19.0.1'
|
||||
compile 'com.google.android.gcm:gcm-client:1.0.2'
|
||||
compile 'se.emilsjolander:stickylistheaders:2.2.0'
|
||||
}
|
||||
|
||||
Running `gradle -q calculateChecksums` will print:
|
||||
|
||||
dependencyVerification {
|
||||
verify = [
|
||||
'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
|
||||
'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
|
||||
'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
|
||||
'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
|
||||
]
|
||||
}
|
||||
|
||||
...which you can then include directly below the `dependency` definition in the project's `build.gradle`.
|
||||
|
||||
And that's it! From then on, running a standard `gradle build` will verify the integrity of
|
||||
the project's dependencies.
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
apply plugin: 'groovy'
|
||||
|
||||
dependencies {
|
||||
compile gradleApi()
|
||||
compile localGroovy()
|
||||
}
|
||||
|
||||
sourceCompatibility = '1.7'
|
||||
targetCompatibility = '1.7'
|
||||
|
||||
|
|
@ -1,64 +0,0 @@
|
|||
package org.whispersystems.witness
|
||||
|
||||
import org.gradle.api.InvalidUserDataException
|
||||
import org.gradle.api.Plugin
|
||||
import org.gradle.api.Project
|
||||
import org.gradle.api.artifacts.ResolvedArtifact
|
||||
|
||||
import java.security.MessageDigest
|
||||
|
||||
class WitnessPluginExtension {
|
||||
List verify
|
||||
}
|
||||
|
||||
class WitnessPlugin implements Plugin<Project> {
|
||||
|
||||
static String calculateSha256(file) {
|
||||
MessageDigest md = MessageDigest.getInstance("SHA-256");
|
||||
file.eachByte 4096, {bytes, size ->
|
||||
md.update(bytes, 0, size);
|
||||
}
|
||||
return md.digest().collect {String.format "%02x", it}.join();
|
||||
}
|
||||
|
||||
void apply(Project project) {
|
||||
project.extensions.create("dependencyVerification", WitnessPluginExtension)
|
||||
project.afterEvaluate {
|
||||
project.dependencyVerification.verify.each {
|
||||
assertion ->
|
||||
List parts = assertion.tokenize(":")
|
||||
String group = parts.get(0)
|
||||
String name = parts.get(1)
|
||||
String hash = parts.get(2)
|
||||
|
||||
ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find {
|
||||
return it.name.equals(name) && it.moduleVersion.id.group.equals(group)
|
||||
}
|
||||
|
||||
println "Verifying " + group + ":" + name
|
||||
|
||||
if (dependency == null) {
|
||||
throw new InvalidUserDataException("No dependency for integrity assertion found: " + group + ":" + name)
|
||||
}
|
||||
|
||||
if (!hash.equals(calculateSha256(dependency.file))) {
|
||||
throw new InvalidUserDataException("Checksum failed for " + assertion)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
project.task('calculateChecksums') << {
|
||||
println "dependencyVerification {"
|
||||
println " verify = ["
|
||||
|
||||
project.configurations.compile.resolvedConfiguration.resolvedArtifacts.each {
|
||||
dep ->
|
||||
println " '" + dep.moduleVersion.id.group+ ":" + dep.name + ":" + calculateSha256(dep.file) + "',"
|
||||
}
|
||||
|
||||
println " ]"
|
||||
println "}"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
@ -1 +0,0 @@
|
|||
implementation-class=org.whispersystems.witness.WitnessPlugin
|
||||
Binary file not shown.
|
|
@ -1,6 +0,0 @@
|
|||
gradle-witness.jar was obtained by running `gradle build` inside the directory
|
||||
extern/gradle-witness/ in this repository. The source code for the groovy
|
||||
plugin and its license can be found there.
|
||||
|
||||
We must prebuild a jar for this plugin since gradle plugins can't be used
|
||||
directly from source.
|
||||
Loading…
Reference in New Issue