diff --git a/app/build.gradle b/app/build.gradle
index dbf71223e..d1766e2d7 100644
--- a/app/build.gradle
+++ b/app/build.gradle
@@ -1,5 +1,4 @@
 apply plugin: 'com.android.application'
-apply plugin: 'witness'
 apply plugin: 'checkstyle'
 apply plugin: 'pmd'
 
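Review bot: Removing `apply plugin: 'witness'` here, together with the `dependencyVerification { verify = [...] }` block in the next hunk of app/build.gradle and `classpath files('libs/gradle-witness.jar')` in build.gradle, leaves no pinned SHA-256 for any resolved artifact, so the build now accepts whatever the configured repositories serve; the README deleted in this same commit describes exactly the repository-compromise scenario those pins were guarding against. Nothing in the diff adds a replacement, and the reason for the removal is not visible in this chunk, so the change reads as a regression in supply-chain integrity checking unless it is covered elsewhere. If the aim is only to stop vendoring the plugin, an equivalent pin can be kept with Gradle's built-in dependency verification (`gradle/verification-metadata.xml`) once the project is on a Gradle version that supports it; otherwise record the decision in the build file, e.g. `// NOTE: artifact checksum verification (gradle-witness) was removed; dependencies are accepted as served by the configured repositories.`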
@@ -58,58 +57,6 @@ dependencies {
 androidTestImplementation 'com.android.support.test:rules:0.5'
 }
-// generate using: `gradle -q calculateChecksums | sort -V`
-dependencyVerification {
- verify = [
- 'android.arch.core:common:d34824b794bc92ff8f647a9bb13a7c73de920de5b47075b5d2c4f0770e9b8bfd',
- 'android.arch.core:runtime:83400f7575bcfb8a2eeec64e05590f037bfaed1e56aa3a4214d20e55878445e3',
- 'android.arch.lifecycle:common:614e31cfd33255dc4d5f5d8e62cfa6be2fbbc2a35643a79dc3ed008004c30807',
- 'android.arch.lifecycle:livedata-core:14e57ff8ffb65a80c7e72d91f2076acccdaf2970f234c6261e03a6127eb5206b',
- 'android.arch.lifecycle:runtime:094fd793924dd6a5136753e599ac8174a8147f4a401386b694ba7d818c223e2e',
- 'android.arch.lifecycle:viewmodel:6407c93a5ea9850661dca42a0068d6f3deccefd7228ee69bae1c35d70cbc2557',
- 'cc.mvdan.accesspoint:library:0837b38adb48b66bb1385adb6ade8ecce7002ad815c55abf13517c82193458ea',
- 'ch.acra:acra:d2762968c448757a7d6acc9f141881d9632f664988e9723ece33b5f7c79f3bc9',
- 'commons-io:commons-io:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474',
- 'commons-net:commons-net:c25b0da668b3c5649f002d504def22d1b4cb30d206f05428d2fe168fa1a901c2',
- 'com.android.support.constraint:constraint-layout-solver:fcb4c7d705754ca3d69b1b2c3caf445a425599fda8caabbcf855d98ea0663e4e',
- 'com.android.support.constraint:constraint-layout:d490188709b7bb2f11609beadd7e5eb7538892f308828ec3ff261a74e6ecf47e',
- 'com.android.support:animated-vector-drawable:59670473f6e98fda792f7bef25dd7292b0a3106031c7a5e30eb020bf26f077bd',
- 'com.android.support:appcompat-v7:0c7808fbbc5838d831e32e3c0a6f84e1f2c981deb8f11e010650f2b57923a335',
- 'com.android.support:cardview-v7:8ed955dd037d82a7b4bbcaedb4f896523c3e4c1bf3ca698ce807c350767a2886',
- 'com.android.support:design:7225973f7ee03765008a9c2f17a40b154c6885169fef022276e811c926a2202c',
- 'com.android.support:gridlayout-v7:2f5af33c4be1d3e4e3fa999323265718ac1a4c81df4c0373d6ce8901613b1671',
- 'com.android.support:palette-v7:6d24037fb375c7884f878edeb88c812b87a05c69221513507ecea21c257d6314',
- 'com.android.support:preference-v7:a1798a826b4097d00e49280f412b21af08f9bf1179c2e3838dc339d9f843416d',
- 'com.android.support:recyclerview-v7:d735e4727878e99ef3980c10d15dc3468462fd509d4fb60cb8bd20b0f735085c',
- 'com.android.support:support-annotations:3365960206c3d2b09e845f555e7f88f8effc8d2f00b369e66c4be384029299cf',
- 'com.android.support:support-compat:880ce01ff5be42b233ff8ec0c61cefb7dc3dc9500fea9e24423214813ac27ea2',
- 'com.android.support:support-core-ui:a3ae20e6d5dffba69ac97b99846d2738003af8563843d5f3c9dc4c35b4804241',
- 'com.android.support:support-core-utils:61036832c54e8701aae954fc3bf96d1d80bf8d9dd531bff77d72def456ba087a',
- 'com.android.support:support-fragment:ec72d6ac36a1a0e6523bbddba33d73ffad070b9b3dd246cc44d8727a41ddb5e6',
- 'com.android.support:support-media-compat:55e9837dda88b74a8c812c63a78c63fd83c6c039a8c22d318492663a493585eb',
- 'com.android.support:support-v4:4f41dfc3e89f2738e45c86264a85c0934d055ee8ebe2020e23c97f303b80a48b',
- 'com.android.support:support-vector-drawable:1c0f421114cf4627cf208776d6eb4f76340c78b7e96fe6e12b3e6eb950caf1b9',
- 'com.android.support:transition:c0765b2f3c78696567ec5b3f519d22da1e3df11ac994625adf4bb4dc571caacc',
- 'com.ashokvarma.android:bottom-navigation-bar:f18d740e1777927ad761349298b5d4981cd9f6d2abe70f505abf415ae069baaa',
- 'com.fasterxml.jackson.core:jackson-annotations:6b7802f6c22c09c4a92a2ebeb76e755c3c0a58dfbf419835fae470d89e469b86',
- 'com.fasterxml.jackson.core:jackson-core:256ff34118ab292d1b4f3ee4d2c3e5e5f0f609d8e07c57e8ad1f51c46d4fbb46',
- 'com.fasterxml.jackson.core:jackson-databind:4f74337b6d18664be0f5b15c6664b17aa3972c9c175092328b139b894ff66f19',
- 'com.google.zxing:core:52dd6211bbaf4e600de693834d597e49707f3e6606e1f5d3740fbb8274466abe',
- 'com.hannesdorfmann:adapterdelegates3:1b20d099d6e7afe57aceca13b713b386959d94a247c3c06a7aeb65b866ece02f',
- 'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
- 'eu.chainfire:libsuperuser:018344ff19ee94d252c14b4a503ee8b519184db473a5af83513f5837c413b128',
- 'info.guardianproject.netcipher:netcipher:eeeb5d0d95ccfe176b4296cbd71a9a24c6efb0bab5c4025a8c6bc36abdddfc75',
- 'info.guardianproject.panic:panic:a7ed9439826db2e9901649892cf9afbe76f00991b768d8f4c26332d7c9406cb2',
- 'io.reactivex:rxandroid:35c1a90f8c1f499db3c1f3d608e1f191ac8afddb10c02dd91ef04c03a0a4bcda',
- 'io.reactivex:rxjava:2c162afd78eba217cdfee78b60e85d3bfb667db61e12bc95e3cf2ddc5beeadf6',
- 'org.bouncycastle:bcpkix-jdk15on:601d85cfbcef76a1cb77cbf755a6234a4ba1d4c02a98d9a81028d471f388694f',
- 'org.bouncycastle:bcprov-jdk15on:1c31e44e331d25e46d293b3e8ee2d07028a67db011e74cb2443285aed1d59c85',
- 'org.jmdns:jmdns:24e7e3a50a579136400e8c9b0750399eb3c7558918bdf52c0ffa5e0fa5aad503',
- 'org.nanohttpd:nanohttpd:de864c47818157141a24c9acb36df0c47d7bf15b7ff48c90610f3eb4e5df0e58',
- 'org.slf4j:slf4j-api:e56288031f5e60652c06e7bb6e9fa410a61231ab54890f7b708fc6adc4107c5b',
- ]
-}
-
 def isCi = "true".equals(System.getenv("CI"))
 def preDexEnabled = "true".equals(System.getProperty("pre-dex", "true"))
diff --git a/build.gradle b/build.gradle
index 1c945f068..f2cffbd5d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -11,7 +11,6 @@ buildscript {
 }
 dependencies {
 classpath 'com.android.tools.build:gradle:3.1.1'
- classpath files('libs/gradle-witness.jar')
 }
 }
 allprojects {
diff --git a/extern/gradle-witness/LICENSE b/extern/gradle-witness/LICENSE
deleted file mode 100644
index 9323adadf..000000000
--- a/extern/gradle-witness/LICENSE
+++ /dev/null
@@ -1,19 +0,0 @@
-Copyright (c) 2014 Open Whisper Systems
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.
diff --git a/extern/gradle-witness/README.md b/extern/gradle-witness/README.md
deleted file mode 100644
index 3fd82675d..000000000
--- a/extern/gradle-witness/README.md
+++ /dev/null
@@ -1,127 +0,0 @@
-# Gradle Witness
-
-A gradle plugin that enables static verification for remote dependencies.
-
-Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An
-Android project might list dependencies like this:
-
- dependency {
- compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
- compile 'com.android.support:support-v4:19.0.1'
- compile 'com.google.android.gcm:gcm-client:1.0.2'
- compile 'se.emilsjolander:stickylistheaders:2.2.0'
- }
-
-This allows the sample Android project to very easily make use of versioned third party libraries like
-[ActionBarSherlock](http://actionbarsherlock.com/), or [StickyListHeaders](https://github.com/emilsjolander/StickyListHeaders).
-During the build process, gradle will automatically retrieve the libraries from the configured
-maven repositories and incorporate them into the build. This makes it easy to manage dependencies
-without having to check jars into a project's source tree.
-
-## Dependency Problems
-
-A "published" maven/gradle artifact [looks like this](https://github.com/WhisperSystems/maven/tree/master/gson/releases/org/whispersystems/gson/2.2.4):
-
- gson-2.2.4.jar
- gson-2.2.4.jar.md5
- gson-2.2.4.jar.sha1
- gson-2.2.4.pom
- gson-2.2.4.pom.md5
- gson-2.2.4.pom.sha1
-
-In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and
-sha1sum hash values for those files.
-
-When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that
-they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is
-that if someone is able to compromise the remote maven repository and change the jar/aar for a
-dependency to include some malicious functionality, they could just as easily change the md5sum
-and sha1sum values the repository advertises as well.
-
-## The Witness Solution
-
-This gradle plugin simply allows the author of a project to statically specify the sha256sum of
-the dependencies that it uses. For our dependency example above, `gradle-witness` would allow
-the project to specify:
-
- dependency {
- compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
- compile 'com.android.support:support-v4:19.0.1'
- compile 'com.google.android.gcm:gcm-client:1.0.2'
- compile 'se.emilsjolander:stickylistheaders:2.2.0'
- }
-
- dependencyVerification {
- verify = [
- 'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
- 'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
- 'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
- 'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
- ]
- }
-
-The `dependency` definition is the same, but `gradle-witness` allows one to also specify a
-`dependencyVerification` definition as well. That definition should include a single list called
-`verify` with elements in the format of `group_id:name:sha256sum`.
-
-At this point, running `gradle build` will first verify that all of the listed dependencies have
-the specified sha256sums. If there's a mismatch, the build is aborted. If the remote repository
-is later compromised, an attacker won't be able to undetectably modify these artifacts.
-
-## Using Witness
-
-Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that
-creates a bootstrapping problem. To use `gradle-witness`, the jar needs to be built and included
-in your project:
-
- $ git clone https://github.com/WhisperSystems/gradle-witness.git
- $ cd gradle-witness
- $ gradle build
- $ cp build/libs/gradle-witness.jar /path/to/your/project/libs/gradle-witness.jar
-
-Then in your project's `build.gradle`, the buildscript needs to add a `gradle-witness` dependency.
-It might look something like:
-
- buildscript {
- repositories {
- mavenCentral()
- }
- dependencies {
- classpath 'com.android.tools.build:gradle:0.9.+'
- classpath files('libs/gradle-witness.jar')
- }
- }
-
- apply plugin: 'witness'
-
-At this point you can use `gradle-witness` in your project. If you're feeling "trusting on first
-use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies
-(and transitive dependencies!) for you:
-
- $ gradle -q calculateChecksums
-
-This will print the full `dependencyVerification` definition to include in the project's `build.gradle`.
-For a project that has a dependency definition like:
-
- dependency {
- compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
- compile 'com.android.support:support-v4:19.0.1'
- compile 'com.google.android.gcm:gcm-client:1.0.2'
- compile 'se.emilsjolander:stickylistheaders:2.2.0'
- }
-
-Running `gradle -q calculateChecksums` will print:
-
- dependencyVerification {
- verify = [
- 'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
- 'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
- 'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
- 'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
- ]
- }
-
-...which you can then include directly below the `dependency` definition in the project's `build.gradle`.
-
-And that's it! From then on, running a standard `gradle build` will verify the integrity of
-the project's dependencies.
diff --git a/extern/gradle-witness/build.gradle b/extern/gradle-witness/build.gradle
deleted file mode 100644
index 988a3bfcb..000000000
--- a/extern/gradle-witness/build.gradle
+++ /dev/null
@@ -1,10 +0,0 @@
-apply plugin: 'groovy'
-
-dependencies {
- compile gradleApi()
- compile localGroovy()
-}
-
-sourceCompatibility = '1.7'
-targetCompatibility = '1.7'
-
diff --git a/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy b/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy
deleted file mode 100644
index eb9123d7c..000000000
--- a/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy
+++ /dev/null
@@ -1,64 +0,0 @@
-package org.whispersystems.witness
-
-import org.gradle.api.InvalidUserDataException
-import org.gradle.api.Plugin
-import org.gradle.api.Project
-import org.gradle.api.artifacts.ResolvedArtifact
-
-import java.security.MessageDigest
-
-class WitnessPluginExtension {
- List verify
-}
-
-class WitnessPlugin implements Plugin {
-
- static String calculateSha256(file) {
- MessageDigest md = MessageDigest.getInstance("SHA-256");
- file.eachByte 4096, {bytes, size ->
- md.update(bytes, 0, size);
- }
- return md.digest().collect {String.format "%02x", it}.join();
- }
-
- void apply(Project project) {
- project.extensions.create("dependencyVerification", WitnessPluginExtension)
- project.afterEvaluate {
- project.dependencyVerification.verify.each {
- assertion ->
- List parts = assertion.tokenize(":")
- String group = parts.get(0)
- String name = parts.get(1)
- String hash = parts.get(2)
-
- ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find {
- return it.name.equals(name) && it.moduleVersion.id.group.equals(group)
- }
-
- println "Verifying " + group + ":" + name
-
- if (dependency == null) {
- throw new InvalidUserDataException("No dependency for integrity assertion found: " + group + ":" + name)
- }
-
- if (!hash.equals(calculateSha256(dependency.file))) {
- throw new InvalidUserDataException("Checksum failed for " + assertion)
- }
- }
- }
-
- project.task('calculateChecksums') << {
- println "dependencyVerification {"
- println " verify = ["
-
- project.configurations.compile.resolvedConfiguration.resolvedArtifacts.each {
- dep ->
- println " '" + dep.moduleVersion.id.group+ ":" + dep.name + ":" + calculateSha256(dep.file) + "',"
- }
-
- println " ]"
- println "}"
- }
- }
-}
-
diff --git a/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties b/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties
deleted file mode 100644
index dae767f67..000000000
--- a/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties
+++ /dev/null
@@ -1 +0,0 @@
-implementation-class=org.whispersystems.witness.WitnessPlugin
diff --git a/libs/gradle-witness.jar b/libs/gradle-witness.jar
deleted file mode 100644
index f68e2338f..000000000
Binary files a/libs/gradle-witness.jar and /dev/null differ
diff --git a/libs/gradle-witness.txt b/libs/gradle-witness.txt
deleted file mode 100644
index d21345450..000000000
--- a/libs/gradle-witness.txt
+++ /dev/null
@@ -1,6 +0,0 @@
-gradle-witness.jar was obtained by running `gradle build` inside the directory
-extern/gradle-witness/ in this repository. The source code for the groovy
-plugin and its license can be found there.
-
-We must prebuild a jar for this plugin since gradle plugins can't be used
-directly from source.