We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.
Impact
Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a .asc
file containing the signature.
Before Gradle 6.0, the signing
plugin that created these .asc
files used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that .asc
file embeds its own digest and it is not related to checksum .sha1
and .md5
files.
Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
Patches
This vulnerability has been fixed in Gradle 6.0.
Workarounds
If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:
- Use gpg executable for signing, and ensure it defaults to strong digests. Gradle 5.x requires that you specify a signing key id via signing.gnupg.keyName property when using gpg executable (see #8657).
- Ask your users to check multiple checksums like SHA1 and MD5 (both are required by Maven Central). Although both of these hashing algorithms are considered cryptographically broken, creating a malicious file that matches both a published SHA1 and MD5 hash has not yet been publicly proven to have occurred yet.
- Publish stronger checksums like SHA256 or SHA512.
How do I check if an .asc
file is using SHA1?
You can use gpg or pgpdump utilities to verify if a given .asc
file is strong or not.
Using gpg
, the following command prints "digest algo 2" when a SHA1 digest is used.
gpg --list-packets file.jar.asc
Using pgpdump
, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.
For more information
We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.
Impact
Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a
.asc
file containing the signature.Before Gradle 6.0, the
signing
plugin that created these.asc
files used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that.asc
file embeds its own digest and it is not related to checksum.sha1
and.md5
files.Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
Patches
This vulnerability has been fixed in Gradle 6.0.
Workarounds
If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:
How do I check if an
.asc
file is using SHA1?You can use gpg or pgpdump utilities to verify if a given
.asc
file is strong or not.Using
gpg
, the following command prints "digest algo 2" when a SHA1 digest is used.Using
pgpdump
, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.For more information