We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.
Impact
Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a .asc file containing the signature.
Before Gradle 6.0, the signing plugin that created these .asc files used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that .asc file embeds its own digest and it is not related to checksum .sha1 and .md5 files.
Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
Patches
This vulnerability has been fixed in Gradle 6.0.
Workarounds
If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:
- Use gpg executable for signing, and ensure it defaults to strong digests. Gradle 5.x requires that you specify a signing key id via signing.gnupg.keyName property when using gpg executable (see #8657).
- Ask your users to check multiple checksums like SHA1 and MD5 (both are required by Maven Central). Although both of these hashing algorithms are considered cryptographically broken, creating a malicious file that matches both a published SHA1 and MD5 hash has not yet been publicly proven to have occurred yet.
- Publish stronger checksums like SHA256 or SHA512.
How do I check if an .asc file is using SHA1?
You can use gpg or pgpdump utilities to verify if a given .asc file is strong or not.
Using gpg, the following command prints "digest algo 2" when a SHA1 digest is used.
gpg --list-packets file.jar.asc
Using pgpdump, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.
For more information
We want to thank Vladimir Sitnikov who originally reported this vulnerability to us and contributed a fix.
Impact
Users publishing to artifact servers like Maven Central are required to upload files signed with GPG/PGP and a
.ascfile containing the signature.Before Gradle 6.0, the
signingplugin that created these.ascfiles used a SHA1 digest, which is considered cryptographically broken and is known to be vulnerable to second-preimage attacks. Note that.ascfile embeds its own digest and it is not related to checksum.sha1and.md5files.Users who are concerned that their upstream artifact servers may be compromised use GPG/PGP signatures to verify that artifacts are legitimate. You can read more about this type of vulnerability at CWE-327: Use of a Broken or Risky Cryptographic Algorithm.
Patches
This vulnerability has been fixed in Gradle 6.0.
Workarounds
If you are unable to upgrade the version of Gradle you are using, you can consider doing the following:
How do I check if an
.ascfile is using SHA1?You can use gpg or pgpdump utilities to verify if a given
.ascfile is strong or not.Using
gpg, the following command prints "digest algo 2" when a SHA1 digest is used.Using
pgpdump, the following command prints "Hash alg - SHA1(hash 2)" when a SHA1 digest is used.For more information