
Signing: GnuPG key passphrase captured in INFO and DEBUG logs

Moderate
big-guy published GHSA-ww7h-4fx5-8c2j Jun 2, 2020

Package

Gradle (Java, Android, C/C++, Build Tooling)

Affected versions

4.5 through 6.4.x

Patched versions

6.5

Description

We want to thank Marcin Zajączkowski who originally reported this vulnerability to us.

Impact

Users who sign artifacts using the built-in signing plugin with gpg-agent may be affected. If you do not sign your artifacts, you are not affected.

At INFO and DEBUG log level, Gradle prints the full command line of every process it executes. When signing artifacts with gpg, Gradle runs the gpg or gpg2 command-line tool and passes the passphrase for the private key as a command-line argument. When INFO or DEBUG level logging is enabled, Gradle therefore inadvertently writes the passphrase into the build log, where anyone who can read that log (for example CI job output or archived build logs) can recover it.

Users signing artifacts with gpg-agent are vulnerable with Gradle 4.5 through Gradle 6.4.x.

Patches

This behavior has been patched in Gradle 6.5.

Workarounds

If you are unable to upgrade, there are a few possible workarounds or mitigations:

  1. Check that your CI system is masking your passphrase from logs
  2. Check that your CI system is not using INFO or DEBUG level logging (command-line flags -i/--info and -d/--debug, or org.gradle.logging.level in gradle.properties)
  3. Use the default Java implementation of PGP to sign your artifacts instead of gpg-agent (the in-process signatory does not spawn a gpg process, so no command line is logged)
  4. Fail the build if INFO or DEBUG level logging is used at the same time as signing

Fail the build when signing with INFO or DEBUG level

Groovy DSL:

// Runs once the task graph is resolved, i.e. when we know whether any
// Sign task is going to execute in this build.
gradle.taskGraph.whenReady { taskGraph ->
    if (taskGraph.allTasks.any { it instanceof Sign }) {
        // LogLevel is ordered DEBUG < INFO < LIFECYCLE < WARN < QUIET < ERROR,
        // so anything above INFO is safe.
        assert gradle.startParameter.logLevel > LogLevel.INFO :
            "Signing tasks can't be used with INFO or DEBUG logging"
    }
}

Kotlin DSL:

// Runs once the task graph is resolved; the receiver is the TaskExecutionGraph,
// so allTasks is available directly.
gradle.taskGraph.whenReady {
    if (allTasks.any { task -> task is Sign }) {
        // LogLevel is ordered DEBUG < INFO < LIFECYCLE < WARN < QUIET < ERROR,
        // so anything above INFO is safe.
        check(gradle.startParameter.logLevel > LogLevel.INFO) {
            "Signing tasks can't be used with INFO or DEBUG logging."
        }
    }
}
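Workarounds 1 and 2 ask you to check your CI configuration, but they say nothing about builds that already ran. The following is an added example (not code from the advisory or from the Gradle project) that does the two checks a practitioner would want after the fact: it decides whether a Gradle invocation would run at INFO or DEBUG level, and it scans a build log for a gpg command line carrying --passphrase so that a leaked passphrase can be identified and rotated. The log line format ("Starting process ... Command: gpg ...") and the sample log are assumptions constructed for the example, and the passphrase value in it is made up.

```python
"""Check Gradle invocations and build logs for the CVE-2020-13165 leak."""
import re
import shlex
from dataclasses import dataclass

# Command-line flags that select INFO/DEBUG logging, and the ones that
# explicitly select a quieter level (command-line flags win over gradle.properties).
VERBOSE_FLAGS = {"-i", "--info", "-d", "--debug"}
QUIET_FLAGS = {"-q", "--quiet", "-w", "--warn"}


def uses_verbose_logging(gradle_argv, gradle_properties):
    """True if this invocation would log process command lines (INFO or DEBUG).

    gradle_argv is the Gradle command line; gradle_properties is a dict of the
    effective gradle.properties (only org.gradle.logging.level is consulted).
    """
    if any(arg in VERBOSE_FLAGS for arg in gradle_argv):
        return True
    if any(arg in QUIET_FLAGS for arg in gradle_argv):
        return False
    level = gradle_properties.get("org.gradle.logging.level", "").strip().lower()
    return level in {"info", "debug"}


# Assumed shape of Gradle's INFO-level process-start line; only the part after
# "Command:" is parsed, so the prefix may vary without affecting the match.
GPG_CMD_RE = re.compile(r"Command:\s*(?P<cmd>(?:\S*/)?gpg2?\b.*)$")


@dataclass
class Leak:
    line_no: int        # 1-based line in the log
    passphrase: str     # the exposed value (rotate it)
    redacted_line: str  # the log line with the value masked, safe to report


def find_passphrase(args):
    """Return the value given to --passphrase in a gpg argv, or None.

    --passphrase-fd / --passphrase-file do not put the secret on the command
    line and are deliberately not treated as leaks.
    """
    for i, arg in enumerate(args):
        if arg == "--passphrase" and i + 1 < len(args):
            return args[i + 1]
        if arg.startswith("--passphrase="):
            return arg.split("=", 1)[1]
    return None


def scan_log(lines):
    """Find every gpg invocation in a build log that carries a plaintext passphrase."""
    leaks = []
    for line_no, line in enumerate(lines, 1):
        match = GPG_CMD_RE.search(line)
        if not match:
            continue
        try:
            args = shlex.split(match.group("cmd"))   # respects quoted arguments
        except ValueError:
            args = match.group("cmd").split()        # unbalanced quotes: best effort
        passphrase = find_passphrase(args)
        if passphrase is None:
            continue
        leaks.append(Leak(line_no, passphrase, line.replace(passphrase, "***")))
    return leaks


# Constructed sample log (not real Gradle output); line 2 is the leaking one.
SAMPLE_LOG = """\
> Task :signMavenJavaPublication
Starting process 'command 'gpg''. Working directory: /home/ci/project Command: gpg --batch --no-tty --yes --armor --passphrase hunter2-ci-key --detach-sign --output build/libs/app-1.0.jar.asc build/libs/app-1.0.jar
Successfully started process 'command 'gpg''
> Task :publish
Starting process 'command 'gpg''. Working directory: /home/ci/project Command: gpg --version
""".splitlines()


if __name__ == "__main__":
    print("verbose:", uses_verbose_logging(["gradle", "--info", "publish"], {}))
    for leak in scan_log(SAMPLE_LOG):
        print(f"line {leak.line_no}: passphrase exposed; rotate it. {leak.redacted_line}")
```

Run the scanner over archived CI logs for the affected Gradle versions; any hit means the passphrase (and, if the secret keyring was also reachable from the build environment, the key itself) should be treated as compromised, not merely masked going forward.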

For more information

  • For security related issues, please email us at security@gradle.com.
  • For non-security related issues, please open an issue on GitHub.

Severity

Moderate

CVE ID

CVE-2020-13165

Weaknesses

No CWEs

Credits