
[Security] Plugin descriptor pom.xml is not signed on Gradle Plugin portal #141

Open
Nek-12 opened this issue Feb 2, 2024 · 5 comments · Fixed by #143

Comments


Nek-12 commented Feb 2, 2024

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

./gradlew --write-verification-metadata pgp,sha256 --export-keys

did not find a pgp public key in a remote repository or the artifact is not signed.

<component group="nl.littlerobots.vcu" name="plugin" version="0.8.3">
   <artifact name="plugin-0.8.3.jar">
      <sha256 value="2690b387c075400f5f9f37b0dae064bcd6589c9d0ce5c0a4f217e72c11ec7fab" origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
   </artifact>
   <artifact name="plugin-0.8.3.module">
      <sha256 value="2e7348d2410398cf98bb5e47d938d5ce71b852950ce7bd22f8f64c627a85d36f" origin="Generated by Gradle" reason="A key couldn't be downloaded"/>
   </artifact>
</component>
<component group="nl.littlerobots.version-catalog-update" name="nl.littlerobots.version-catalog-update.gradle.plugin" version="0.8.3">
   <artifact name="nl.littlerobots.version-catalog-update.gradle.plugin-0.8.3.pom">
      <sha256 value="5c3e08a859878658c9b944edc61b1fe6bd686f44c0ea32fe306e963c5ae42f1c" origin="Generated by Gradle" reason="Artifact is not signed">
         <also-trust value="92e803172f9f0b5ea3dc993102247b357c5d241f41f8823e24166f8ea652cf16"/>
      </sha256>
   </artifact>
</component>

A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/
Contributor

hvisser commented Feb 2, 2024

As you mention, the artifacts are signed, except for the plugin descriptor pom.

I've checked both the Gradle Plugin Portal and Maven Central and the artifacts are signed with this key that is published on the ubuntu keyserver https://keyserver.ubuntu.com/pks/lookup?search=3FCFA3B530AFDCE3&fingerprint=on&op=index. This is a requirement for publishing on Maven Central.

It seems like Gradle is not using this key server, or at least not for every key. You can specify to use that keyserver too. I've also uploaded my key to the openpgp keyserver.

As for the plugin descriptor, I'll check if that can be fixed.
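The generated metadata in the first comment shows two distinct failure reasons: a key that could not be fetched from the key servers Gradle queried, and a plugin-marker pom that carries no signature at all. The following gradle/verification-metadata.xml is an added example, not the issue author's file and not part of the version-catalog-update project: it names the key servers the maintainer's key is published on, trusts that key only for the nl.littlerobots groups, and keeps the unsigned marker pom pinned by checksum instead of exempting it from verification. The key id is the long id from the keyserver link above and the checksums are the values Gradle generated in the first comment; the schema version, the surrounding element layout and the decision to trust the key for exactly these two groups are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of gradle/verification-metadata.xml; not the project's own file. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>true</verify-signatures>
      <!-- Query the servers the key is actually published on (both named in this thread),
           so "A key couldn't be downloaded" no longer degrades to a bare checksum. -->
      <key-servers enabled="true">
         <key-server uri="https://keyserver.ubuntu.com"/>
         <key-server uri="https://keys.openpgp.org"/>
      </key-servers>
      <!-- Accept signatures from the maintainer's key, scoped to these groups only.
           3FCFA3B530AFDCE3 is the long id from the keyserver link in this thread;
           --write-verification-metadata writes the full 40-hex fingerprint, which is
           the preferred form. Scoping which groups this key is trusted for is an assumption. -->
      <trusted-keys>
         <trusted-key id="3FCFA3B530AFDCE3" group="nl.littlerobots.vcu"/>
         <trusted-key id="3FCFA3B530AFDCE3" group="nl.littlerobots.version-catalog-update"/>
      </trusted-keys>
      <!-- Deliberately no <trusted-artifacts> entry for the unsigned marker pom:
           that would skip verification for it entirely. It is pinned below instead. -->
   </configuration>
   <components>
      <!-- Plugin marker pom: unsigned on the Gradle Plugin Portal, so Gradle falls back
           to checksum verification for it. Values are the ones generated in the first
           comment; also-trust is what Gradle writes when it has already seen a second
           checksum for the same file. -->
      <component group="nl.littlerobots.version-catalog-update" name="nl.littlerobots.version-catalog-update.gradle.plugin" version="0.8.3">
         <artifact name="nl.littlerobots.version-catalog-update.gradle.plugin-0.8.3.pom">
            <sha256 value="5c3e08a859878658c9b944edc61b1fe6bd686f44c0ea32fe306e963c5ae42f1c" origin="Generated by Gradle" reason="Artifact is not signed">
               <also-trust value="92e803172f9f0b5ea3dc993102247b357c5d241f41f8823e24166f8ea652cf16"/>
            </sha256>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

With this file in place, re-running `./gradlew --write-verification-metadata pgp,sha256 --export-keys` lets Gradle fetch the key from the listed servers, fill in the remaining components and write the exported keyring next to the metadata (gradle/verification-keyring.keys), so the build no longer depends on key-server availability. The signed jar and module file then verify by signature, while the marker pom stays checksum-pinned until the portal publishes its .asc; a checksum pin detects a swapped artifact, but unlike a signature it does not prove who published it, which is why the unsigned pom is still worth reporting.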

@hvisser hvisser changed the title [Security] Repository is vulnerable to MavenGate [Security] Plugin descriptor pom.xml is not signed Feb 2, 2024
@hvisser hvisser changed the title [Security] Plugin descriptor pom.xml is not signed [Security] Plugin descriptor pom.xml is not signed on Gradle Plugin portal Feb 2, 2024
Contributor

hvisser commented Feb 2, 2024

This only affects the signing of the plugin marker pom on the Gradle Plugin Portal. If you need a signed pom for current versions, make sure you use the mavenCentral repository which has all artifacts signed correctly.

Author

Nek-12 commented Feb 2, 2024

Let me try the changes you have made. Looks like several of the points you mention could be the cause. Looks like Gradle only recently started allowing signing plugins in their repository.

Author

Nek-12 commented Feb 2, 2024

We are already using maven central as the first repository, so that must not be the issue.

Contributor

hvisser commented Feb 2, 2024

I don't have the direct URLs handy here but the maven central repository has the pom.xml.asc with the signature for the plugin descriptor, while the Gradle plugin portal repo hasn't. This is strange because it's basically the same maven publication so either the signed pom.xml isn't there yet when the upload happens from CI, or it's ignored by the plugin portal. For the next release I'll try to test this.

You might need to add maven central to your plugin repositories too if you haven't already. Since you get the not signed warning on the plugin descriptor pom, you must be getting the plugin from the plugin portal.
