gradle/github-dependency-graph-gradle-plugin

Need guidance on how to set up dependency signature verification when using plugin

Closed this issue · 6 comments

Recently, several PGP keys have been used to sign plugin artifacts on plugins.gradle.org:

  • Versions < 0.4.1 are signed using PGP key 7B79ADD11F8A779FE90FD3D0893A028475557671
  • Versions 0.4.1 — 1.0.0 are signed using PGP key 314FE82E5A4C5377BCA2EDEC5208812E1E4A6DB0
  • Version 1.0.0 is signed using PGP key 7B79ADD11F8A779FE90FD3D0893A028475557671 again.

Also, this plugin is applied differently than other plugins, and the method of bootstrapping the dependency verification file with gradle --write-verification-metadata pgp,sha256 does not work here.

It would be great if there was a paragraph in the README with instructions on how to set up the verification metadata file when using this plugin in a project with dependency verification enabled (what should be in verification-metadata.xml?).

Thanks for the report. The PGP key used for signing was rotated for the 0.4.1 release, and the new key should have been used for all subsequent releases. The signing process is automated, and I don't understand why the old key was used to sign the 1.0.0 release yesterday.

I'll look into it.

When running this plugin on a bunch of open source repositories, I used -Dorg.gradle.dependency.verification=off as a workaround. It may work for you, but it disables the verification for all dependencies, so use with care.

Now I add both keys to the trusted-keys list:

<trusted-keys>
    <trusted-key id="314FE82E5A4C5377BCA2EDEC5208812E1E4A6DB0">
        <trusting group="com.gradle" name="gradle-enterprise-gradle-plugin"/>
        <trusting group="org.gradle" name="github-dependency-graph-gradle-plugin"/>
    </trusted-key>
    <trusted-key id="7B79ADD11F8A779FE90FD3D0893A028475557671">
        <trusting group="com.gradle" name="gradle-enterprise-gradle-plugin"/>
        <trusting group="org.gradle" name="github-dependency-graph-gradle-plugin"/>
    </trusted-key>
</trusted-keys>

This works, but I had doubts about the correctness of this approach due to key changes.

I'm confused. Using --write-verification-metadata pgp,sha256 seems to generate the correct dependency-verification.xml file when this plugin is loaded via an init-script.

The trusted key used with all versions from 1.0.0 onward is 7B79ADD11F8A779FE90FD3D0893A028475557671.

I've added a short section to the README about this.

Looks like this section got lost somewhere? I can't find it in the README.