gradle dependency verification freaks out and stops verifying .pom files

I was quite happy to see that gradle added a nice dependency verification system, based on the property of the Maven Repository ecosystem: once a file is published, it should never change. That means that any given library version should have the same SHA-256 forever. So those can be bundled into a local file and then no matter where a JAR comes from, it’ll have the same SHA-256. Then PGP signatures can be used as a root of trust when including the SHA-256 for new versions or libraries.

So far, I was impressed: they made a tool to make it relatively easy to set up, and it seemed to verify everything, unlike the very limited capabilities of previous offerings like gradle-witness. But yesterday, the whole thing blew up in my face and refused to verify in an unchanged system, even when running on GitLab CI. It seems that the .pom files were deleted before they were verified. So I get errors like this:

Dependency verification is an incubating feature.

FAILURE: Build failed with an exception.

* What went wrong:
A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
  4 artifacts failed verification:
    - all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
    - jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
    - oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
    - oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
  This can indicate that a dependency has been compromised. Please carefully verify the checksums.
  
  Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1601466825911/dependency-verification-report.html

* Try:
Run with --stacktrace option to get the stack trace. Run with --info or --debug option to get more log output. Run with --scan to get full insights.

* Get more help at https://help.gradle.org

BUILD FAILED in 913ms

My workaround is to set <verify-metadata>false</verify-metadata>, which disables verifying the .pom files.
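As an added illustration (not code from this post or from Gradle itself), the script below mimics the pinning model described above on a constructed verification-metadata.xml: every artifact's SHA-256 is pinned, and verify-metadata decides whether .pom and .module files are checked at all. The component com.example:lib, the artifact bytes and the checksums are all constructed for the example; only the oss-parent-7.pom coordinates come from the error output above.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
POM_BYTES = b"<project><groupId>org.sonatype.oss</groupId><artifactId>oss-parent</artifactId></project>"  # constructed
JAR_BYTES = b"PK\x03\x04constructed-jar-contents"  # constructed, not a real archive

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sample_metadata(verify_metadata: bool) -> str:
    """Constructed verification-metadata.xml pinning one .pom and one .jar."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
<configuration><verify-metadata>{str(verify_metadata).lower()}</verify-metadata></configuration>
<components>
<component group="org.sonatype.oss" name="oss-parent" version="7">
<artifact name="oss-parent-7.pom"><sha256 value="{sha256_hex(POM_BYTES)}"/></artifact>
</component>
<component group="com.example" name="lib" version="1.0">
<artifact name="lib-1.0.jar"><sha256 value="{sha256_hex(JAR_BYTES)}"/></artifact>
</component>
</components>
</verification-metadata>"""

def load_pins(metadata_xml: str):
    """Return (verify_metadata flag, {(group, name, version, file): sha256})."""
    root = ET.fromstring(metadata_xml)
    flag = root.findtext("v:configuration/v:verify-metadata", "true", NS)
    pins = {}
    for comp in root.findall("v:components/v:component", NS):
        key = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("v:artifact", NS):
            digest = art.find("v:sha256", NS)
            if digest is not None:
                pins[key + (art.get("name"),)] = digest.get("value").lower()
    return flag.strip().lower() == "true", pins

def verify(metadata_xml: str, downloaded: dict) -> list:
    """Return keys (group, name, version, file) of downloaded artifacts that are unpinned
    or mismatch. With verify-metadata=false, .pom/.module files are not checked at all."""
    verify_metadata, pins = load_pins(metadata_xml)
    failures = []
    for key, data in downloaded.items():
        if not verify_metadata and key[3].endswith((".pom", ".module")):
            continue  # metadata files skipped: this is the coverage the workaround gives up
        if pins.get(key) != sha256_hex(data):
            failures.append(key)
    return failures
```

With verify-metadata set to false a modified .pom passes unnoticed while a modified .jar is still caught, which is the trade-off of the workaround.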
