This allows the sample Android project to very easily make use of versioned third party libraries like
ActionBarSherlock, or StickyListHeaders.
During the build process, gradle will automatically retrieve the libraries from the configured
maven repositories and incorporate them into the build. This makes it easy to manage dependencies
without having to check jars into a project's source tree.
In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and
sha1sum hash values for those files.
When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that
they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is
that if someone is able to compromise the remote maven repository and change the jar/aar for a
dependency to include some malicious functionality, they could just as easily change the md5sum
and sha1sum values the repository advertises as well.
The Witness Solution
This gradle plugin simply allows the author of a project to statically specify the sha256sum of
the dependencies that it uses. For our dependency example above, gradle-witness would allow
the project to specify:
The dependency definition is the same, but gradle-witness allows one to also specify a
dependencyVerification definition as well. That definition should include a single list called
verify with elements in the format of group_id:name:sha256sum.
At this point, running gradle build will first verify that all of the listed dependencies have
the specified sha256sums. If there's a mismatch, the build is aborted. If the remote repository
is later compromised, an attacker won't be able to undetectably modify these artifacts.
Using Witness
Unfortunately, it doesn't make sense to publish gradle-witness as an artifact, since that
creates a bootstrapping problem. To use gradle-witness, the jar needs to be built and included
in your project:
At this point you can use gradle-witness in your project. If you're feeling "trusting on first
use," you can have gradle-witness calculate the sha256sum for all your project's dependencies
(and transitive dependencies!) for you:
$ gradle -q calculateChecksums
This will print the full dependencyVerification definition to include in the project's build.gradle.
For a project that has a dependency definition like:
请发表评论