Lazy illegal signing of snapshot module

Prior to this change, configuring signing in the build would always fail.

It now fails only if signing effectively happens.

    • -0
    • +34
    ./gradle/plugins/signing/InvalidSignature.java
  1. … 1 more file in changeset.
Make it impossible to sign GMM file if snapshot

This commit, hopefully temporarily, makes it impossible to sign a Gradle Module Metadata file if the version is a snapshot. The reason is that the signature which would be produced would be for the raw, unmodified module file. However, the final file would be modified in case of a snapshot to include the timestamp version instead of the `-SNAPSHOT` version for artifacts, which means that the signature wouldn't match anymore.

To avoid this, we simply disallow signing in this case.

  1. … 1 more file in changeset.
Remove deprecated APIs

Remove use of deprecated API

Remove use of deprecated APIs in PluginBuilder

Replace use of archiveName with archiveFileName

Avoid more deprecated APIs

  1. … 64 more files in changeset.
Explicitly expect auto-tested samples to use deprecated APIs

  1. … 3 more files in changeset.
Merge branch 'inmem-subkey-signing' of https://github.com/szhem/gradle

* 'inmem-subkey-signing' of https://github.com/szhem/gradle:

Annotating additional useInMemoryPgpKeys that accepts keyId with @since 6.0 to respect binary compatibility checks Issue: #10363

Adding integration tests for samples which use in-memory signing subkeys Issue: #10363

Updating user guide to respect information about in-memory signing subkeys Issue: #10363

Added git issue number to the integration test according to the contribution guide Issue: #10363

Updating docs in order to show how to use in-memory subkeys Issue: #10363

Reverting back comments of useInMemoryPgpKeys Issue: #10363

Supporting in-memory signing subkeys Issue: #10363

  1. … 1 more file in changeset.
Fix some lgtm alerts

  1. … 11 more files in changeset.
signing plugin: use SHA512 instead of SHA1 when signing artifacts

PGP signs a digest, so MITM is still possible provided an attacker can update the artifact in such a way that its SHA1 is intact.

Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930

Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>

De-incubate signing pre-5.0

Fix the "signing" plugin wrt maven plugin deprecation

  1. … 4 more files in changeset.
Annotating additional useInMemoryPgpKeys that accepts keyId with @since 6.0 to respect binary compatibility checks Issue: #10363

Signed-off-by: Sergey Zhemzhitsky <szhemzhitski@gmail.com>

Reverting back comments of useInMemoryPgpKeys Issue: #10363

Signed-off-by: Sergey Zhemzhitsky <szhemzhitski@gmail.com>

Supporting in-memory signing subkeys Issue: #10363

Signed-off-by: Sergey Zhemzhitsky <szhemzhitski@gmail.com>

  1. … 1 more file in changeset.
Merge branch 'release'

  1. … 6 more files in changeset.
Merge remote-tracking branch 'origin/master-test' into release-test

  1. … 5 more files in changeset.
Deduplicate sign task inputs

Multiple inputs can be defined that point at the same file.

  1. … 2 more files in changeset.
Merge pull request #10292 from gradle/gh/deprecations/taskcontainer

Make deprecated task container methods an error

Remove references to task removal

  1. … 2 more files in changeset.
Make public type SignOperation abstract

    • -0
    • +22
    ./gradle/plugins/signing/internal/SignOperationInternal.java
  1. … 1 more file in changeset.
Remove deprecated methods: getInputFiles() and getOutputFiles()

  1. … 2 more files in changeset.
Sign task ignores missing files

This is a similar lenient behavior as in the publishing plugins.

Signing will now still work if Gradle Module Metadata was disabled by disabling the corresponding 'generateMetadataFileFor...' task.

  1. … 2 more files in changeset.