
[Security] Repository is vulnerable to MavenGate #16

@Nek-12


https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

```shell
./gradlew --write-verification-metadata pgp,sha256 --export-keys
```

```xml
<component group="com.github.Commit451.coil-transformations" name="transformations" version="2.0.2">
   <artifact name="transformations-2.0.2.aar">
      <sha256 value="adbec226ce2c3a78b5e242e960971649b502cf3274aae421c48edd6bb94c7f56" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
   <artifact name="transformations-2.0.2.module">
      <sha256 value="58392a2a62b37ea8289a4633f9e4566c84ba5637806e6abbba87f14fac081aa4" origin="Generated by Gradle" reason="Artifact is not signed"/>
   </artifact>
</component>
```

Did not find a PGP public key in a remote repository, or the artifact is not signed.
A fix is to:

  1. Start signing all artifacts, if not signed yet
  2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/
