
Example 1 with PublicKeyService

Use of org.gradle.security.internal.PublicKeyService in the gradle/gradle project.

From class DependencyVerifier, method doVerifyArtifact.

/**
 * Verifies one resolved artifact against the dependency-verification metadata and records
 * every failure on {@code builder}.
 *
 * <p>Two paths exist:
 * <ul>
 *   <li>The artifact is listed explicitly for its component: a missing signature is a failure
 *       only when signature verification is enabled; a present signature is always verified
 *       (there is no {@code isVerifySignatures()} check on that branch), and checksums are
 *       verified afterwards in every case that does not return early.</li>
 *   <li>The artifact is not listed: a present signature is verified with empty per-artifact
 *       key sets (so only whatever {@code allTrustedKeys}/{@code allIgnoredKeys} contribute on
 *       their own — presumably component- or build-wide trusted keys; verify against those
 *       helpers). A signature that is neither in error nor produced solely by ignored keys
 *       accepts the artifact with no checksum at all; anything else ends in
 *       {@link MissingChecksums}.</li>
 * </ul>
 *
 * <p>NOTE(review): on the unlisted-artifact path trust in a key therefore extends to every
 * artifact that key signs, with no per-artifact pin. That is inherent to the design, but it is
 * the branch to look at when reviewing which keys are globally trusted.
 *
 * @param foundArtifact                identifier of the resolved artifact (component + file name)
 * @param checksumService              used by {@code verifyChecksums}
 * @param signatureVerificationService used by {@code verifySignature}; also supplies the
 *                                     {@link PublicKeyService} used to render signature errors
 * @param file                         the downloaded artifact file
 * @param signature                    the detached signature file, or {@code null} if none was found
 * @param builder                      collects verification failures; several failures may be
 *                                     recorded for one artifact (e.g. missing signature and then
 *                                     a checksum failure) since most {@code failWith} calls do not
 *                                     return immediately
 */
private void doVerifyArtifact(ModuleComponentArtifactIdentifier foundArtifact, ChecksumService checksumService, SignatureVerificationService signatureVerificationService, File file, File signature, ArtifactVerificationResultBuilder builder) {
    PublicKeyService publicKeyService = signatureVerificationService.getPublicKeyService();
    // Metadata is keyed by the string form of the component identifier, not the artifact.
    ComponentVerificationMetadata componentVerification = verificationMetadata.get(toStringKey(foundArtifact.getComponentIdentifier()));
    if (componentVerification != null) {
        String foundArtifactFileName = foundArtifact.getFileName();
        List<ArtifactVerificationMetadata> verifications = componentVerification.getArtifactVerifications();
        for (ArtifactVerificationMetadata verification : verifications) {
            String verifiedArtifact = verification.getArtifactName();
            // Match on the exact file name; the first matching entry wins and the method returns from inside this branch.
            if (verifiedArtifact.equals(foundArtifactFileName)) {
                if (signature == null && config.isVerifySignatures()) {
                    // Recorded as a failure, but checksum verification below still runs.
                    builder.failWith(new MissingSignature(file));
                }
                if (signature != null) {
                    DefaultSignatureVerificationResultBuilder result = new DefaultSignatureVerificationResultBuilder(file, signature);
                    // Per-artifact trusted/ignored keys are merged with whatever the two helpers add on their own.
                    verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, verification.getTrustedPgpKeys()), allIgnoredKeys(verification.getIgnoredPgpKeys()), result);
                    if (result.hasOnlyIgnoredKeys()) {
                        // Signed only by keys the user chose to ignore: the signature cannot vouch
                        // for the file, so fall back to checksums — and fail a second time if
                        // the entry declares none.
                        builder.failWith(new OnlyIgnoredKeys(file));
                        if (verification.getChecksums().isEmpty()) {
                            builder.failWith(new MissingChecksums(file));
                            return;
                        } else {
                            verifyChecksums(checksumService, file, verification, builder);
                            return;
                        }
                    }
                    if (result.hasError()) {
                        // Bad signature, untrusted key, etc.; publicKeyService is used to describe the key in the error.
                        builder.failWith(result.asError(publicKeyService));
                        return;
                    }
                }
                // Reached when there is no signature, or the signature verified cleanly.
                // How verifyChecksums treats an entry with no declared checksums is not visible here.
                verifyChecksums(checksumService, file, verification, builder);
                return;
            }
        }
    }
    if (signature != null) {
        // it's possible that the artifact is not listed explicitly but we can still verify signatures
        DefaultSignatureVerificationResultBuilder result = new DefaultSignatureVerificationResultBuilder(file, signature);
        verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, Collections.emptySet()), allIgnoredKeys(Collections.emptySet()), result);
        if (result.hasError()) {
            builder.failWith(result.asError(publicKeyService));
            return;
        } else if (!result.hasOnlyIgnoredKeys()) {
            // Trusted signature on an unlisted artifact: accepted without any checksum.
            return;
        }
        // Only ignored keys signed it: treated like an unsigned, unlisted artifact below.
    }
    builder.failWith(new MissingChecksums(file));
}

Example 2 with PublicKeyService

Use of org.gradle.security.internal.PublicKeyService in the gradle/gradle project.

From class WriteDependencyVerificationFile, method exportKeyRingCollection.

/**
 * Resolves the given public key ids through {@code publicKeyService} and writes them, merged with
 * the rings already stored in the build-tree keyring files, to both the binary and the
 * ASCII-armored keyring file.
 *
 * @param publicKeyService service used to look up rings by long key id or fingerprint
 * @param keyrings         locations of the build-tree keyring files (read and then overwritten)
 * @param publicKeys       hex key ids; up to 16 hex chars is treated as a 64-bit long id,
 *                         anything longer as a full fingerprint
 * @throws IOException if reading or writing a keyring file fails
 */
private void exportKeyRingCollection(PublicKeyService publicKeyService, BuildTreeDefinedKeys keyrings, Set<String> publicKeys) throws IOException {
    // Rings already present are kept verbatim and come first in the exported files;
    // only rings not yet present are appended after them.
    List<PGPPublicKeyRing> alreadyExported = loadExistingKeyRing(keyrings);

    // The id format is decided purely by string length.
    // NOTE(review): an id shorter than 16 hex chars (e.g. a 32-bit short id) is still parsed
    // as a long id with its high bits zero, so it is unlikely to match the intended key;
    // nothing in this method reports an id that resolved to no ring.
    PGPPublicKeyRingListBuilder resolved = new PGPPublicKeyRingListBuilder();
    for (String requestedId : publicKeys) {
        if (requestedId.length() > 16) {
            publicKeyService.findByFingerprint(Fingerprint.fromString(requestedId).getBytes(), resolved);
        } else {
            publicKeyService.findByLongId(new BigInteger(requestedId, 16).longValue(), resolved);
        }
    }

    // Keep only rings that actually carry a public key and whose key-id set is not
    // already covered by an existing ring.
    List<PGPPublicKeyRing> additions = resolved.build().stream()
        .filter(WriteDependencyVerificationFile::hasAtLeastOnePublicKey)
        .filter(candidate -> !alreadyExported.stream().anyMatch(ring -> keyIds(ring).equals(keyIds(candidate))))
        .collect(Collectors.toList());

    ImmutableList<PGPPublicKeyRing> exported = ImmutableList.<PGPPublicKeyRing>builder()
        .addAll(alreadyExported)
        .addAll(additions)
        .build();

    // Both representations are written from the same merged list.
    File binaryFile = keyrings.getBinaryKeyringsFile();
    writeBinaryKeyringFile(binaryFile, exported);
    File armoredFile = keyrings.getAsciiKeyringsFile();
    writeAsciiArmoredKeyRingFile(armoredFile, exported);
    // The logged count is the number of rings, not of individual keys.
    LOGGER.lifecycle("Exported {} keys to {} and {}", exported.size(), binaryFile, armoredFile);
}

Example 3 with PublicKeyService

Use of org.gradle.security.internal.PublicKeyService in the gradle/gradle project.

From class DefaultSignatureVerificationServiceFactory, method create.

/**
 * Builds the signature verification service for one build tree.
 *
 * <p>Key lookup is either a caching, key-server-backed service or an empty one (no network
 * lookups at all); in both cases the build-tree keyrings are applied on top via
 * {@code keyrings.applyTo}. The result is wrapped in a cross-build cache keyed, among other
 * things, by a hash of the effective keyring file so that a changed keyring does not reuse
 * stale results (presumably — the cache's exact key is not visible here).
 *
 * @param keyrings      build-tree keyring definitions
 * @param keyServers    key server URIs to query when {@code useKeyServers} is true
 * @param useKeyServers whether network key lookups are allowed; when false, key refresh is forced
 * @return the verification service to use for this build
 */
@Override
public SignatureVerificationService create(BuildTreeDefinedKeys keyrings, List<URI> keyServers, boolean useKeyServers) {
    // Refresh is forced whenever key servers are disabled, on top of the factory-wide flag.
    boolean forceRefresh = !useKeyServers || this.refreshKeys;
    // Transport for key-server access. Only "https" is named here (the meaning of the two
    // string arguments is not visible in this file) and the redirect callback is a no-op.
    ExternalResourceRepository keyServerRepository = transportFactory.createTransport("https", "https", Collections.emptyList(), redirectLocations -> {
    }).getRepository();

    PublicKeyService lookup;
    if (!useKeyServers) {
        // No network lookups: only keys from the build-tree keyrings can be found.
        lookup = EmptyPublicKeyService.getInstance();
    } else {
        PublicKeyDownloadService downloads = new PublicKeyDownloadService(ImmutableList.copyOf(keyServers), keyServerRepository);
        lookup = new CrossBuildCachingKeyService(cacheRepository, decoratorFactory, buildOperationExecutor, downloads, timeProvider, forceRefresh);
    }
    lookup = keyrings.applyTo(lookup);

    // A missing keyring file maps to a fixed sentinel hash rather than being hashed.
    File keyringsFile = keyrings.getEffectiveKeyringsFile();
    HashCode keyringsHash = NO_KEYRING_FILE_HASH;
    if (keyringsFile != null && keyringsFile.exists()) {
        keyringsHash = fileHasher.hash(keyringsFile);
    }

    DefaultSignatureVerificationService verifier = new DefaultSignatureVerificationService(lookup);
    return new CrossBuildSignatureVerificationService(verifier, fileHasher, buildScopedCache, decoratorFactory, timeProvider, forceRefresh, useKeyServers, keyringsHash);
}
