Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8262236

Configure Gradle checksum verification

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: openjfx17
    • Fix Version/s: openjfx17
    • Component/s: javafx
    • Labels:
    • Subcomponent:
    • CPU:
      generic
    • OS:
      generic

      Backports

        Description

        The Gradle Wrapper can verify the downloaded distribution with a SHA-256 hash sum comparison, but the Wrapper in the OpenJFX repository is not configured to do so. See the section "Verification of downloaded Gradle distributions" at:

        The Gradle Wrapper
        https://docs.gradle.org/current/userguide/gradle_wrapper.html

        SYSTEM / OS / JAVA RUNTIME INFORMATION

        My particular system is Ubuntu 20.04.2 LTS with OpenJDK 11.

        ------------------------------------------------------------------------
        $ uname -srm
        Linux 5.4.0-65-generic x86_64

        $ getconf GNU_LIBC_VERSION
        glibc 2.31

        $ java --version
        openjdk 11.0.10 2021-01-19
        OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
        OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
        ------------------------------------------------------------------------

        STEPS TO REPRODUCE

        Simulate a tampered Gradle distribution by modifying the 'gradle-6.3-bin.zip' file. Force the Gradle Wrapper to check the downloaded file by removing the 'gradle-6.3-bin.zip.ok' file.

        These files are found under my home directory in the locations shown below:

        ------------------------------------------------------------------------
        $ find .gradle -name "gradle-6.3-bin.zip*" | sort
        .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
        .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.lck
        .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.ok
        ------------------------------------------------------------------------

        I modified the JAR file without corrupting its archive by changing the sixth byte from '0x00' to '0x01' with the 'hexedit' program as follows:

        ------------------------------------------------------------------------
        Before: 50 4B 03 04 0A 00 00 08 ...
         After: 50 4B 03 04 0A 01 00 08 ...
        ------------------------------------------------------------------------

        EXPECTED RESULTS

        A tampered Gradle 6.3 distribution is detected:

        ------------------------------------------------------------------------
        $ bash gradlew --version
        Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/
          8tpu6egwsccjzp10c1jckl0rx/gradle-6.3
        Verification of Gradle distribution failed!

        Your Gradle distribution may have been tampered with.
        Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties
          file is correct and you are downloading the wrapper from a trusted source.

         Distribution Url: https://services.gradle.org/distributions/gradle-6.3-bin.zip
        Download Location: /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
        Expected checksum: '038794feef1f4745c6347107b6726279d1c824f3fc634b60f86ace1e9fbd1768'
          Actual checksum: '74a13e00995b49b2e7b1888818c24cd79f333dc12b21e07952796fc8b18e070f'
        ------------------------------------------------------------------------

        ACTUAL RESULT

        A tampered Gradle 6.3 distribution is not detected:

        ------------------------------------------------------------------------
        $ bash gradlew --version
        Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/
          8tpu6egwsccjzp10c1jckl0rx/gradle-6.3

        ------------------------------------------------------------
        Gradle 6.3
        ------------------------------------------------------------

        Build time: 2020-03-24 19:52:07 UTC
        Revision: bacd40b727b0130eeac8855ae3f9fd9a0b207c60

        Kotlin: 1.3.70
        Groovy: 2.5.10
        Ant: Apache Ant(TM) version 1.10.7 compiled on September 1 2019
        JVM: 11.0.10 (Ubuntu 11.0.10+9-Ubuntu-0ubuntu1.20.04)
        OS: Linux 5.4.0-65-generic amd64
        ------------------------------------------------------------------------

        SOURCE CODE FOR AN EXECUTABLE TEST CASE

        None.

        WORKAROUND

        To work around the problem, you could download the Gradle 6.3 distribution, verify its checksum manually, and use that instead of the Gradle Wrapper.

        You could also manually verify the distribution archive that was downloaded by the Gradle Wrapper, but that may be after it has already extracted and run the distribution.

          Attachments

            Issue Links

              Activity

                People

                Assignee:
                jgneff John Neffenger
                Reporter:
                jgneff John Neffenger
                Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                  Dates

                  Created:
                  Updated:
                  Resolved: