JDK-8262236: Configure Gradle checksum verification


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: P4
    • Resolution: Fixed
    • Affects Version/s: openjfx17
    • Fix Version/s: openjfx17
    • Component/s: javafx
    • CPU: generic
    • OS: generic

      Description

      The Gradle Wrapper can verify the downloaded distribution with a SHA-256 hash sum comparison, but the Wrapper in the OpenJFX repository is not configured to do so. See the section "Verification of downloaded Gradle distributions" at:

      The Gradle Wrapper
      https://docs.gradle.org/current/userguide/gradle_wrapper.html

      SYSTEM / OS / JAVA RUNTIME INFORMATION

      My particular system is Ubuntu 20.04.2 LTS with OpenJDK 11.

      ------------------------------------------------------------------------
      $ uname -srm
      Linux 5.4.0-65-generic x86_64

      $ getconf GNU_LIBC_VERSION
      glibc 2.31

      $ java --version
      openjdk 11.0.10 2021-01-19
      OpenJDK Runtime Environment (build 11.0.10+9-Ubuntu-0ubuntu1.20.04)
      OpenJDK 64-Bit Server VM (build 11.0.10+9-Ubuntu-0ubuntu1.20.04, mixed mode, sharing)
      ------------------------------------------------------------------------

      STEPS TO REPRODUCE

      Simulate a tampered Gradle distribution by modifying the 'gradle-6.3-bin.zip' file. Force the Gradle Wrapper to check the downloaded file by removing the 'gradle-6.3-bin.zip.ok' file.

      These files are found under my home directory in the locations shown below:

      ------------------------------------------------------------------------
      $ find .gradle -name "gradle-6.3-bin.zip*" | sort
      .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
      .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.lck
      .gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip.ok
      ------------------------------------------------------------------------

      I modified the JAR file without corrupting its archive by changing the sixth byte from '0x00' to '0x01' with the 'hexedit' program as follows:

      ------------------------------------------------------------------------
      Before: 50 4B 03 04 0A 00 00 08 ...
       After: 50 4B 03 04 0A 01 00 08 ...
      ------------------------------------------------------------------------

      EXPECTED RESULTS

      A tampered Gradle 6.3 distribution is detected:

      ------------------------------------------------------------------------
      $ bash gradlew --version
      Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/
        8tpu6egwsccjzp10c1jckl0rx/gradle-6.3
      Verification of Gradle distribution failed!

      Your Gradle distribution may have been tampered with.
      Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties
        file is correct and you are downloading the wrapper from a trusted source.

       Distribution Url: https://services.gradle.org/distributions/gradle-6.3-bin.zip
      Download Location: /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/8tpu6egwsccjzp10c1jckl0rx/gradle-6.3-bin.zip
      Expected checksum: '038794feef1f4745c6347107b6726279d1c824f3fc634b60f86ace1e9fbd1768'
        Actual checksum: '74a13e00995b49b2e7b1888818c24cd79f333dc12b21e07952796fc8b18e070f'
      ------------------------------------------------------------------------

      ACTUAL RESULT

      A tampered Gradle 6.3 distribution is not detected:

      ------------------------------------------------------------------------
      $ bash gradlew --version
      Deleting directory /home/ubuntu/.gradle/wrapper/dists/gradle-6.3-bin/
        8tpu6egwsccjzp10c1jckl0rx/gradle-6.3

      ------------------------------------------------------------
      Gradle 6.3
      ------------------------------------------------------------

      Build time: 2020-03-24 19:52:07 UTC
      Revision: bacd40b727b0130eeac8855ae3f9fd9a0b207c60

      Kotlin: 1.3.70
      Groovy: 2.5.10
      Ant: Apache Ant(TM) version 1.10.7 compiled on September 1 2019
      JVM: 11.0.10 (Ubuntu 11.0.10+9-Ubuntu-0ubuntu1.20.04)
      OS: Linux 5.4.0-65-generic amd64
      ------------------------------------------------------------------------

      SOURCE CODE FOR AN EXECUTABLE TEST CASE

      None.

      WORKAROUND

      To work around the problem, you could download the Gradle 6.3 distribution, verify its checksum manually, and use that instead of the Gradle Wrapper.

      You could also manually verify the distribution archive that was downloaded by the Gradle Wrapper, but that may be after it has already extracted and run the distribution.
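      Added example (not the report's or OpenJFX's own code) of the check the description refers to and of the fix it asks for: a constructed gradle-wrapper.properties with and without 'distributionSha256Sum', a constructed stand-in archive, and the same sixth-byte edit as in the steps above. The helper names and the properties keys other than the URL are assumptions.

```python
"""Added example (not from the bug report): the Gradle Wrapper's SHA-256 check with and without 'distributionSha256Sum'."""
import hashlib
import io
import zipfile

# Constructed gradle-wrapper.properties without the checksum property (the
# reported state); URL from the report, other keys are standard Wrapper keys.
PROPS_WITHOUT_SUM = """\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-6.3-bin.zip
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""

def parse_properties(text: str) -> dict:
    """Minimal Properties reader: key=value, '#' comments, Gradle's escaped colon."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def verify_distribution(archive: bytes, props: dict) -> str:
    """Wrapper's decision: no expected sum means no check at all (the bug)."""
    expected = props.get("distributionSha256Sum")
    if expected is None:
        return "unverified"
    actual = hashlib.sha256(archive).hexdigest()
    return "ok" if actual == expected.lower() else "tampered"

def build_sample_zip() -> bytes:
    """Tiny deterministic archive standing in for gradle-6.3-bin.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("gradle-6.3/bin/gradle", (2020, 3, 24, 0, 0, 0)), "#!/bin/sh\n")
    return buf.getvalue()

def tamper_sixth_byte(archive: bytes) -> bytes:
    """Repeat the report's edit: change the sixth byte, 'PK' signature intact."""
    return archive[:5] + bytes([archive[5] ^ 0x01]) + archive[6:]

def pinned_properties(archive: bytes) -> str:
    """The fix: pin the SHA-256 of a trusted copy in the properties file."""
    digest = hashlib.sha256(archive).hexdigest()
    return PROPS_WITHOUT_SUM + f"distributionSha256Sum={digest}\n"
```

      Without the property the tampered archive passes exactly as the untouched one does; with the pinned digest the same edit is reported as tampering.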

              People

              Assignee: John Neffenger (jgneff)
              Reporter: John Neffenger (jgneff)