On 6/4/16 2:54 AM, Russel Winder wrote:
>
> For those who download and check signatures, SHA1 and MD5 are
> unreliable and provide very weak confidence.
>
> I am not sure what stance Gradle, Maven, and Ant take on signature
> checking; do they do any signature checking at all?
The only signature checking I know of in Gradle uses a SHA-256 hash to check the signature of Gradle itself when downloaded by the wrapper jar. I asked about this on the Gradle forum last October and am still waiting for a response:

https://discuss.gradle.org/t/jar-validation-via-hashes-or-signatures/12238

I don't think there is any hash checking included in Maven, but I'm generally a Gradle user.

WhisperSystems (who make Signal, a secure messaging app for Android) has created the Gradle Witness Plugin, which also uses SHA-256:

https://github.com/WhisperSystems/gradle-witness

bitcoinj (which is used to store private keys that can spend virtual currency) uses some custom rules (only SHA-1, unfortunately) for the Maven Enforcer Plugin:

https://github.com/gary-rowe/BitcoinjEnforcerRules
http://maven.apache.org/enforcer/maven-enforcer-plugin/

(Note: there is some talk on the bitcoinj mailing list about switching to Gradle.)

It would be great to see Groovy releases publish SHA-256 hashes that can be checked with the Gradle Witness Plugin (or perhaps upgraded SHA-256 rules for Maven enforcer).

-- Sean
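As an added example (not part of the thread, and not code from Gradle, Maven or the Gradle Witness Plugin), the check below is what a release consumer does by hand when a project publishes SHA-256 digests: compute the digest of the downloaded artifact and compare it with the value obtained out of band. It deliberately refuses digests that are not 64 hex characters long, so a 32-character MD5 or 40-character SHA-1 value cannot be passed in by mistake, which is the weakness the thread is discussing. The sample file and its digest are constructed inline; the function names are my own.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a SHA-256 digest
# obtained out of band (release page, signed announcement), refusing
# shorter MD5/SHA-1 digests. Not part of the original thread.

# Compute the SHA-256 of a file; works with GNU coreutils (sha256sum)
# and with BSD/macOS (shasum -a 256).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX
#   returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive)
#   returns 1 on a digest mismatch (or unreadable file)
#   returns 2 when EXPECTED_HEX is not a 64-hex-character SHA-256 digest,
#             e.g. a 32-char MD5 or 40-char SHA-1 value
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*)
            echo "refusing digest containing non-hex characters" >&2
            return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "refusing digest of length ${#expected}; SHA-256 is 64 hex chars" >&2
        return 2
    fi
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Stand-alone demonstration on a constructed artifact: a file containing
# "hello\n", whose SHA-256 is the well-known value below.
demo_file=$(mktemp)
printf 'hello\n' > "$demo_file"
demo_digest=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

if verify_sha256 "$demo_file" "$demo_digest"; then
    echo "artifact accepted"
fi
# An MD5-length value is refused outright rather than silently compared.
if ! verify_sha256 "$demo_file" d41d8cd98f00b204e9800998ecf8427e; then
    echo "MD5-length digest rejected as expected"
fi
rm -f "$demo_file"
```

For a Gradle build the equivalent of this check for the Gradle distribution itself is the `distributionSha256Sum` property in `gradle-wrapper.properties`, which makes the wrapper refuse a distribution whose digest does not match; the manual check above is what you would apply to any other download, such as a Groovy release archive, once the project publishes SHA-256 values.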