This repository has been archived on 13/Feb/2022. Language: Groovy. License: MIT License.


Gradle Witness

A gradle plugin that enables static verification for remote dependencies.

Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An Android project might list dependencies like this:

dependencies {
    compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
    compile 'com.android.support:support-v4:19.0.1'
    compile 'com.google.android.gcm:gcm-client:1.0.2'
    compile 'se.emilsjolander:stickylistheaders:2.2.0'
}

This allows the sample Android project to very easily make use of versioned third party libraries like ActionBarSherlock, or StickyListHeaders. During the build process, gradle will automatically retrieve the libraries from the configured maven repositories and incorporate them into the build. This makes it easy to manage dependencies without having to check jars into a project's source tree.

Dependency Problems

A "published" maven/gradle artifact looks like this:

gson-2.2.4.jar
gson-2.2.4.jar.md5
gson-2.2.4.jar.sha1
gson-2.2.4.pom
gson-2.2.4.pom.md5
gson-2.2.4.pom.sha1

In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and sha1sum hash values for those files.

When gradle retrieves the artifact, it also retrieves the .md5 and .sha1 files and checks that they match the md5sum and sha1sum it computes over the downloaded files. The problem, obviously, is that these checksums come from the same place as the artifact: if someone is able to compromise the remote maven repository and change the jar/aar for a dependency to include some malicious functionality, they can just as easily change the md5sum and sha1sum values the repository advertises as well.

The Witness Solution

This gradle plugin simply allows the author of a project to statically specify the sha256sum of the dependencies that it uses. For our dependency example above, gradle-witness would allow the project to specify:

dependencies {
    compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
    compile 'com.android.support:support-v4:19.0.1'
    compile 'com.google.android.gcm:gcm-client:1.0.2'
    compile 'se.emilsjolander:stickylistheaders:2.2.0'
}

dependencyVerification {
    verify = [
            'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
            'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
            'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
            'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
    ]
}

The dependency definition is unchanged; gradle-witness additionally lets the project specify a dependencyVerification definition. That definition should contain a single list called verify, whose elements have the format group_id:name:sha256sum.

At this point, running gradle build will first verify that all of the listed dependencies have the specified sha256sums. If there's a mismatch, the build is aborted. If the remote repository is later compromised, an attacker won't be able to undetectably modify these artifacts.

Using Witness

Unfortunately, it doesn't make sense to publish gradle-witness as an artifact, since that creates a bootstrapping problem. To use gradle-witness, the jar needs to be built and included in your project:

$ git clone https://github.com/WhisperSystems/gradle-witness.git
$ cd gradle-witness
$ gradle build
$ cp build/libs/gradle-witness.jar /path/to/your/project/libs/gradle-witness.jar

Then in your project's build.gradle, the buildscript needs to add a gradle-witness dependency. It might look something like:

buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:0.9.+'
        classpath files('libs/gradle-witness.jar')
    }
}

apply plugin: 'witness'

At this point you can use gradle-witness in your project. If you're feeling "trusting on first use," you can have gradle-witness calculate the sha256sum for all your project's dependencies (and transitive dependencies!) for you:

$ gradle -q calculateChecksums

This will print the full dependencyVerification definition to include in the project's build.gradle. For a project that has a dependency definition like:

dependencies {
    compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
    compile 'com.android.support:support-v4:19.0.1'
    compile 'com.google.android.gcm:gcm-client:1.0.2'
    compile 'se.emilsjolander:stickylistheaders:2.2.0'
}

Running gradle -q calculateChecksums will print:

dependencyVerification {
    verify = [
            'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
            'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
            'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
            'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
    ]
}

...which you can then include directly below the dependency definition in the project's build.gradle.

And that's it! From then on, running a standard gradle build will verify the integrity of the project's dependencies.
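The two steps described above, generating the verify list with calculateChecksums (trust on first use) and checking it on every build, as an added Python example that is not part of gradle-witness (the plugin itself is Groovy). The artifact bytes are constructed stand-ins for real jars, and the rule that a resolved dependency without a pin fails the check is this example's own choice, not a documented behaviour of the plugin.

```python
import hashlib

# Constructed stand-ins for resolved jar/aar bytes, keyed by group_id:name.
SAMPLE_ARTIFACTS = {
    "com.actionbarsherlock:actionbarsherlock": b"actionbarsherlock-4.4.0.aar (constructed bytes)",
    "se.emilsjolander:stickylistheaders": b"stickylistheaders-2.2.0.jar (constructed bytes)",
}
HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def calculate_checksums(artifacts: dict) -> list:
    """Trust-on-first-use step: one 'group_id:name:sha256sum' entry per resolved artifact."""
    return [f"{coord}:{sha256_hex(data)}" for coord, data in sorted(artifacts.items())]


def render_verification_block(entries: list) -> str:
    """Format the entries as the dependencyVerification block pasted into build.gradle."""
    lines = ["dependencyVerification {", "    verify = ["]
    lines += [f"            '{entry}'," for entry in entries]
    lines += ["    ]", "}"]
    return "\n".join(lines)


def verify_dependencies(entries: list, artifacts: dict) -> list:
    """Build-time check. Returns failure messages; an empty list means the build may proceed.
    Each pinned digest must match the resolved bytes, each pin must resolve, and (this
    example's own choice) each resolved artifact must be pinned, so nothing goes unverified."""
    failures, pinned = [], {}
    for entry in entries:
        parts = entry.split(":")  # group ids contain dots, never colons, so 3 parts exactly
        if len(parts) != 3 or len(parts[2]) != 64 or not set(parts[2]) <= HEX:
            failures.append(f"malformed verify entry: {entry!r}")
            continue
        pinned[f"{parts[0]}:{parts[1]}"] = parts[2]
    for coord, expected in pinned.items():
        if coord not in artifacts:
            failures.append(f"no resolved dependency for {coord}")
        elif sha256_hex(artifacts[coord]) != expected:
            failures.append(f"checksum mismatch for {coord}")
    failures += [f"unpinned dependency: {coord}" for coord in artifacts if coord not in pinned]
    return failures


if __name__ == "__main__":
    pins = calculate_checksums(SAMPLE_ARTIFACTS)
    print(render_verification_block(pins))
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["se.emilsjolander:stickylistheaders"] = b"modified after pinning"
    print(verify_dependencies(pins, tampered))  # ['checksum mismatch for se.emilsjolander:stickylistheaders']
```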
