We run Gradle builds on a central server that caches dependencies and even shares them between projects.
We are concerned that a malicious job could alter the dependencies of another, unsuspecting job.
Is there a way to verify the hash of the local copy against the copy on the dependency server we use?
Thanks!
Best answer
There is a good Gradle plugin, Gradle Witness, that addresses this problem.
When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is that if someone is able to compromise the remote maven repository and change the jar/aar for a dependency to include some malicious functionality, they could just as easily change the md5sum and sha1sum values the repository advertises as well.
This gradle plugin simply allows the author of a project to statically specify the sha256sum of the dependencies that it uses.
Also, take a look at this SO question about dependency authenticity; it may interest you as well.
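The core of the Witness approach, pinning a sha256 per dependency coordinate in the build and refusing anything that does not match, can be checked independently of the repository's own advertised checksums. The following is an added example, not code from the original question, the answer, or the Gradle Witness project: it walks a cache directory whose layout is assumed to be `<root>/<group>/<name>/<version>/<name>-<version>.jar` (a simplification of Gradle's real `modules-2/files-2.1` layout, which adds a hash directory), hashes every jar, and reports which artifacts match their pin, which have been altered after pinning, and which were never pinned at all. All artifact names, contents and hashes are constructed in the demo helper.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cache(cache_root: Path, pins: dict[str, str]) -> dict[str, list[str]]:
    """Compare every cached jar against a statically pinned sha256.

    `pins` maps "group:name:version" to the expected hex digest, mirroring the
    one-line-per-dependency style that Gradle Witness uses in the build file.
    Returns a report with three lists: "ok", "mismatch" and "unpinned".
    An unpinned artifact is reported rather than silently accepted, because a
    dependency nobody pinned is a dependency nobody is verifying.
    """
    report: dict[str, list[str]] = {"ok": [], "mismatch": [], "unpinned": []}
    for jar in sorted(cache_root.rglob("*.jar")):
        # Assumed layout: <root>/<group>/<name>/<version>/<file>.jar
        group, name, version = jar.relative_to(cache_root).parts[:3]
        coord = f"{group}:{name}:{version}"
        expected = pins.get(coord)
        if expected is None:
            report["unpinned"].append(coord)
        elif sha256_of(jar) == expected:
            report["ok"].append(coord)
        else:
            report["mismatch"].append(coord)
    return report


def build_demo_cache() -> tuple[Path, dict[str, str]]:
    """Construct a throwaway cache with one good, one tampered and one unpinned jar.

    The artifact coordinates and byte contents here are made up for the demo.
    """
    root = Path(tempfile.mkdtemp(prefix="gradle-cache-demo-"))
    artifacts = {
        "com.example:good-lib:1.0.0": b"constructed good jar bytes",
        "com.example:tampered-lib:2.3.1": b"constructed original jar bytes",
        "com.example:unpinned-lib:0.1.0": b"constructed jar nobody pinned",
    }
    pins: dict[str, str] = {}
    for coord, content in artifacts.items():
        group, name, version = coord.split(":")
        d = root / group / name / version
        d.mkdir(parents=True)
        (d / f"{name}-{version}.jar").write_bytes(content)
        if "unpinned" not in name:
            # Pin the hash of the artifact as it was when the project author reviewed it.
            pins[coord] = hashlib.sha256(content).hexdigest()
    # Simulate another job on the shared server overwriting a cached artifact after it was pinned.
    tampered = root / "com.example" / "tampered-lib" / "2.3.1" / "tampered-lib-2.3.1.jar"
    tampered.write_bytes(b"constructed original jar bytes plus an injected class")
    return root, pins


def run_demo() -> dict[str, list[str]]:
    """Build the demo cache, verify it, and return the report."""
    root, pins = build_demo_cache()
    return verify_cache(root, pins)


if __name__ == "__main__":
    for status, coords in run_demo().items():
        print(f"{status:9s} {coords}")
```

On a real shared cache the `pins` dictionary would be checked into the project alongside the build file (which is exactly where Witness keeps it), so a job that swaps a cached jar cannot also update the expected hash without a reviewable change to the repository.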
For "java - Gradle cache hash comparison against the repository", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/50983707/