purge gradle-witness until it is compatible with 'implementation'

https://github.com/signalapp/gradle-witness/issues/27
2018-04-23 12:28:57 +02:00 · 2018-04-23 12:28:57 +02:00 · 40fdccf262
commit 40fdccf262
parent 518537f23a
9 changed files with 0 additions and 281 deletions
--- a/app/build.gradle
+++ b/app/build.gradle
@ -1,5 +1,4 @@
 apply plugin: 'com.android.application'
 apply plugin: 'witness'
 apply plugin: 'checkstyle'
 apply plugin: 'pmd'
@ -58,58 +57,6 @@ dependencies {
    androidTestImplementation 'com.android.support.test:rules:0.5'
 }
 // generate using: `gradle -q calculateChecksums | sort -V`
 dependencyVerification {
    verify = [
            'android.arch.core:common:d34824b794bc92ff8f647a9bb13a7c73de920de5b47075b5d2c4f0770e9b8bfd',
            'android.arch.core:runtime:83400f7575bcfb8a2eeec64e05590f037bfaed1e56aa3a4214d20e55878445e3',
            'android.arch.lifecycle:common:614e31cfd33255dc4d5f5d8e62cfa6be2fbbc2a35643a79dc3ed008004c30807',
            'android.arch.lifecycle:livedata-core:14e57ff8ffb65a80c7e72d91f2076acccdaf2970f234c6261e03a6127eb5206b',
            'android.arch.lifecycle:runtime:094fd793924dd6a5136753e599ac8174a8147f4a401386b694ba7d818c223e2e',
            'android.arch.lifecycle:viewmodel:6407c93a5ea9850661dca42a0068d6f3deccefd7228ee69bae1c35d70cbc2557',
            'cc.mvdan.accesspoint:library:0837b38adb48b66bb1385adb6ade8ecce7002ad815c55abf13517c82193458ea',
            'ch.acra:acra:d2762968c448757a7d6acc9f141881d9632f664988e9723ece33b5f7c79f3bc9',
            'commons-io:commons-io:a10418348d234968600ccb1d988efcbbd08716e1d96936ccc1880e7d22513474',
            'commons-net:commons-net:c25b0da668b3c5649f002d504def22d1b4cb30d206f05428d2fe168fa1a901c2',
            'com.android.support.constraint:constraint-layout-solver:fcb4c7d705754ca3d69b1b2c3caf445a425599fda8caabbcf855d98ea0663e4e',
            'com.android.support.constraint:constraint-layout:d490188709b7bb2f11609beadd7e5eb7538892f308828ec3ff261a74e6ecf47e',
            'com.android.support:animated-vector-drawable:59670473f6e98fda792f7bef25dd7292b0a3106031c7a5e30eb020bf26f077bd',
            'com.android.support:appcompat-v7:0c7808fbbc5838d831e32e3c0a6f84e1f2c981deb8f11e010650f2b57923a335',
            'com.android.support:cardview-v7:8ed955dd037d82a7b4bbcaedb4f896523c3e4c1bf3ca698ce807c350767a2886',
            'com.android.support:design:7225973f7ee03765008a9c2f17a40b154c6885169fef022276e811c926a2202c',
            'com.android.support:gridlayout-v7:2f5af33c4be1d3e4e3fa999323265718ac1a4c81df4c0373d6ce8901613b1671',
            'com.android.support:palette-v7:6d24037fb375c7884f878edeb88c812b87a05c69221513507ecea21c257d6314',
            'com.android.support:preference-v7:a1798a826b4097d00e49280f412b21af08f9bf1179c2e3838dc339d9f843416d',
            'com.android.support:recyclerview-v7:d735e4727878e99ef3980c10d15dc3468462fd509d4fb60cb8bd20b0f735085c',
            'com.android.support:support-annotations:3365960206c3d2b09e845f555e7f88f8effc8d2f00b369e66c4be384029299cf',
            'com.android.support:support-compat:880ce01ff5be42b233ff8ec0c61cefb7dc3dc9500fea9e24423214813ac27ea2',
            'com.android.support:support-core-ui:a3ae20e6d5dffba69ac97b99846d2738003af8563843d5f3c9dc4c35b4804241',
            'com.android.support:support-core-utils:61036832c54e8701aae954fc3bf96d1d80bf8d9dd531bff77d72def456ba087a',
            'com.android.support:support-fragment:ec72d6ac36a1a0e6523bbddba33d73ffad070b9b3dd246cc44d8727a41ddb5e6',
            'com.android.support:support-media-compat:55e9837dda88b74a8c812c63a78c63fd83c6c039a8c22d318492663a493585eb',
            'com.android.support:support-v4:4f41dfc3e89f2738e45c86264a85c0934d055ee8ebe2020e23c97f303b80a48b',
            'com.android.support:support-vector-drawable:1c0f421114cf4627cf208776d6eb4f76340c78b7e96fe6e12b3e6eb950caf1b9',
            'com.android.support:transition:c0765b2f3c78696567ec5b3f519d22da1e3df11ac994625adf4bb4dc571caacc',
            'com.ashokvarma.android:bottom-navigation-bar:f18d740e1777927ad761349298b5d4981cd9f6d2abe70f505abf415ae069baaa',
            'com.fasterxml.jackson.core:jackson-annotations:6b7802f6c22c09c4a92a2ebeb76e755c3c0a58dfbf419835fae470d89e469b86',
            'com.fasterxml.jackson.core:jackson-core:256ff34118ab292d1b4f3ee4d2c3e5e5f0f609d8e07c57e8ad1f51c46d4fbb46',
            'com.fasterxml.jackson.core:jackson-databind:4f74337b6d18664be0f5b15c6664b17aa3972c9c175092328b139b894ff66f19',
            'com.google.zxing:core:52dd6211bbaf4e600de693834d597e49707f3e6606e1f5d3740fbb8274466abe',
            'com.hannesdorfmann:adapterdelegates3:1b20d099d6e7afe57aceca13b713b386959d94a247c3c06a7aeb65b866ece02f',
            'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
            'eu.chainfire:libsuperuser:018344ff19ee94d252c14b4a503ee8b519184db473a5af83513f5837c413b128',
            'info.guardianproject.netcipher:netcipher:eeeb5d0d95ccfe176b4296cbd71a9a24c6efb0bab5c4025a8c6bc36abdddfc75',
            'info.guardianproject.panic:panic:a7ed9439826db2e9901649892cf9afbe76f00991b768d8f4c26332d7c9406cb2',
            'io.reactivex:rxandroid:35c1a90f8c1f499db3c1f3d608e1f191ac8afddb10c02dd91ef04c03a0a4bcda',
            'io.reactivex:rxjava:2c162afd78eba217cdfee78b60e85d3bfb667db61e12bc95e3cf2ddc5beeadf6',
            'org.bouncycastle:bcpkix-jdk15on:601d85cfbcef76a1cb77cbf755a6234a4ba1d4c02a98d9a81028d471f388694f',
            'org.bouncycastle:bcprov-jdk15on:1c31e44e331d25e46d293b3e8ee2d07028a67db011e74cb2443285aed1d59c85',
            'org.jmdns:jmdns:24e7e3a50a579136400e8c9b0750399eb3c7558918bdf52c0ffa5e0fa5aad503',
            'org.nanohttpd:nanohttpd:de864c47818157141a24c9acb36df0c47d7bf15b7ff48c90610f3eb4e5df0e58',
            'org.slf4j:slf4j-api:e56288031f5e60652c06e7bb6e9fa410a61231ab54890f7b708fc6adc4107c5b',
    ]
 }
 def isCi = "true".equals(System.getenv("CI"))
 def preDexEnabled = "true".equals(System.getProperty("pre-dex", "true"))
--- a/build.gradle
+++ b/build.gradle
@ -11,7 +11,6 @@ buildscript {
    }
    dependencies {
        classpath 'com.android.tools.build:gradle:3.1.1'
        classpath files('libs/gradle-witness.jar')
    }
 }
 allprojects {
--- a/extern/gradle-witness/LICENSE
+++ b/extern/gradle-witness/LICENSE
@ -1,19 +0,0 @@
 Copyright (c) 2014 Open Whisper Systems 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
 The above copyright notice and this permission notice shall be included in
 all copies or substantial portions of the Software.
 THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
--- a/extern/gradle-witness/README.md
+++ b/extern/gradle-witness/README.md
@ -1,127 +0,0 @@
 # Gradle Witness
 A gradle plugin that enables static verification for remote dependencies.
 Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An
 Android project might list dependencies like this:
    dependency {
        compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
        compile 'com.android.support:support-v4:19.0.1'
        compile 'com.google.android.gcm:gcm-client:1.0.2'
        compile 'se.emilsjolander:stickylistheaders:2.2.0'
    }
 This allows the sample Android project to very easily make use of versioned third party libraries like
 [ActionBarSherlock](http://actionbarsherlock.com/), or [StickyListHeaders](https://github.com/emilsjolander/StickyListHeaders).
 During the build process, gradle will automatically retrieve the libraries from the configured
 maven repositories and incorporate them into the build.  This makes it easy to manage dependencies
 without having to check jars into a project's source tree.
 ## Dependency Problems
 A "published" maven/gradle artifact [looks like this](https://github.com/WhisperSystems/maven/tree/master/gson/releases/org/whispersystems/gson/2.2.4):
    gson-2.2.4.jar
    gson-2.2.4.jar.md5
    gson-2.2.4.jar.sha1
    gson-2.2.4.pom
    gson-2.2.4.pom.md5
    gson-2.2.4.pom.sha1
 In the remote directory, the artifact consists of a POM file and a jar or aar, along with md5sum and
 sha1sum hash values for those files.
 When gradle retrieves the artifact, it will also retrieve the md5sum and sha1sums to verify that
 they match the calculated md5sum and sha1sum of the retrieved files.  The problem, obviously, is 
 that if someone is able to compromise the remote maven repository and change the jar/aar for a 
 dependency to include some malicious functionality, they could just as easily change the md5sum
 and sha1sum values the repository advertises as well.
 ## The Witness Solution
 This gradle plugin simply allows the author of a project to statically specify the sha256sum of
 the dependencies that it uses.  For our dependency example above, `gradle-witness` would allow
 the project to specify:
    dependency {
        compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
        compile 'com.android.support:support-v4:19.0.1'
        compile 'com.google.android.gcm:gcm-client:1.0.2'
        compile 'se.emilsjolander:stickylistheaders:2.2.0'
    }
    dependencyVerification {
        verify = [
                'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
                'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
                'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
                'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
        ]
    }
 The `dependency` definition is the same, but `gradle-witness` allows one to also specify a
 `dependencyVerification` definition as well.  That definition should include a single list called
 `verify` with elements in the format of `group_id:name:sha256sum`.
 At this point, running `gradle build` will first verify that all of the listed dependencies have
 the specified sha256sums.  If there's a mismatch, the build is aborted.  If the remote repository
 is later compromised, an attacker won't be able to undetectably modify these artifacts.
 ## Using Witness
 Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that
 creates a bootstrapping problem.  To use `gradle-witness`, the jar needs to be built and included
 in your project:
    $ git clone https://github.com/WhisperSystems/gradle-witness.git
    $ cd gradle-witness
    $ gradle build
    $ cp build/libs/gradle-witness.jar /path/to/your/project/libs/gradle-witness.jar
 Then in your project's `build.gradle`, the buildscript needs to add a `gradle-witness` dependency.
 It might look something like:
    buildscript {
        repositories {
            mavenCentral()
        }
        dependencies {
            classpath 'com.android.tools.build:gradle:0.9.+'
            classpath files('libs/gradle-witness.jar')
        }
    }
    apply plugin: 'witness'
 At this point you can use `gradle-witness` in your project.  If you're feeling "trusting on first
 use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies
 (and transitive dependencies!) for you:
    $ gradle -q calculateChecksums
 This will print the full `dependencyVerification` definition to include in the project's `build.gradle`.
 For a project that has a dependency definition like:
    dependency {
        compile 'com.actionbarsherlock:actionbarsherlock:4.4.0@aar'
        compile 'com.android.support:support-v4:19.0.1'
        compile 'com.google.android.gcm:gcm-client:1.0.2'
        compile 'se.emilsjolander:stickylistheaders:2.2.0'
    }
 Running `gradle -q calculateChecksums` will print:
    dependencyVerification {
        verify = [
                'com.actionbarsherlock:actionbarsherlock:5ab04d74101f70024b222e3ff9c87bee151ec43331b4a2134b6cc08cf8565819',
                'com.android.support:support-v4:a4268abd6370c3fd3f94d2a7f9e6e755f5ddd62450cf8bbc62ba789e1274d585',
                'com.google.android.gcm:gcm-client:5ff578202f93dcba1c210d015deb4241c7cdad9b7867bd1b32e0a5f4c16986ca',
                'se.emilsjolander:stickylistheaders:89146b46c96fea0e40200474a2625cda10fe94891e4128f53cdb42375091b9b6',
        ]
    }
 ...which you can then include directly below the `dependency` definition in the project's `build.gradle`.
 And that's it! From then on, running a standard `gradle build` will verify the integrity of
 the project's dependencies.
--- a/extern/gradle-witness/build.gradle
+++ b/extern/gradle-witness/build.gradle
@ -1,10 +0,0 @@
 apply plugin: 'groovy'
 dependencies {
    compile gradleApi()
    compile localGroovy()
 }
 sourceCompatibility = '1.7'
 targetCompatibility = '1.7'
--- a/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy
+++ b/extern/gradle-witness/src/main/groovy/org/whispersystems/witness/WitnessPlugin.groovy
@ -1,64 +0,0 @@
 package org.whispersystems.witness
 import org.gradle.api.InvalidUserDataException
 import org.gradle.api.Plugin
 import org.gradle.api.Project
 import org.gradle.api.artifacts.ResolvedArtifact
 import java.security.MessageDigest
 class WitnessPluginExtension {
    List verify
 }
 class WitnessPlugin implements Plugin<Project> {
    static String calculateSha256(file) {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        file.eachByte 4096, {bytes, size ->
            md.update(bytes, 0, size);
        }
        return md.digest().collect {String.format "%02x", it}.join();
    }
    void apply(Project project) {
        project.extensions.create("dependencyVerification", WitnessPluginExtension)
        project.afterEvaluate {
            project.dependencyVerification.verify.each {
                assertion ->
                    List  parts  = assertion.tokenize(":")
                    String group = parts.get(0)
                    String name  = parts.get(1)
                    String hash  = parts.get(2)
                    ResolvedArtifact dependency = project.configurations.compile.resolvedConfiguration.resolvedArtifacts.find {
                        return it.name.equals(name) && it.moduleVersion.id.group.equals(group)
                    }
                    println "Verifying " + group + ":" + name
                    if (dependency == null) {
                        throw new InvalidUserDataException("No dependency for integrity assertion found: " + group + ":" + name)
                    }
                    if (!hash.equals(calculateSha256(dependency.file))) {
                        throw new InvalidUserDataException("Checksum failed for " + assertion)
                    }
            }
        }
        project.task('calculateChecksums') << {
            println "dependencyVerification {"
            println "    verify = ["
            project.configurations.compile.resolvedConfiguration.resolvedArtifacts.each {
                dep ->
                    println "        '" + dep.moduleVersion.id.group+ ":" + dep.name + ":" + calculateSha256(dep.file) + "',"
            }
            println "    ]"
            println "}"
        }
    }
 }
--- a/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties
+++ b/extern/gradle-witness/src/main/resources/META-INF/gradle-plugins/witness.properties
@ -1 +0,0 @@
 implementation-class=org.whispersystems.witness.WitnessPlugin
--- a/libs/gradle-witness.jar
+++ b/libs/gradle-witness.jar
--- a/libs/gradle-witness.txt
+++ b/libs/gradle-witness.txt
@ -1,6 +0,0 @@
 gradle-witness.jar was obtained by running `gradle build` inside the directory
 extern/gradle-witness/ in this repository. The source code for the groovy
 plugin and its license can be found there.
 We must prebuild a jar for this plugin since gradle plugins can't be used
 directly from source.
		`@ -1 +0,0 @@`
			`implementation-class=org.whispersystems.witness.WitnessPlugin`