Applying distributionSha256Sum to Gradle and Android Studio

Since I wrote about a Gradle Wrapper supply chain attack
a few times back, I decided to check back in on Android Studio's support for
distributionSha256Sum. And the good news is that with Android Studio Electric
Eel, it seems to work well… if you know the limitations.

Basic Setup

In your gradle/wrapper/gradle-wrapper.properties file, there is a
distributionUrl property that indicates what build of Gradle should be downloaded
and used for building your project:

distributionUrl=https://services.gradle.org/distributions/gradle-7.5-bin.zip

You can add distributionSha256Sum to gradle/wrapper/gradle-wrapper.properties as
well. You get the value for your target version of Gradle from the Gradle web site.
So, for example, for the Gradle 7.5 binary-only ZIP, you will find that the checksum
is cb87f222c5585bd46838ad4db78463a5c5f3d336e5e2b98dc7c0c586527351c2. So the matching
distributionSha256Sum line for the above distributionUrl line is:

distributionSha256Sum=cb87f222c5585bd46838ad4db78463a5c5f3d336e5e2b98dc7c0c586527351c2

This helps prevent a man-in-the-middle (MITM) attack that replaces the Gradle
ZIP file with one that has been modified. If Android Studio or the Gradle Wrapper
JAR file tries downloading the ZIP from distributionUrl, and the resulting
ZIP file does not have a SHA-256 checksum matching distributionSha256Sum,
Android Studio and Gradle will refuse to use it. Android Studio Electric Eel
will give you output akin to this in the Build tool window:

Verification of Gradle distribution failed!

Your Gradle distribution may have been tampered with.
Confirm that the 'distributionSha256Sum' property in your gradle-wrapper.properties file is correct and you are downloading the wrapper from a trusted source.

 Distribution Url: https://services.gradle.org/distributions/gradle-7.5-bin.zip
Download Location: /home/mmurphy/.gradle/wrapper/dists/gradle-7.5-bin/f1w0cc9nuo0eivz97x2xlu9sv/gradle-7.5-bin.zip
Expected checksum: '6b47b85e791fa422b9b78bdfab7672dd934ff973d6e781ba98d972e844d91754'
  Actual checksum: 'cb87f222c5585bd46838ad4db78463a5c5f3d336e5e2b98dc7c0c586527351c2'

That same message, minus the first line, will also be output by the Gradle Wrapper
JAR.

The Limitations

The big wrinkle with distributionSha256Sum is that it is checked only at the point
of downloading the Gradle version specified in the distributionUrl. If you
previously downloaded that version of Gradle successfully (such as via
a project that lacks distributionSha256Sum), no additional checks are made.
So, it is easy to think that distributionSha256Sum is not working, because
you add it to a project, put in an invalid checksum value to test… and the project
still builds. You need to clear out the already-downloaded Gradle distribution
first, forcing a fresh download. These are stored in ~/.gradle/wrapper/dists
on Linux and macOS (and presumably in an equivalent location on Windows).
This may be less of a problem for CI systems that use fresh containers on each
build.
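Because the wrapper verifies the ZIP only when it downloads it, a cached copy under ~/.gradle/wrapper/dists is never re-checked against the value in gradle-wrapper.properties. The script below is an added example (not code from the original post or from Gradle) that closes that gap from the build-host side: it reads the wrapper properties file described in the Basic Setup section, reports a missing or malformed distributionSha256Sum, and re-hashes whatever copies of the pinned distribution are already in the wrapper cache. The cache layout it assumes is the one visible in the error output above (dists/<distribution name>/<hash directory>/<distribution name>.zip); the ZIP bytes, the hash directory name and the properties text in demo() are constructed for the example, not real Gradle artifacts.

```python
"""Added example: audit gradle-wrapper.properties and re-verify the locally cached
Gradle distribution, which the wrapper itself only checks at download time."""
import hashlib
import re
import tempfile
from pathlib import Path

HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments,
    and the backslash escaping Gradle writes for ':' in distributionUrl."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def audit_properties(props: dict) -> list:
    """Return a list of problems with the wrapper configuration (empty list = OK)."""
    problems = []
    if not props.get("distributionUrl", "").startswith("https://"):
        problems.append("distributionUrl is missing or not https")
    digest = props.get("distributionSha256Sum")
    if digest is None:
        problems.append("distributionSha256Sum is absent: downloads are not pinned")
    elif not HEX64.match(digest.lower()):
        problems.append("distributionSha256Sum is not a 64-hex-digit SHA-256")
    return problems


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large distributions need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_cached_distribution(props: dict, dists_dir: Path) -> str:
    """Re-check every cached copy of the pinned distribution under dists_dir
    (normally ~/.gradle/wrapper/dists). Returns 'ok', 'mismatch', 'not-cached'
    or 'unpinned' (no distributionSha256Sum to compare against)."""
    expected = props.get("distributionSha256Sum", "").lower()
    if not expected:
        return "unpinned"
    name = props["distributionUrl"].rsplit("/", 1)[-1]   # e.g. gradle-7.5-bin.zip
    base = name[:-4] if name.endswith(".zip") else name  # e.g. gradle-7.5-bin
    cached = list((dists_dir / base).glob(f"*/{name}"))  # dists/<base>/<hash>/<name>
    if not cached:
        return "not-cached"
    return "ok" if all(sha256_of_file(p) == expected for p in cached) else "mismatch"


def demo() -> dict:
    """Build a constructed wrapper cache in a temp dir and run both checks.
    The ZIP bytes, hash directory and properties text are constructed, not real."""
    fake_zip = b"constructed bytes standing in for gradle-7.5-bin.zip"
    good_sum = hashlib.sha256(fake_zip).hexdigest()
    url_line = "distributionUrl=https\\://services.gradle.org/distributions/gradle-7.5-bin.zip\n"
    pinned = url_line + f"distributionSha256Sum={good_sum}\n"
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        dists = Path(tmp) / "wrapper" / "dists"
        cache = dists / "gradle-7.5-bin" / "constructedhashdir"
        cache.mkdir(parents=True)
        zip_path = cache / "gradle-7.5-bin.zip"
        zip_path.write_bytes(fake_zip)
        props = parse_properties(pinned)
        results["pinned_audit"] = audit_properties(props)
        results["pinned_cache"] = verify_cached_distribution(props, dists)
        results["unpinned_audit"] = audit_properties(parse_properties(url_line))
        # Simulate a cached ZIP that no longer matches the pin (the case the
        # wrapper never notices once the download has already happened).
        zip_path.write_bytes(fake_zip + b" tampered")
        results["tampered_cache"] = verify_cached_distribution(props, dists)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Pointed at a real project, you would call parse_properties() on gradle/wrapper/gradle-wrapper.properties and verify_cached_distribution() with Path.home() / ".gradle/wrapper/dists"; a "mismatch" result is the signal to delete that cache directory and let the wrapper download and verify afresh, and "unpinned" is the Android Studio template case discussed below.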

Also:

  • Android Studio templates do not supply distributionSha256Sum, which means
    you are unprotected right out of the box. If you have a new Android Studio version
    create a new project which uses a new Gradle version, since there is no
    distributionSha256Sum in the generated gradle-wrapper.properties file,
    there is no checksum check. And, even if you add
    distributionSha256Sum yourself manually later,
    you also have to manually clear out the previously-downloaded
    Gradle to force a checksum check. Since the SHA-256 hash is a known value for the
    associated distributionUrl, it would be really helpful if Android Studio's templates
    included it.

  • If you have Android Studio update your gradle-wrapper.properties file to
    point to a new Gradle version, it does not add distributionSha256Sum if you
    do not have it already. Similarly, if you have distributionSha256Sum in the
    gradle-wrapper.properties file already, when Android Studio changes
    distributionUrl, it does
    not change the associated distributionSha256Sum. You will get the error shown
    above and will need to change distributionSha256Sum manually.

Those limitations will hamper adoption of distributionSha256Sum. However,
it still feels like a useful defense, for those who are willing to work around those
limitations.