PGP key used for POM cannot be verified
Reference: https://docs.gradle.org/6.2/userguide/dependency_verification.html
build.gradle:
plugins {
    id 'de.thetaphi.forbiddenapis' version '2.7'
}
wrapper.configure {
    gradleVersion = '6.2.1'
}
Execute:
$ ./gradlew --write-verification-metadata pgp,sha256 help
...
A verification file was generated but some problems were discovered:
- some artifacts aren't signed or the signature couldn't be retrieved.
- some signature verification failed. Checksums were generated for those artifacts but you MUST check if there's an actual problem. Look for entries with the following comment: PGP verification failed
gradle/verification-metadata.xml will now have the following entry:
<component group="de.thetaphi" name="forbiddenapis" version="2.7">
    ...
    <artifact name="forbiddenapis-2.7.pom">
        <ignored-keys>
            <ignored-key id="0186f8b24c5bc02c94a0e0e486f75e83e1ee085f" reason="PGP verification failed"/>
        </ignored-keys>
        <sha256 value="aab54d67ee6c7e23c8fc98f7477621bac2742991a3ca00c5ee0625ecf0e136fe" origin="Generated by Gradle because PGP signature verification failed!"/>
    </artifact>
</component>
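The warning above says the generated checksum entries MUST be reviewed by a human. As an added example (not Gradle's own tooling, and not from the issue), the script below walks a verification-metadata.xml and lists every artifact that carries an ignored key with the "PGP verification failed" reason together with the fallback sha256, so the entries to audit can be pulled out of a large file in one pass. The embedded XML is constructed from the entry shown in the issue; the surrounding <verification-metadata>/<components> wrapper and its xmlns value are assumptions about the file layout, and the matching ignores namespaces so it works either way.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the entry shown in the issue (not a real generated file).
SAMPLE_METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="de.thetaphi" name="forbiddenapis" version="2.7">
      <artifact name="forbiddenapis-2.7.jar">
        <pgp value="0186f8b24c5bc02c94a0e0e486f75e83e1ee085f"/>
      </artifact>
      <artifact name="forbiddenapis-2.7.pom">
        <ignored-keys>
          <ignored-key id="0186f8b24c5bc02c94a0e0e486f75e83e1ee085f" reason="PGP verification failed"/>
        </ignored-keys>
        <sha256 value="aab54d67ee6c7e23c8fc98f7477621bac2742991a3ca00c5ee0625ecf0e136fe" origin="Generated by Gradle because PGP signature verification failed!"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

def _local(tag):
    # Strip the XML namespace so matching works with or without xmlns.
    return tag.rsplit("}", 1)[-1]

def find_pgp_fallbacks(xml_text, reason="PGP verification failed"):
    """One dict per artifact whose key was ignored for `reason`, i.e. relies on a generated checksum."""
    findings = []
    for comp in ET.fromstring(xml_text).iter():
        if _local(comp.tag) != "component":
            continue
        coords = "%s:%s:%s" % (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp:
            if _local(art.tag) != "artifact":
                continue
            keys, sha = [], None
            for child in art.iter():
                if _local(child.tag) == "ignored-key" and reason in (child.get("reason") or ""):
                    keys.append(child.get("id"))
                elif _local(child.tag) == "sha256":
                    sha = child.get("value")
            if keys:  # artifacts verified by PGP (the jar above) are not reported
                findings.append({"coordinates": coords, "artifact": art.get("name"),
                                 "keys": keys, "sha256": sha})
    return findings

if __name__ == "__main__":
    for f in find_pgp_fallbacks(SAMPLE_METADATA):
        print("REVIEW %s %s key=%s sha256=%s" % (f["coordinates"], f["artifact"], f["keys"][0], f["sha256"]))
```

Run it against gradle/verification-metadata.xml after --write-verification-metadata and compare each listed checksum against the publisher's own before committing the file.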
Issue Analytics
- Created 4 years ago
- Comments: 6 (4 by maintainers)
FYI, the GPG keyservers are sometimes returning errors (like HTTP error 504, Gateway Timeout); maybe Gradle wasn’t able to download it.
Thanks. That’s helpful.