Description
Describe the bug
The Android Gradle download (?) doesn’t seem to be verified:
FDroid Bot tells us the following:
gradle/wrapper/gradle-wrapper.properties is missing distributionSha256Sum.
This means that the gradle download is not verified.
We recommend explicitly setting the expected Sha256sum to protect you and your apps if a bad actor gets access to the Gradle servers or manages to MitM your internet connection.
Please note that Android Studio does not currently support this and may or may not crash, but we suggest you try our suggestion anyway to improve the security of yourself and your app.
Here is an example of how to fix this:
```properties
#Mon Aug 03 13:45:58 PDT 2020
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
distributionUrl=https\://services.gradle.org/distributions/gradle-6.1.1-all.zip
distributionSha256Sum=10065868c78f1207afb3a92176f99a37d753a513dff453abb6b5cceda4058cda
```
Additional context
See this comment on GitLab for more information: https://gitlab.com/fdroid/rfp/-/issues/2011#note_837630418
Next steps:
- Include the proposed fix in the repo (I don't know the Android build enough to judge if this has any negative impact).
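The check described above, as an added example that is not part of this issue or of the F-Droid bot's tooling: a small POSIX shell script a CI job could run to confirm that `gradle-wrapper.properties` pins `distributionSha256Sum` and, going one step beyond the bot's presence check, that an already-downloaded distribution zip matches the pin. The file names, the helper names and the sample inputs are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the issue or F-Droid): lint the Gradle wrapper pin
# and, when the distribution zip is on disk, verify it against that pin.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 if the properties file carries a well-formed 64-hex-digit pin.
wrapper_has_pin() {
    grep -Eq '^distributionSha256Sum=[0-9a-fA-F]{64}$' "$1"
}

# Prints the pinned hash in lowercase, or nothing if the pin is absent.
wrapper_pin() {
    sed -n 's/^distributionSha256Sum=//p' "$1" | tr 'A-F' 'a-f'
}

# Compares the pin with the hash of a local distribution zip.
# Returns 0 on match, 1 if the pin is missing or the zip differs.
verify_distribution() {
    props="$1"; zip="$2"
    expected=$(wrapper_pin "$props")
    if [ -z "$expected" ]; then
        echo "no distributionSha256Sum in $props" >&2
        return 1
    fi
    actual=$(sha256_of "$zip")
    [ "$actual" = "$expected" ]
}

# Constructed sample inputs so the script runs stand-alone (hypothetical files).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'distributionUrl=https\\://services.gradle.org/distributions/gradle-6.1.1-all.zip\n' \
    > "$tmp/unpinned.properties"
printf 'stand-in for a gradle distribution zip' > "$tmp/fake.zip"
printf 'a different, tampered archive' > "$tmp/tampered.zip"
{ cat "$tmp/unpinned.properties"; echo "distributionSha256Sum=$(sha256_of "$tmp/fake.zip")"; } \
    > "$tmp/pinned.properties"
```

Run it with `sh check-wrapper.sh`; the unpinned file fails `wrapper_has_pin`, and only the zip whose hash was pinned passes `verify_distribution`.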