We want to thank Marcin Zajączkowski who originally reported this vulnerability to us.
Impact
Users that sign artifacts using the built-in signing plugin with gpg-agent may be affected. If you do not sign your artifacts, you are not affected.
At INFO and DEBUG level logging, Gradle prints the full command line of every executed process. When signing artifacts with gpg, Gradle executes the gpg or gpg2 command-line tool and passes the passphrase for the private key as an argument. When INFO and DEBUG level logging is enabled, Gradle inadvertently logs the passphrase to the build log.
Users signing artifacts with gpg-agent are vulnerable with Gradle 4.5 through Gradle 6.4.x.
Patches
This behavior has been patched in Gradle 6.5.
Workarounds
If you are unable to upgrade, there are a few possible workarounds or mitigations:
- Check that your CI system is masking your passphrase from logs
- Check that your CI system is not using INFO or DEBUG level logging
- Use the default Java implementation of PGP to sign your artifacts instead of gpg-agent
- Fail the build if INFO or DEBUG level logging is used at the same time as signing
Fail the build when signing with INFO or DEBUG level
Groovy DSL:
// Sign (org.gradle.plugins.signing) and LogLevel (org.gradle.api.logging) are
// covered by Gradle's default build-script imports. LogLevel is ordered
// DEBUG < INFO < LIFECYCLE < WARN < QUIET < ERROR, so "> INFO" allows only
// LIFECYCLE or quieter output while any Sign task is scheduled.
gradle.taskGraph.whenReady { taskGraph ->
    if (taskGraph.allTasks.any { it instanceof Sign }) {
        assert gradle.startParameter.logLevel > LogLevel.INFO :
            "Signing tasks can't be used with INFO or DEBUG logging"
    }
}
Kotlin DSL:
// Inside whenReady the receiver is the TaskExecutionGraph, so allTasks resolves
// directly. Same LogLevel ordering as above: the check passes only when the
// requested level is LIFECYCLE or quieter.
gradle.taskGraph.whenReady {
    if (allTasks.any { task -> task is Sign }) {
        check(gradle.startParameter.logLevel > LogLevel.INFO) {
            "Signing tasks can't be used with INFO or DEBUG logging."
        }
    }
}
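The first two workarounds above come down to verifying that the passphrase never reaches a stored build log. As an added example (not part of this advisory and not Gradle's own code), the following Python check scans a captured build log for gpg or gpg2 process command lines that carry a passphrase argument, reports the leaking lines, and produces a redacted copy; the sample log text and the exact gpg argument layout are constructed assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of INFO-level Gradle output (not a real capture). The
# "Starting process ... Command:" layout and the gpg argument order are assumed.
SAMPLE_LOG = """\
> Task :signMavenJavaPublication
Starting process 'command 'gpg''. Working directory: /work/project Command: gpg --batch --no-tty --passphrase hunter2 --armor --detach-sign --output build/libs/app.jar.asc build/libs/app.jar
Successfully started process 'command 'gpg''
Starting process 'command 'gpg2''. Working directory: /work/project Command: gpg2 --batch --passphrase=s3cret --detach-sign build/libs/app.pom
> Task :publish
"""

# A gpg/gpg2 invocation whose passphrase is passed as a plain argument,
# either "--passphrase VALUE" or "--passphrase=VALUE".
PASSPHRASE_ARG = re.compile(r"(\bgpg2?\b.*?--passphrase)(?:=|\s+)(\S+)")


def find_leaks(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, leaked value) for each leaking log line."""
    leaks = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = PASSPHRASE_ARG.search(line)
        if m:
            leaks.append((lineno, m.group(2)))
    return leaks


def redact(log_text: str, mask: str = "***") -> str:
    """Replace every passphrase argument value with a mask, line by line."""
    out = [PASSPHRASE_ARG.sub(lambda m: f"{m.group(1)} {mask}", line)
           for line in log_text.splitlines()]
    return "\n".join(out) + ("\n" if log_text.endswith("\n") else "")


def check_masked(log_text: str, passphrase: str) -> bool:
    """True when the known passphrase does not appear verbatim in the log."""
    return passphrase not in log_text


if __name__ == "__main__":
    for lineno, value in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: passphrase argument exposed ({len(value)} chars)")
    print(redact(SAMPLE_LOG))
```

Run it against an archived CI log (or pipe the log in) to confirm the CI masking claimed by the first workaround actually covers the gpg command line.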
For more information
- For security related issues, please email us at security@gradle.com.
- For non-security related issues, please open an issue on GitHub.