I have a remote repository with an https URL and a self-signed certificate. In Maven I could set MAVEN_OPTS properties to bypass certificate validation. How can I achive this with gradle?
I tried modifying the file gradle.properties but I can’t find the exact properties:
systemProp.http.ssl.insecure=true
systemProp.http.ssl.allowall=true
systemProp.http.ssl.ignore.validity.dates=true
Gradle "Trust All" Plugin
This plugin was born out of necessity for a quick-and-dirty way to use a Maven repository over HTTPS with a self-signed certificate.
When working with such a repository in gradle you may get an error:
Error transferring file: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Usual Java way to handle such scenario would be to download site certificate, import it into a keystore, and use that keystore via the -Djavax.net.ssl.trustStore=... JVM options.
Sometimes, you just need an easier way — disable certificate validation altogether! There are many reasons not to do that, one of them being that this approach makes connections vulnerable to man-in-the-middle attacks.
Consider this code a proof-of-concept and accept full responsibility that by using it you're ultimately making an informed bad decision.
Origin
The code to disable certificate validation comes from this StackOverflow answer, although there are many similar code snippets floating around the web.
Using "Trust All" Plugin
To use gradle-trust-all, build the jar file and include it in your project:
$ git clone https://github.com/arteme/gradle-trust-all.git
$ cd gradle-trust-all
$ gradle build
$ cp build/libs/gradle-trust-all.jar /path/to/your/project/gradle/folder/
Then in your project's build.gradle file add it as a buildscript dependency and activate the plugin:
buildscript {
dependencies {
classpath files('gradle/gradle-trust-all.jar')
}
}
apply plugin: 'trust-all'
That is it. Now certificate validation in gradle is disabled.
https://github.com/arteme/gradle-trust-all
Related
After updating to Gradle 7.3.0 I having this message error :
Using insecure protocols with repositories, without explicit opt-in, is unsupported. Switch Maven repository 'maven4(http://dl.bintray.com/glomadrian/maven)' to redirect to a secure protocol (like HTTPS) or allow insecure protocols. See https://docs.gradle.org/8.0-milestone-1/dsl/org.gradle.api.artifacts.repositories.UrlArtifactReposit... for more details
any suggestions?
so what solve it ,it's just adding -4- to Maven , something like Maven4 instead of just Maven in the app build Gradle Mavens declarations.
I have a simple JAVA application and I like to publish my JAR in maven central repository . On looking through the procedure it is mentioned that my JAR’s need to be signed with PGP signature.
https://maven.apache.org/repository/guide-central-repository-upload.html
Documentation mentioned that to guarantee that they are downloading the original artificat we must sign. If that’s the case is there any way to upload the JAR file in maven central without signing for testing purposes for uploading?
Also, my JAR is signed with code signed certificate. So, I really need this PGP signature? Since, Signing the JAR with certificate itself confirms that it was from trusted source. Do we really need this additional PGP signing? If so can anyone explain this.
I would appreciate if any solution for publishing in maven central without signing. Please advise me in this
Note: using gradle as build tool for publishing the JAR in maven central.
Yes you do. It is necessary as it is their policy.
For a small open source developer the easiest thing to do is probably to register with https://central.sonatype.org/pages/ossrh-guide.html so you can push whenever you want after the initial registration.
Yes. It is a strict requirement. There is no other solution.
It does not matter that you have signed with something else. It must be PGP, and in fact you must distribute/publish the public key into a public key server. Maven Central will need to pull your public key from one of several key servers.
Check this link: https://central.sonatype.org/publish/requirements/gpg/
For the purposes of testing, you can use gradlew publishToMavenLocal, which will "install" your library on your local machine. Normally this repo is at %HOME%\.m2\repository. In this case, you don't need to sign anything. It's quite straightforward, and everything should work as if your library had been uploaded to a centralized repo.
Then, on the project that imports your library for testing, just make sure to include the maven repository mavenLocal() alongside the other centralized repos:
build.gradle
repositories {
mavenLocal()
mavenCentral()
jcenter()
}
There is also the maven repo jcenter to where it might be possible to upload without that pgp signature.
Lastly, I have heard about this private and supposedly free maven repository called repsy https://repsy.io/. I have never tried it, but I imagine you won't need to sign up the artefacts there. Might be useful for testing.
Upon the first attempt to create a maven project using IntelliJ, I'm getting the following error even after importing the .cer file into cacerts.
Could not transfer artifact
org.apache.maven.plugins:maven-clean-plugin:pom:2.5 from/to central
(https://repo.maven.apache.org/maven2): PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
Thanks in advance!!!
You are behind a firewall which wants to inspect what you are doing so they inject themselves in the certification path to be able to do so. This also allows them to rewrite the contents you download on the fly if they want to.
The sole reason to use https instead of http is to detect and avoid this exact scenario.
If you trust the owner of the interfering firewall, add its certificates to the JDK keychain to make programs run with that JDK accept this. Note that the JDK you run Maven with inside IntelliJ may not necessarily be the same as the one used by Maven on the command line.
I'm getting an exception (java.net.ConnectException: Connection refused: connect.) when trying to compile a maven project using the jaxb2 plugin to generate the class by a wsdl provided by a url.
However, I can get this wsdl when get it by a browser.
Any ideas?
Thanks.
While you might be able to resolve the connection issues given the comments above, the error message shows a fundamental problem in your build. If your maven build downloads the WSDL each time it compiles, you don't have repeatable builds, as the WSDL can change each time it's accessed. While it might be convenient to alway load the latest WSDL, I'd recommend downloading the WSDL and add it to your src tree. Then your build will not break, if the WSDL changes. You need to take take, however, to manually update the WSDL if you want to support a newer version.
The instructions on how to setup a proxy in jaxb2: https://github.com/highsource/maven-jaxb2-plugin/wiki/Configuring-Proxies/c32d4e2af4ab9c1fd5b3d67fb559ec32affab745
I just put <useActiveProxyAsHttpproxy>true</useActiveProxyAsHttpproxy> in my configuration tag of plugin.
Also, I prev set the proxy on my maven settings.xml
I had the same error in a java project built with maven and. On compilation the plugin tries to get some sources on the net and my company had set up a proxy. So you have to configure correctly your settings.xml and add
<useActiveProxyAsHttpproxy>true</useActiveProxyAsHttpproxy>
to the configuration tag of the plugin causing the error in the pom.xml
I have a Maven project and added db4o as a dependency using this answer from a previous question. When I compile the project it gives me the following error:
Could not resolve dependencies for
project
org.uca.dss:trenes:jar:1.0-SNAPSHOT:
[...] Failed to read artifact
descriptor for
com.db4o:db4o-full-java5:jar:7.13-SNAPSHOT:
Could not transfer artifact
com.db4o:db4o-full-java5:pom:7.13-SNAPSHOT
from/to source.db4o
(https://source.db4o.com/maven/):
Error transferring file:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification
path to requested target -> [Help 1]
Curiously enough, it only happens in Ubuntu GNU/Linux (tested in two PC's), but not in Windows (using NetBeans 7.0).
I can post the full error (from maven -X output), but I think it does not add much information
Edit 1:
This is what I have in my pom.xml file regarding db4o:
<repository>
<id>source.db4o</id>
<url>https://source.db4o.com/maven/</url>
</repository>
...
<dependency>
<groupId>com.db4o</groupId>
<artifactId>db4o-full-java5</artifactId>
<version>7.13-SNAPSHOT</version>
</dependency>
This looks like a security certificate issue for a secured request which is generally looked up from %JAVA_HOME%\jre\lib\security\cacerts . I am guessing your windows JRE has the entries whereas the ubuntu JRE is lacking them.
By the way this link is a good read on installing certs. You probably want to use the option 1 mentioned there.