[Security] Repository is vulnerable to MavenGate

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task 
```bash
./gradlew --write-verification-metadata pgp,sha256 --export-keys
```
did not find a pgp public key in a remote repository or the artifact is not signed.

```xml
 <component group="com.github.topjohnwu.libsu" name="core" version="5.2.2">
         <artifact name="core-5.2.2.aar">
            <sha256 value="0a2e3354654a57e039143c9820594762a5681a935480156d3457f6f029e771ad" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
         <artifact name="core-5.2.2.module">
            <sha256 value="60abe233894cbbe5c6de6fc99f8cc2a9923d5469c06335ac5a4b30ec086a529a" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
      </component>
```

A fix is to:
1. Start signing all artifacts, if not signed yet
2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Security] Repository is vulnerable to MavenGate #176

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[Security] Repository is vulnerable to MavenGate #176

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions