Slide 1

Slide 1 text

Preparing for Supply Chain Attacks

Slide 2

Slide 2 text

Today's GOAL
1. Learn what the industry as a whole is doing about it
2. Learn the basics of defending against supply chain attacks
3. Learn the key points of doing that with Gradle

Slide 3

Slide 3 text

⚠ Attention

Slide 4

Slide 4 text

⚠ Attention

Slide 5

Slide 5 text

Outline
• About Supply Chain Attack
• Supply Chain Attack Case Studies and Industry Response
• Fundamental Prevention and Mitigation Strategies
• How Gradle Verifies Artifacts
• Let's Do Verification

Slide 6

Slide 6 text

About Supply Chain Attack

Slide 7

Slide 7 text

About Supply Chain Attack

Slide 8

Slide 8 text

Supply Chain Attack Case Studies
• Real-world examples
• Polyfill.io
  • Backdoored code started being served through the CDN
• XZ Utils
  • An attacker gained the maintainer's trust and got vulnerable code merged
• Log4Shell
  • A vulnerability in the library allowed remote code execution
  • https://blog.gradle.org/log4j-vulnerability

Slide 9

Slide 9 text

Gradle Wrapper Attack
• Found in some MinecraftOnline repositories
• Stole Discord credentials
• Executed arbitrary code
• Detected because the jar file's SHA-256 checksum did not match the published one
  ❌ 8449b6955690ec956c8ecfe1ae01e10a2aa76ddf18969985c070e345605acce1
  ❌ 8e129181710bdc045423ddde59244586d7acbc0b2c5e2ddfc098559da559cf85

Slide 10

Slide 10 text

Suddenly... Do you normally think about supply chain attacks? 🖐

Slide 11

Slide 11 text

SLSA (Supply chain Levels for Software Artifacts)
• A set of supply chain security guidelines organised into levels
• Proposed on the basis of Google's internal framework
• v1.0 does not cover source management; it focuses on the build phase
  • L1: provenance exists
  • L2: signed provenance, hosted builder
  • L3: signed provenance, isolated builder
• Build integrity is guaranteed by verifiable provenance plus a fully isolated build environment

Slide 12

Slide 12 text

SLSA (Supply chain Levels for Software Artifacts)

Slide 13

Slide 13 text

SLSA (Supply chain Levels for Software Artifacts)

Slide 14

Slide 14 text

SBOM (Software Bill of Materials)
Has anyone seen this button? 🖐

Slide 15

Slide 15 text

SBOM (Software Bill of Materials)
• Records licenses, versions and dependency relationships
• Several formats exist
  • SPDX (Software Package Data Exchange), OWASP CycloneDX, SWID Tags (Software Identification Tags), etc.
• GitHub's SBOM export and the JetBrains/Kotlin projects provide SBOMs in SPDX format

Slide 16

Slide 16 text

SBOM (Software Bill of Materials)

Slide 17

Slide 17 text

SBOM (Software Bill of Materials)

Slide 18

Slide 18 text

To sum up
• Make it possible to obtain trustworthy artifacts → record their provenance → detect tampering

Slide 19

Slide 19 text

Why More Careful for App Development?

Slide 20

Slide 20 text

To sum up 2
• Make it possible to obtain trustworthy artifacts → record their provenance → detect tampering
• 🆕 Continuously monitor and keep updating dependencies
• 🆕 Have a mechanism to stop an app that is known to be vulnerable

Slide 21

Slide 21 text

Verification of Gradle

Slide 22

Slide 22 text

Verification of Gradle

Slide 23

Slide 23 text

How the Gradle Wrapper Is Verified
• The Gradle Wrapper is what manages the Gradle distribution
• It is the set gradlew, gradlew.bat, gradle-wrapper.properties and gradle-wrapper.jar
• What gets verified
  • gradle-wrapper.jar
  • the Gradle distribution

Slide 24

Slide 24 text

How the Gradle Wrapper Jar Is Verified
• Check that it matches the checksum published on release-checksums (https://gradle.org/release-checksums/) or on the services site (https://services.gradle.org/distributions/)

Slide 25

Slide 25 text

How the Gradle Distribution Is Verified
• Check that it matches the checksum published on release-checksums or on the services site
• Add the checksum verification setting to gradle-wrapper.properties
• The Gradle Wrapper then verifies the checksum whenever it downloads the distribution

Slide 26

Slide 26 text

How Gradle Verifies Artifacts

Slide 27

Slide 27 text

How Gradle Verifies Artifacts

Slide 28

Slide 28 text

How Gradle Verifies Artifacts

Slide 29

Slide 29 text

How Gradle Verifies Artifacts

Slide 30

Slide 30 text

How Checksums Are Verified
• Checksum verification is performed for all artifacts
  • jar, aar, zip etc.
  • pom.xml, ivy.xml, .module (Gradle Module Metadata)
• When metadata verification is enabled as well
  • the metadata's checksum must pass too, otherwise verification fails
  • when both pom.xml/ivy.xml and Gradle Module Metadata exist, Gradle Module Metadata is usually the one that is preferred

Slide 31

Slide 31 text

How Checksums Are Verified
• ⚠ Because their checksums change frequently, SNAPSHOT releases and artifacts published to mavenLocal are not verified
• ⚠ MD5, SHA1, SHA-256 and SHA-512 are supported (MD5 and SHA1 are broken for integrity purposes, so pin SHA-256 or SHA-512)
• ⚠ Metadata checksums are often not published, which makes metadata verification inconvenient

Slide 32

Slide 32 text

How Signatures Are Verified
• Download the .asc file
• Automatically download the public keys that are needed
• Verify with the public key; if that passes, checksum verification is performed as well
• If there is no .asc file, fall back to checksum verification

Slide 33

Slide 33 text

About PGP (Pretty Good Privacy) with Gradle

Slide 34

Slide 34 text

About PGP (Pretty Good Privacy) with Gradle
• By default Gradle consults a list of key servers that is baked into each version
• In 8.10 there are four: sks-keyservers, ubuntu, openpgp and mit (the sks-keyservers pool has been shut down since 2021, so in practice only the other three answer)
• The latter three are the key servers that Maven Central recommends uploading your public key to when publishing a library
https://github.com/gradle/gradle/blob/v8.10.0/platforms/software/dependency-management/src/main/java/org/gradle/api/internal/artifacts/ivyservice/ivyresolve/verification/DefaultKeyServers.java
https://central.sonatype.org/publish/requirements/gpg/#distributing-your-public-key

Slide 35

Slide 35 text

How Signatures Are Verified
• ⚠ Signature verification only guarantees that the artifact has not been altered since the publisher released it; it cannot guarantee that the signer is who you think
  • 🆖 the signing key gets stolen
  • 🆖 the publisher itself ships a vulnerability
• ⚠ The public key may not be published anywhere in the first place

Slide 36

Slide 36 text

How Signatures Are Verified
• Maven Central: publishing without a signature is impossible, and proof of domain ownership is required as well
• Google Maven: Jetpack releases since June 2023 are signed, but other artifacts are hit and miss
• Gradle Plugin Portal: hit and miss
• Bintray, JCenter, JitPack: publishing without a signature is allowed

Slide 37

Slide 37 text

Repository Content Filtering
• In the repositories block you can declare what each repository does and does not contain
• A project created in Android Studio already comes with a filter that narrows Google Maven
• Besides the performance win of not querying a repository that is known not to hold an artifact, it prevents fetching artifacts from a repository you did not intend

Slide 38

Slide 38 text

Repository Content Filtering

Slide 39

Slide 39 text

Repository Content Filtering

Slide 40

Slide 40 text

Repository Content Filtering
Risk of v2.0.0 being resolved unintentionally

Slide 41

Slide 41 text

Let's Do Verification
• Try it on my own library (WebAuthnKt)
  • Google publishes a serialization library for the JSON used by WebAuthn, but it uses Gson internally
  • WebAuthnKt is a library for serializing WebAuthn JSON with Moshi/kotlinx.serialization

Slide 42

Slide 42 text

Let's Do Verification
• What we will do
  1. Gradle Wrapper verification
  2. Repository content filtering
  3. Enable dependency verification
  4. Enable the dependency report and set up Dependabot
  5. Generate an SBOM when creating a release

Slide 43

Slide 43 text

Gradle Wrapper Verification
• Set it up from scratch
  1. Download the Gradle distribution
  2. Generate the Gradle Wrapper
  3. Configure gradle-wrapper.properties

Slide 44

Slide 44 text

Gradle Wrapper Verification
• Download a Gradle distribution in order to generate the Gradle Wrapper
• Download the zip with the bin or all suffix from the services site
• Check the zip with the sha256sum command, then unzip it somewhere suitable

Slide 45

Slide 45 text

Gradle Wrapper Verification
• Start Gradle directly with the java command and run the wrapper task
• Running it generates the Gradle Wrapper
  • gradlew, gradlew.bat
  • gradle/wrapper/gradle-wrapper.properties
  • gradle/wrapper/gradle-wrapper.jar

Slide 46

Slide 46 text

Gradle Wrapper Verification

Slide 47

Slide 47 text

Gradle Wrapper Verification
⚠ Confirm that distributionUrl points to the official distribution

Slide 48

Slide 48 text

Gradle Wrapper Verification
• Add the SHA-256 to distributionSha256Sum
• Use the SHA-256 that Gradle publishes officially
  • https://gradle.org/release-checksums/
  • https://services.gradle.org/distributions/gradle-{version}-bin.zip.sha256
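The steps on slides 43 to 48 (download the distribution, check it with sha256sum against the published .sha256, then pin the hash in gradle-wrapper.properties) as one script. This is an added example, not code from the deck or from Gradle; the "distribution" it checks is a constructed stand-in file so the script runs offline, and the two hashes on the denylist are the malicious wrapper-jar hashes quoted on slide 9. Against the real thing you would first fetch gradle-<version>-bin.zip and gradle-<version>-bin.zip.sha256 from https://services.gradle.org/distributions/.

```shell
#!/bin/sh
# Added example: verify a Gradle distribution zip against the published .sha256
# sidecar, check a wrapper jar against known-bad hashes, and pin the hash in
# gradle/wrapper/gradle-wrapper.properties so gradlew refuses anything else.

# Hex SHA-256 of a file, using whichever tool the host has.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_distribution ZIP SIDECAR -> 0 if the zip matches the published hash.
# The sidecar is the bare hex digest, which is what services.gradle.org serves.
# Returns 2 if the sidecar itself is not a 64-hex digest (never trust a
# truncated or HTML error page as a checksum).
verify_distribution() {
  expected=$(tr -d '[:space:]' < "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]*|'') echo "bad sidecar: not a hex digest" >&2; return 2 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "bad sidecar: wrong length" >&2; return 2; }
  actual=$(sha256_of "$1")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $1 $actual"
    return 0
  fi
  echo "FAIL $1 expected $expected got $actual" >&2
  return 1
}

# Malicious gradle-wrapper.jar hashes, copied from slide 9 of this deck.
KNOWN_BAD_WRAPPER_JARS="8449b6955690ec956c8ecfe1ae01e10a2aa76ddf18969985c070e345605acce1
8e129181710bdc045423ddde59244586d7acbc0b2c5e2ddfc098559da559cf85"

# is_known_bad_wrapper JAR -> 0 if the jar's hash is on the denylist.
is_known_bad_wrapper() {
  h=$(sha256_of "$1")
  echo "$KNOWN_BAD_WRAPPER_JARS" | grep -qx "$h"
}

# write_wrapper_properties DIR VERSION SHA256
# Writes the properties file with distributionSha256Sum pinned; the wrapper
# then aborts if the downloaded zip hashes to anything else.
write_wrapper_properties() {
  mkdir -p "$1/gradle/wrapper"
  cat > "$1/gradle/wrapper/gradle-wrapper.properties" <<EOF
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-$2-bin.zip
distributionSha256Sum=$3
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
EOF
}

# Offline demo with a constructed stand-in for the zip (not a real Gradle build).
demo() {
  work=$(mktemp -d)
  printf 'constructed stand-in for gradle-8.10-bin.zip\n' > "$work/gradle-8.10-bin.zip"
  sha256_of "$work/gradle-8.10-bin.zip" > "$work/gradle-8.10-bin.zip.sha256"
  verify_distribution "$work/gradle-8.10-bin.zip" "$work/gradle-8.10-bin.zip.sha256" || return 1
  # A tampered copy must fail against the same published hash.
  printf 'x' >> "$work/gradle-8.10-bin.zip"
  if verify_distribution "$work/gradle-8.10-bin.zip" "$work/gradle-8.10-bin.zip.sha256" 2>/dev/null; then
    echo "tampered zip was accepted" >&2
    return 1
  fi
  write_wrapper_properties "$work" 8.10 "$(cat "$work/gradle-8.10-bin.zip.sha256")"
  grep distributionSha256Sum "$work/gradle/wrapper/gradle-wrapper.properties"
  rm -rf "$work"
}

demo
```

The sidecar is parsed strictly on purpose: a proxy or captive portal that answers the .sha256 request with an HTML page would otherwise turn into a "checksum" that never matches anything, and a silently truncated digest would be worse. Keep the denylist check for the wrapper jar in CI too (gradle/actions does the equivalent against the full list of published jar hashes).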

Slide 49

Slide 49 text

Gradle Wrapper Verification
• If you put a wrong checksum into distributionSha256Sum...

Slide 50

Slide 50 text

Repository Content Filtering
Before
• Google Maven: AGP
• Maven Central: KGP and the libraries that each Gradle plugin uses internally
• Gradle Plugin Portal

Slide 51

Slide 51 text

Repository Content Filtering
After
• Google Maven: restricted to the group IDs that Google publishes
• Gradle Plugin Portal: configured to fetch only the nexus publish plugin and the Gradle Develocity plugin

Slide 52

Slide 52 text

Repository Content Filtering
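A settings.gradle.kts that expresses the "After" state of slides 50 to 52 and the filtering idea of slides 37 to 40. This is an added example, not the deck's or WebAuthnKt's own settings file: the three Google Maven regexes are the ones Android Studio generates for a new project, the portal groups are the plugin-marker and implementation groups of the two plugins the deck names, and the exclusiveContent block with the maven.example.invalid repository and the dev.example.webauthnkt group is hypothetical, showing how to stop the unintended v2.0.0 of slide 40 from being served by any other repository.

```kotlin
// settings.gradle.kts (added example, not the deck's own file)
pluginManagement {
    repositories {
        google {
            content {
                // Filter generated by Android Studio for new projects: Google
                // Maven is only ever asked for Google's own group IDs.
                includeGroupByRegex("com\\.android.*")
                includeGroupByRegex("com\\.google.*")
                includeGroupByRegex("androidx.*")
            }
        }
        mavenCentral()
        gradlePluginPortal {
            content {
                // Only the two plugins taken from the portal. A plugin marker's
                // group equals the plugin id; the implementation lives in the
                // second group of each pair.
                includeGroup("io.github.gradle-nexus.publish-plugin")
                includeGroup("io.github.gradle-nexus")
                includeGroup("com.gradle.develocity")
                includeGroup("com.gradle")
            }
        }
    }
}

dependencyResolutionManagement {
    // Build scripts may not add repositories of their own; everything is
    // declared (and filtered) in this one place.
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google {
            content {
                includeGroupByRegex("com\\.android.*")
                includeGroupByRegex("com\\.google.*")
                includeGroupByRegex("androidx.*")
            }
        }
        // Hypothetical: artifacts of our own group come from one repository
        // and nowhere else, so a same-named group published elsewhere (the
        // unintended v2.0.0 on slide 40) can never win resolution.
        exclusiveContent {
            forRepository {
                maven { url = uri("https://maven.example.invalid/releases") }
            }
            filter { includeGroup("dev.example.webauthnkt") }
        }
        mavenCentral()
    }
}
```

`includeGroup`/`includeGroupByRegex` are inclusive filters: once any include is declared for a repository, that repository is only consulted for matching coordinates. `exclusiveContent` goes one step further and also forbids every other repository from serving the filtered coordinates, which is the property you want for your own group IDs.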

Slide 53

Slide 53 text

Enable Dependency Verification
• When verification fails, by default Gradle writes an HTML report and prints only a brief error to the console
• Fetching the HTML report when the failure happens on CI is a hassle, so enable the verbose console output

Slide 54

Slide 54 text

Enable Dependency Verification
• Configuration lives in $projectDir/gradle/verification-metadata.xml
• The mere presence of the file turns checksum verification on
• One file covers the whole build (buildSrc, root project, subprojects)

Slide 55

Slide 55 text

Enable Dependency Verification
• Turn metadata and signature verification off
• A configuration that only checks the checksums of jar, aar and the like
Run a Gradle Sync once 🐘

Slide 56

Slide 56 text

Enable Dependency Verification

Slide 57

Slide 57 text

Enable Dependency Verification

Slide 58

Slide 58 text

Enable Dependency Verification
Repeat the same steps to set the checksum of every artifact and you are done 🎉

Slide 59

Slide 59 text

Enable Dependency Verification
Repeat the same steps to set the checksum of every artifact and you are done 🎉
...except that there are far too many to do by hand 😞

Slide 60

Slide 60 text

Enable Dependency Verification
• Resolves the dependencies tied to a task and appends their checksums to verification-metadata.xml
• Since it only resolves the dependencies tied to that task, run it with a task that resolves as many dependencies as possible
  • e.g. androidDependencies, assemble, test

Slide 61

Slide 61 text

Enable Dependency Verification

Slide 62

Slide 62 text

Enable Dependency Verification
⚠ If you do not set origin, the entry is overwritten the next time --write-verification-metadata runs

Slide 63

Slide 63 text

Enable Dependency Verification
"Generated by Gradle" is the auto-generated marker; review the entries that still carry this origin first

Slide 64

Slide 64 text

Enable Dependency Verification
After that, just keep adding checksums until the errors stop 😂

Slide 65

Slide 65 text

Enable Dependency Verification

Slide 66

Slide 66 text

Enable Dependency Verification
Same here: keep adding checksums until the errors stop 😂

Slide 67

Slide 67 text

Enable Dependency Verification

Slide 68

Slide 68 text

Enable Dependency Verification

Slide 69

Slide 69 text

Enable Dependency Verification

Slide 70

Slide 70 text

Enable Dependency Verification
Repeat the same steps to set every PGP key ID and you are done 🎉

Slide 71

Slide 71 text

Enable Dependency Verification
Repeat the same steps to set every PGP key ID and you are done 🎉
...except that there are far too many to do by hand 😞

Slide 72

Slide 72 text

Enable Dependency Verification
• Pass pgp and sha256 to the --write-verification-metadata option
• Gradle looks the relevant keys up on the key servers, groups the entries per key sensibly, and updates verification-metadata.xml

Slide 73

Slide 73 text

Enable Dependency Verification
Key ID...? Fingerprint?... where do I find them? 🤔

Slide 74

Slide 74 text

PGP with Jetpack https://developer.android.com/jetpack/getting-started

Slide 75

Slide 75 text

Enable Dependency Verification
After that, just keep adding key IDs and fingerprints until the errors stop 😂
💡 Gradle caches a key ID whose download failed for 24 hours, so combine the --refresh-keys option with --export-keys
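What the finished gradle/verification-metadata.xml of slides 53 to 75 looks like once checksums and signatures are both on. This is an added example, not the WebAuthnKt file or one of the reference files on the next slide: the com.example coordinates, the checksum values and the two fingerprints are placeholders, and the two key servers are the ubuntu and openpgp ones the deck lists. The two origin attributes show the distinction slides 62 and 63 make between entries Gradle wrote and entries a person has reviewed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml: added example, not the deck's own file.
     Fingerprints, checksum values and the com.example coordinates are placeholders. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Slide 55 starts with both of these false (checksums of jar/aar only);
           verify-signatures is switched on once trusted-keys has been filled. -->
      <verify-metadata>false</verify-metadata>
      <verify-signatures>true</verify-signatures>
      <!-- Keys fetched with - -export-keys are stored in gradle/verification-keyring.keys -->
      <keyring-format>armored</keyring-format>
      <key-servers enabled="true">
         <key-server uri="https://keyserver.ubuntu.com"/>
         <key-server uri="https://keys.openpgp.org"/>
      </key-servers>
      <trusted-keys>
         <!-- Use the full 40-hex fingerprint rather than a short key ID, and
              scope the trust to the groups that key is expected to sign. -->
         <trusted-key id="0123456789ABCDEF0123456789ABCDEF01234567">
            <trusting group="com.example"/>
            <trusting group="^com[.]example([.].*)?$" regex="true"/>
         </trusted-key>
      </trusted-keys>
      <ignored-keys>
         <!-- A key no server could serve: artifacts signed with it are
              checked by checksum instead of by signature. -->
         <ignored-key id="FEDCBA9876543210FEDCBA9876543210FEDCBA98" reason="Key couldn't be downloaded from any key server"/>
      </ignored-keys>
   </configuration>
   <components>
      <component group="com.example" name="example-lib" version="1.2.3">
         <artifact name="example-lib-1.2.3.jar">
            <!-- Written by - -write-verification-metadata; not yet reviewed -->
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="Generated by Gradle"/>
         </artifact>
         <artifact name="example-lib-1.2.3.pom">
            <!-- Reviewed by a person: the origin records how, and the entry is
                 no longer rewritten when the option runs again -->
            <sha256 value="1111111111111111111111111111111111111111111111111111111111111111" origin="Compared with the checksum on Maven Central by hand, 2024-09"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

The bootstrap sequence the deck walks through is `./gradlew --write-verification-metadata sha256 assemble test` for the checksum-only stage, then `./gradlew --write-verification-metadata pgp,sha256 --export-keys --refresh-keys assemble test` once signatures are wanted (the task list matters, as slide 60 says, because only dependencies the task resolves are written). Putting `org.gradle.dependency.verification.console=verbose` in gradle.properties is what makes the console show the full list of failures that slide 53 otherwise sends you to the HTML report for. Ask for sha256, not md5 or sha1, for the reason on slide 31.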

Slide 76

Slide 76 text

Enable Dependency Verification
• Reference verification-metadata.xml files
  • https://github.com/elastic/elasticsearch
  • https://github.com/androidx/androidx
  • https://github.com/gradle/gradle

Slide 77

Slide 77 text

Dependabot with Gradle

Slide 78

Slide 78 text

Dependabot with Gradle
• Use https://github.com/gradle/actions
  • Cache management
  • Calls the GitHub Dependency Submission API
  • Checksum verification of the Gradle Wrapper jar

Slide 79

Slide 79 text

Dependabot with Gradle

Slide 80

Slide 80 text

Dependabot with Gradle
⚠ Beware that some dependencies are not resolved until a task actually runs

Slide 81

Slide 81 text

Dependabot with Gradle
https://docs.github.com/ja/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Pin actions by commit hash
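A workflow and Dependabot configuration that put slides 78 to 81 together: the official gradle/actions action with wrapper validation and dependency-graph submission, every action pinned to a commit hash, and a task invocation that resolves the dependencies slide 80 warns about. This is an added example, not the deck's or WebAuthnKt's own workflow; the 40-zero hashes are placeholders for the real commit SHAs behind the tags you choose, and the Java version is an assumption.

```yaml
# .github/workflows/build.yml (added example, not the deck's own file)
name: build
on:
  push:
    branches: [main]
  pull_request:

permissions:
  contents: write        # the Dependency Submission API writes to the repo's graph

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Every third-party action is pinned to a full commit SHA, not a mutable tag.
      # The all-zero SHAs are placeholders: paste the commit behind the tag you audited.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-java@0000000000000000000000000000000000000000 # v4
        with:
          distribution: temurin
          java-version: 17
      - uses: gradle/actions/setup-gradle@0000000000000000000000000000000000000000 # v4
        with:
          validate-wrappers: true                 # rejects a gradle-wrapper.jar with an unknown hash
          dependency-graph: generate-and-submit   # feeds Dependabot alerts with the resolved graph
      # Dependencies that only resolve when a task runs (slide 80) are captured
      # by running those tasks, so pick the ones that resolve the most.
      - run: ./gradlew assemble test
---
# .github/dependabot.yml (added example)
version: 2
updates:
  - package-ecosystem: gradle
    directory: /
    schedule:
      interval: weekly
  - package-ecosystem: github-actions   # keeps the pinned SHAs above moving
    directory: /
    schedule:
      interval: weekly
```

With a github-actions entry in dependabot.yml the SHA pins are not a maintenance dead end: Dependabot opens pull requests that bump the hash and the version comment together. The gradle entry bumps library versions but, as slide 88 says, does not run Gradle, so the verification-metadata.xml update still has to be made in that pull request by a person or a follow-up job.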

Slide 82

Slide 82 text

Dependabot with Gradle

Slide 83

Slide 83 text

Generate SBOM
• Generate the SBOM while building the {aar|apk|aab}
• Use spdx-gradle-plugin, which JetBrains/Kotlin uses as well

Slide 84

Slide 84 text

Generate SBOM

Slide 85

Slide 85 text

Generate SBOM
💡 If you are not sure which configuration to use, check with the androidDependencies task
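A build.gradle.kts fragment for the SBOM step of slides 83 to 85, as an added example rather than the deck's own build file. The plugin id and the spdxSbom/targets/configurations DSL are spdx-gradle-plugin's as I understand them; the plugin version, the document namespace and the bundleReleaseAar task name (the AGP library task that produces the aar) are assumptions to check against the plugin's README and your AGP version.

```kotlin
// build.gradle.kts of the library module (added example, not the deck's own file)
plugins {
    id("com.android.library")
    id("org.spdx.sbom") version "0.8.0"   // version is an assumption; check the plugin portal
}

spdxSbom {
    targets {
        // Registers the spdxSbomForRelease task, writing build/spdx/release.spdx.json
        create("release") {
            // The resolved graph of this configuration is what goes into the SBOM.
            // This is the knob slide 85 is about: if the name is unclear, run
            // `./gradlew androidDependencies` and pick the configuration it lists.
            configurations.set(listOf("releaseRuntimeClasspath"))
            document {
                name.set("WebAuthnKt")
                namespace.set("https://example.invalid/spdx/webauthnkt")  // assumption
            }
        }
    }
}

// Produce the SBOM whenever the release aar is built, so the artifact and its
// bill of materials always come from the same resolution.
tasks.named("bundleReleaseAar") {
    finalizedBy("spdxSbomForRelease")
}
```

Publish the generated release.spdx.json next to the aar (as a release asset or an attached artifact) so that a consumer can compare it with what their own dependency verification resolved.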

Slide 86

Slide 86 text

Generate SBOM

Slide 87

Slide 87 text

Finally... Setup complete 🎉

Slide 88

Slide 88 text

End? No, It's just beginning
• Setup is not the finish line, it is the start
• The cost of updating dependencies
  • Dependabot does not run Gradle, so it updates neither the Gradle Wrapper nor verification-metadata
  • If you rely mainly on checksum verification, every version bump necessarily changes the checksums
• Signature mismatches that appear out of nowhere
  • It is quite common for different versions of a library to be signed with different keys

Slide 89

Slide 89 text

Summary
• Gradle verifies artifacts using checksums and signatures
• Depending on the configuration, keeping libraries up to date can become a burden, so tune the configuration to your situation
• On GitHub Actions, using Gradle's official action lets you get more out of Dependabot

Slide 90

Slide 90 text

About Me
• Bunjiro Miyoshi
• Android app developer for roughly 5 years
• KMP fan
• Wants a Kodee plushie

Slide 91

Slide 91 text

Preparing for Supply Chain Attacks

Slide 92

Slide 92 text

Refs
• https://blog.gradle.org/wrapper-attack-report
• https://docs.gradle.org/current/userguide/dependency_verification.html
• https://blog.gradle.org/category/security
• https://docs.gradle.org/current/userguide/declaring_repositories_adv.html#sec:repository-content-filtering

Slide 93

Slide 93 text

Bonus (1) Store listing visibility
• Simply ticking a checkbox blocks the app from being offered through the Google Play Store to risky devices (rooted devices, abused devices, emulators, unknown environments, etc.)
• https://play.google.com/console/about/app-integrity/

Slide 94

Slide 94 text

Bonus (2) Automatic Integrity Protection
• Google Play automatically builds runtime checks into the app
• https://support.google.com/googleplay/android-developer/answer/10183279

Slide 95

Slide 95 text

Bonus (3) validateDistributionUrl
• A flag, described as still under development, that can be set in gradle-wrapper.properties from Gradle 8.2
• It checks that distributionUrl is valid and only then downloads the distribution (it validates the URL, not the download; distributionSha256Sum remains the integrity check)
• https://docs.gradle.org/8.2/dsl/org.gradle.api.tasks.wrapper.Wrapper.html#org.gradle.api.tasks.wrapper.Wrapper:validateDistributionUrl

Slide 96

Slide 96 text

Bonus (4) GitHub Artifact Attestations
• GitHub Actions can now generate and verify artifact attestations
• Uses Sigstore, the same as SLSA
• https://docs.github.com/ja/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds

Slide 97

Slide 97 text

EOF