Sign plugin artifacts

[Nek-12]

https://blog.oversecured.com/Introducing-MavenGate-a-supply-chain-attack-method-for-Java-and-Android-applications/

Gradle task

./gradlew --write-verification-metadata pgp,sha256 --export-keys

did not find a pgp public key in a remote repository or the artifact is not signed.

 <component group="com.github.ben-manes" name="gradle-versions-plugin" version="0.50.0">
         <artifact name="gradle-versions-plugin-0.50.0.jar">
            <sha256 value="cc5381f2601200ed2405d44ea9eaab821560904bfdc9f17f8f0035a7706a4fb3" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
         <artifact name="gradle-versions-plugin-0.50.0.module">
            <sha256 value="2dacaacd0172ac5d258f6adc93399d5b091bc2029db9a3d665c4d00e4e7f6bec" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
      </component>

A fix is to:

1. Start signing all artifacts, if not signed yet
2. Upload a public pgp key used for signing artifacts to multiple public pgp repositories: https://keys.openpgp.org | https://pgp.mit.edu | https://keyserver.ubuntu.com/

[ben-manes]

The plugin portal only recently supported pgp signatures for plugins, so almost the entire ecosystem of plugins are unsigned. While it’s encouraging to enable signing now that it is supported, it is very misleading to pretend as if this is a security vulnerability that does not exist throughout your build regardless. The proper fix is to use repository constraints so that plugins are only searched in trusted sources. Assuming that you don’t screw up by trusting the wrong signature files won’t protect you.