Secure JCenter with HTTPS

UPDATE: As of May 1, 2021 Bintray services will no longer be available (ConanCenter and JCenter are not affected) for more information read the Centers Deprecation Blog

 

Are you using Bintray JCenter to find and share public OSS JVM language packages? If so, we have some important news for you to help keep your builds running without interruption.

Starting in January 2020, JCenter will only serve requests made with HTTPS. From that point on, all requests made with HTTP will be denied and any builds that use a JCenter URL with the non-secure HTTP protocol will fail.

The TL;DR? Update your tools with a URL that uses HTTPS as soon as you can. That’s all you really need to do to be certain all your builds will continue to run smoothly with JCenter. 

To ease the transition for JCenter users, the change is coming in two phases:

When What’s Changing
October 1, 2019 HTTP requests to JCenter will automatically be redirected to HTTPS.
January 13, 2020 HTTP requests to JCenter will be denied. Only HTTPS will be supported.

 

If you want to know more, here are some answers to questions you’re likely to have:

JCenter? What’s that?

JCenter is a central repository on JFrog Bintray platform for finding and sharing popular JVM language packages in Maven format, used by Maven, Gradle, Ivy, SBT, and others. JCenter is the most comprehensive source for OSS Maven packages, hosting over 340,000 public packages.

Is HTTPS support new?

HTTPS support on JCenter isn’t new. JCenter supported secure HTTPS from day 0, and it’s always been the recommended transport protocol to access any repository on Bintray. Support for HTTPS has been one of many components of JFrog’s commitment to content integrity. We’ve permitted access using HTTP protocol as well, but soon we won’t.

Why are you forcing me to change?

Because we care about your security. HTTP is an unencrypted transfer protocol that is vulnerable to eavesdropping and tampering. Particularly important to JCenter users, HTTP transfers enable man-in-the-middle attacks that can be performed on JAR artifacts. As a protocol that uses bidirectional encrypted transmissions, HTTPS provides an essential level of protection.

I’m already using HTTPS. What do I need to do?

If your URLs are already using HTTPS, you don’t need to do anything. Congratulate yourself for good security practice, but remember, that HTTPS is not enough!

I’m using HTTP but my tools support redirects. What should I do?

You should still update your URLs to use HTTPS as soon as possible. 

If you miss any you will still be okay after the first change in October. After October 1st, look for redirect messages in your logs, to help you find all of the places where you need to change to HTTPS before the end of the year. After January 13th, your builds will fail for any URLs you didn’t update.

I’m using HTTP and my tools don’t support redirects. What should I do?

Update your URLs to use HTTPS right away. If you don’t, and your tools don’t support redirects, your builds will fail beginning in October.

JCenter sounds pretty cool. How can I learn more about it?

JCenter is very cool! As one of the most popular Maven hubs, it’s a great way to distribute Android libraries and expose your Maven packages to a huge audience. You can learn about including your packages in JCenter in the Bintray User Guide. Since JCenter is a curated repository with trusted content, you need to be a fully registered user before you can link your package to JCenter.