@eljobe, it is great that checksums for Gradle binaries are published.
However, the missing thing is validation of the dependencies that Gradle itself downloads during the build.
For instance: plugin jars, jars from dependencies section, and so on.
That is especially important for plugins since plugin code is executed very early (before task configuration).
In other words, users (developers) should be able to somehow specify “the approved” checksums for the downloaded artifacts.
For instance, it could be:
- A plain list of “well known” checksums: `sha512("guava:guava:23", "38782378238...")`; `sha512("log4j:log4j:3.0", "947665234..")`
- Signature-based asserts like `gpg("guava:*", keys="...")` (so it validates that the GPG signature of the artifact can be validated locally)
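To illustrate the first option (the plain checksum allowlist), here is an added Python sketch of a fail-closed verifier; it is not code from the comment's author or from Gradle, the artifact bytes and hashes are constructed for the example, and the GPG-based variant is not covered.

```python
import hashlib
from typing import Dict, List


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512 of an artifact's bytes (what the allowlist stores)."""
    return hashlib.sha512(data).hexdigest()


def verify_artifacts(downloaded: Dict[str, bytes],
                     approved: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare every downloaded artifact against the approved checksum list.

    Buckets in the returned report:
      ok        - coordinate listed and bytes hash to the approved value
      mismatch  - coordinate listed but the download hashes differently
      unlisted  - coordinate has no approved checksum at all
    """
    report: Dict[str, List[str]] = {"ok": [], "mismatch": [], "unlisted": []}
    for coord, data in sorted(downloaded.items()):
        expected = approved.get(coord)
        if expected is None:
            report["unlisted"].append(coord)
        elif sha512_hex(data) == expected.lower():
            report["ok"].append(coord)
        else:
            report["mismatch"].append(coord)
    return report


def build_may_proceed(report: Dict[str, List[str]]) -> bool:
    """Fail closed: an unlisted or mismatching artifact blocks the build."""
    return not report["mismatch"] and not report["unlisted"]


# Constructed stand-in jar bytes; a real check would read files from the Gradle cache.
GOOD_GUAVA = b"PK\x03\x04 constructed guava-23.jar bytes"
GOOD_LOG4J = b"PK\x03\x04 constructed log4j-3.0.jar bytes"

# The "well known" checksum list from the proposal, keyed by group:name:version.
APPROVED_SHA512 = {
    "guava:guava:23": sha512_hex(GOOD_GUAVA),
    "log4j:log4j:3.0": sha512_hex(GOOD_LOG4J),
}


def demo() -> Dict[str, List[str]]:
    """One intact download, one altered download, one plugin with no entry."""
    downloaded = {
        "guava:guava:23": GOOD_GUAVA,
        "log4j:log4j:3.0": GOOD_LOG4J + b"\x00altered",
        "com.example:some-plugin:1.0": b"PK\x03\x04 constructed unlisted plugin jar",
    }
    return verify_artifacts(downloaded, APPROVED_SHA512)
```

The unlisted plugin is the case the comment stresses: plugin code runs before task configuration, so an entry missing from the list has to stop the build rather than be skipped.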