Does gradle have an option to automatically validate downloaded artifacts via checksum?
I have seen this question asked before back in 2013 on this post (Is there an option to validate downloaded artifacts via the sha1 checksum?).
There seemed to be some support for the idea in the thread, but I can’t figure out if it made its way into the product.
We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.
@eljobe, it is great that checksums for Gradle binaries are published.
However the missing thing is validation of the dependencies that Gradle itself downloads during the build.
For instance: plugin jars, jars from the dependencies section, and so on. That is especially important for plugins since plugin code is executed very early (before task configuration).
In other words, users (developers) should be able to somehow specify “the approved” checksums for the downloaded artifacts.
For instance, it could be:
- A plain list of “well known” checksums: `sha512("guava:guava:23", "38782378238..."); sha512("log4j:log4j:3.0", "947665234..");`
- Signature-based asserts like `gpg("guava:*", keys="...")` (so it validates that the GPG signature of the artifact can be verified locally)
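Added example, not part of the thread and not Gradle's own code: a small Python checker that implements the “plain list of well-known checksums” idea from the post above. It pins a SHA-512 per Maven coordinate, fails closed on any artifact that has no approved entry (a plugin jar nobody reviewed should not load silently), and compares digests in constant time. The coordinates, file names and digests are constructed for the demo; the digests are computed over sample bytes rather than real jars. Gradle later shipped this capability in-product as dependency verification (a `gradle/verification-metadata.xml` file, Gradle 6.2 and later), which is the option to reach for in a real build.

```python
"""Verify downloaded build artifacts against a pinned list of approved
SHA-512 checksums (added example, not Gradle's own implementation)."""
import hashlib
import hmac
import os
import tempfile

# Approved checksums keyed by Maven coordinate ("group:artifact:version").
# Constructed for the demo: digests of sample bytes, not of real jars.
APPROVED = {
    "guava:guava:23": hashlib.sha512(b"constructed guava-23.jar bytes").hexdigest(),
    "log4j:log4j:3.0": hashlib.sha512(b"constructed log4j-3.0.jar bytes").hexdigest(),
}


def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so large jars do not need to fit in memory."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(coordinate, path, approved=APPROVED):
    """Return (ok, reason). Unknown coordinates fail closed: no entry means no trust."""
    expected = approved.get(coordinate)
    if expected is None:
        return False, f"no approved checksum for {coordinate}"
    actual = sha512_of_file(path)
    # Constant-time comparison; hex digests are ASCII so str is fine here.
    if not hmac.compare_digest(actual, expected):
        return False, (f"checksum mismatch for {coordinate}: "
                       f"expected {expected[:16]}..., got {actual[:16]}...")
    return True, "ok"


def verify_all(resolved, approved=APPROVED):
    """resolved maps coordinate -> local file path. Returns the list of failure
    reasons; an empty list means every artifact passed."""
    failures = []
    for coordinate, path in resolved.items():
        ok, reason = verify_artifact(coordinate, path, approved)
        if not ok:
            failures.append(reason)
    return failures


def demo():
    """Build a throwaway cache with one good, one tampered and one unapproved
    artifact (all constructed) and return the failures the checker reports."""
    with tempfile.TemporaryDirectory() as cache:
        good = os.path.join(cache, "guava-23.jar")
        tampered = os.path.join(cache, "log4j-3.0.jar")
        unknown = os.path.join(cache, "acme-plugin-1.0.jar")
        with open(good, "wb") as f:
            f.write(b"constructed guava-23.jar bytes")
        with open(tampered, "wb") as f:
            f.write(b"constructed log4j-3.0.jar bytes TAMPERED")
        with open(unknown, "wb") as f:
            f.write(b"constructed plugin jar with no approved checksum")
        resolved = {
            "guava:guava:23": good,          # matches the approved digest
            "log4j:log4j:3.0": tampered,     # content differs from the pinned digest
            "acme:plugin:1.0": unknown,      # hypothetical coordinate, not in APPROVED
        }
        return verify_all(resolved)


if __name__ == "__main__":
    problems = demo()
    for reason in problems:
        print("FAIL:", reason)
    raise SystemExit(1 if problems else 0)
```

Running the script exits non-zero and prints two failures: the tampered log4j jar and the unapproved plugin coordinate. The guava jar, whose bytes match the pinned digest, passes silently. Wiring a check like this into a build means running it after dependency resolution and before any plugin class is loaded, which is exactly the ordering concern the post raises.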