Is it somehow possible to force-enable Gradle artifact hash and signature verification when the project doesn't have its own
verification-metadata.xml, for example via Gradle properties? I did not find it in the documentation.
But I did not find a list of all possibilities.
And of course, the possibility to globally force-set the URI of the key server or the list of trusted keys.
Of course, I can simply write the verification-metadata.xml file on the CI server just after the source code checkout. But it is also not ideal, because this file can already exist in some projects and I will lose the <components> section. It is also not ideal that <configuration> is in the same file as