It is somehow possible to force enable Gradle artifacts hash and signature verification when the project doesn’t have its own verification-metadata.xml, like via gradle properties? I did not found it in the documentation.
There is
org.gradle.dependency.verification.console=verbose
But Id did not found a list of all possibilities.
And of course, the possibility to force set globally URI of key server or list of trusted keys.
Of course, I can simply write the verification-metadata.xml file on CI server just after source code checkout. But it is also not ideal, because this file can exists already on some projects and I will lost <components> section. It is also not ideal, that <configuration> is in the same file as <components>.