Gradle-wrapper should verify integrity of the downloaded distribution

Right now, the Gradle wrapper downloads Gradle over unsecured HTTP without any apparent integrity checking.

It would be good, in my opinion, to include the SHA1 hash of the distribution zip file in ‘gradle-wrapper.properties’ and have the wrapper verify that checksum after downloading.

The circularity involved in creating this hash - the distribution may need to contain its own hash in order for the ‘wrapper’ task to create the properties file - seems like a troublesome problem to solve, though.

This assumes that the wrapper task will only be used with the current version.

Whenever I upgrade Gradle in my projects, I change the version number in

task wrapper(type: Wrapper) {
 gradleVersion = '1.11'
}

and execute ‘gradlew wrapper’ two times (plus one additional time to see the UP-TO-DATE). I see no way the wrapper task could know the SHA1 while executing for a newer (probably even SNAPSHOT) version.

We’re planning some improvements to how we host/distribute the binaries. I’ll include this in the list of work to do.

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.

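The check proposed in the first post, and made practical by the published SHA-256 checksums mentioned in the last reply, is a pin-and-compare step: the expected digest is stored in gradle-wrapper.properties and the wrapper refuses a download whose bytes do not hash to it. The following is an added example (not Gradle's own wrapper code) that shows that step in Python. The property name distributionSha256Sum is the key the Gradle wrapper actually reads for this purpose; everything else here (the sample properties text, the stand-in distribution bytes, the function names) is constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a downloaded gradle-<version>-bin.zip. In the real
# wrapper this would be the bytes fetched from distributionUrl.
SAMPLE_DISTRIBUTION = b"PK\x03\x04 constructed stand-in for gradle-1.11-bin.zip\n"

# The pinned digest. In a real project this value is copied from the checksum
# file published alongside the release, not computed from the download itself.
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_DISTRIBUTION).hexdigest()

# Constructed gradle-wrapper.properties. distributionSha256Sum is the real
# property name; the other keys mirror the layout of a typical wrapper file.
SAMPLE_PROPERTIES = f"""\
distributionBase=GRADLE_USER_HOME
distributionPath=wrapper/dists
distributionUrl=https\\://services.gradle.org/distributions/gradle-1.11-bin.zip
distributionSha256Sum={EXPECTED_SHA256}
zipStoreBase=GRADLE_USER_HOME
zipStorePath=wrapper/dists
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    and the backslash-escaped colon that wrapper files use in URLs."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def check_download(data: bytes, properties_text: str) -> tuple:
    """Return (ok, detail). ok is True only when a digest is pinned in the
    properties and the downloaded bytes hash to exactly that digest.
    A missing pin is treated as a failure: an unpinned download is exactly
    the plain-HTTP situation the thread is complaining about."""
    props = parse_properties(properties_text)
    expected = props.get("distributionSha256Sum", "").lower()
    if not expected:
        return False, "no distributionSha256Sum pinned; refusing unverified distribution"
    actual = hashlib.sha256(data).hexdigest()
    # compare_digest avoids leaking the position of the first differing byte
    # through timing; for a public checksum this is belt-and-braces, but it is
    # the idiomatic way to compare digests.
    if not hmac.compare_digest(actual, expected):
        return False, f"checksum mismatch: expected {expected}, got {actual}"
    return True, actual


if __name__ == "__main__":
    print(check_download(SAMPLE_DISTRIBUTION, SAMPLE_PROPERTIES))
    print(check_download(SAMPLE_DISTRIBUTION + b"tampered", SAMPLE_PROPERTIES))
```

The important design point is the failure path: a mismatch or a missing pin is a hard stop before the archive is unpacked into the distribution directory, so a modified download over an unauthenticated connection is never executed. Pinning the digest in the properties file also sidesteps the circularity discussed above, because the value comes from the release's published checksum rather than from the distribution that is being fetched.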