Since it’s possible to sign artifacts with Gradle, and since this signature is uploaded together with the artifacts, the POM file, etc. to the Maven repository, how can I tell Gradle to verify the artifact’s signature against an expected one?
Ideally I’d like to have something like
expected_pubkey is the public key that is expected to sign the artifact. Ideally with optional support for specifying the hash of the artifact, if it’s a non-changing dependency, and support for tagging a repository as ‘trusted’ so that no verification will be performed when using artifacts from it (e.g. because I build the artifacts there myself).
Is that somehow possible with Gradle?
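Gradle's built-in dependency verification (Gradle 6.2 and later) covers most of what the question asks for: a trusted signing key per group, a checksum pin for a fixed dependency, and a way to exempt artifacts you publish yourself. The file below is an added, constructed example of gradle/verification-metadata.xml, not part of the original post; the coordinates, key fingerprint and checksum values are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- gradle/verification-metadata.xml (constructed example; key ID and hashes are placeholders) -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Verify the module metadata (POM / Gradle module file) as well as the artifacts. -->
      <verify-metadata>true</verify-metadata>
      <!-- Check the detached .asc signature that sits next to each artifact in the repository. -->
      <verify-signatures>true</verify-signatures>
      <key-servers>
         <key-server uri="https://keyserver.ubuntu.com"/>
      </key-servers>
      <!-- Artifacts you build and publish yourself: no signature or checksum check is run.
           Note that trust is expressed per group/name/version, not per repository. -->
      <trusted-artifacts>
         <trust group="com\.mycompany\..*" regex="true"/>
      </trusted-artifacts>
      <!-- The "expected public key": every artifact in this group must be signed by it.
           The id is the full 40-hex-digit PGP fingerprint (placeholder value). -->
      <trusted-keys>
         <trusted-key id="0000000000000000000000000000000000000000" group="org.example.lib"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- Pin a non-changing dependency to a key and a checksum (placeholder values).
           Gradle checks the signature first; the checksum is the fallback when no
           signature can be found for the artifact. -->
      <component group="org.example.lib" name="example-lib" version="1.2.3">
         <artifact name="example-lib-1.2.3.jar">
            <pgp value="0000000000000000000000000000000000000000"/>
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000"
                    origin="constructed placeholder"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Gradle can bootstrap this file with `./gradlew --write-verification-metadata pgp,sha256 help`; review the generated entries before committing them, since they record whatever the repository served at that moment rather than a key you have independently verified.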