I’ve seen a lot written about how gradle uses sha1 hashes to identify cached artifacts and to detect when an artifact needs to be downloaded. But I can’t find anything that says if those hashes can also be used to actually validate artifacts.
I tried the following:
Publish an artifact via gradle to a local ivy repo.
In the repo, modify the uploaded sha1 file, effectively “corrupting” the artifact.
In a second build I declared a dependency on the artifact.
Gradle seemed happy to download the artifact even though its computed sha1 should now appear invalid relative to the sha1 in the repo. Is there an (easy) way to make the build fail in the event of such a sha1 mismatch?
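
An added example, not part of the original post and not Gradle's own code: a standalone pre-build check that recomputes the SHA-1 of every artifact in a file-based repository, compares it with the adjacent `.sha1` sidecar, and exits non-zero on a mismatch. The repository layout, the `org.example` names and the file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha1_of(path):
    """Hex SHA-1 of a file's contents."""
    return hashlib.sha1(path.read_bytes()).hexdigest()


def find_mismatches(repo_root):
    """Return (artifact, expected, actual) for each artifact whose sidecar disagrees."""
    bad = []
    for sidecar in sorted(repo_root.rglob("*.sha1")):
        artifact = sidecar.with_suffix("")  # lib-1.0.jar.sha1 -> lib-1.0.jar
        if not artifact.is_file():
            bad.append((artifact, "<sidecar present>", "<artifact missing>"))
            continue
        # A sidecar may hold only the digest, or "digest  filename".
        tokens = sidecar.read_text().split()
        expected = tokens[0].lower() if tokens else ""
        actual = sha1_of(artifact)
        if expected != actual:
            bad.append((artifact, expected, actual))
    return bad


def build_sample_repo(root):
    """Constructed repo: 'lib' has a correct sidecar, 'other' has an altered one."""
    samples = (("lib", b"constructed artifact A", False),
               ("other", b"constructed artifact B", True))
    for name, data, altered in samples:
        module_dir = root / "org.example" / name / "1.0"
        module_dir.mkdir(parents=True)
        jar = module_dir / f"{name}-1.0.jar"
        jar.write_bytes(data)
        digest = "0" * 40 if altered else hashlib.sha1(data).hexdigest()
        (module_dir / f"{jar.name}.sha1").write_text(digest + "\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        build_sample_repo(repo)
        problems = find_mismatches(repo)
        for artifact, expected, actual in problems:
            print(f"MISMATCH {artifact.name}: sidecar={expected} computed={actual}")
        raise SystemExit(1 if problems else 0)
```

Because the sidecar lives in the same repository as the artifact, this check catches corruption or an inconsistent upload, not deliberate tampering by someone who can rewrite both files.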