Hello,
I’m curious if Gradle has any features or plugins which allow verification of JAR signatures (obviously for Java development). The PGP solution offered by Gradle’s built-in dependency verification offers a lot here, but I’m interested if there exist similar options which can utilize the certificate based verification encoded directly into the JAR file (rather than supplemental metadata).
In its simplest form, it seems like it would be useful for a build author to be able to configure dependencies + trust verification using a syntax akin to:
```groovy
plugins {
    id 'java'
}

dependencies {
    // 'signed-by' is the proposed attribute, not something Gradle offers today
    implementation group: 'org.eclipse.collections', name: 'eclipse-collections', version: '10.+', signed-by: 'Eclipse.org Foundation, Inc.'
}
```
This format feels like an alternative which a build author may want to use, testing the CN of the certificate used to sign the JAR, as well as performing appropriate trust chain, CRL, and OCSP checking.
Are there any existing plugins or features to Gradle which offer equivalent functionality, or is there a glaring reason why such functionality might be undesirable?
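The closest thing to the proposed `signed-by` check that can be written against today's Gradle, as an added example that is not part of the original post and not a Gradle or Eclipse feature: a Groovy build script with a custom task that opens every resolved dependency JAR, requires every non-signature entry to carry a JAR signature, compares the CN of the leaf signing certificate with an expected value, and runs PKIX validation of the signer's chain with the JDK's revocation checker (OCSP first, CRL fallback). The task name `verifyJarSigners`, the `expectedSigners` map, the concrete version `10.4.0`, and the CN string (taken from the post, not verified against the real artifact) are all assumptions; the trust roots come from the JDK's default trust store, and the helper methods are plain script methods, not Gradle API.

```groovy
import java.security.CodeSigner
import java.security.KeyStore
import java.security.cert.CertPathValidator
import java.security.cert.PKIXParameters
import java.security.cert.PKIXRevocationChecker
import java.security.cert.TrustAnchor
import java.security.cert.X509Certificate
import java.util.jar.JarFile
import javax.naming.ldap.LdapName
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // assumed concrete version; the original post used the dynamic '10.+'
    implementation 'org.eclipse.collections:eclipse-collections:10.4.0'
}

// Artifact name -> expected CN of the leaf signing certificate (assumed policy values).
def expectedSigners = [
    'eclipse-collections': 'Eclipse.org Foundation, Inc.'
]

// The manifest and the signature files are not themselves signed entries.
def isSignatureRelated(String name) {
    def n = name.toUpperCase()
    return n == 'META-INF/MANIFEST.MF' ||
        (n.startsWith('META-INF/') && ['.SF', '.RSA', '.DSA', '.EC'].any { n.endsWith(it) })
}

// CN of the certificate subject, or null when the subject has no CN attribute.
def commonName(X509Certificate cert) {
    def rdn = new LdapName(cert.subjectX500Principal.name).rdns.find { it.type.equalsIgnoreCase('CN') }
    return rdn?.value?.toString()
}

// Trust anchors from the JDK's default trust store (the same roots TLS connections use).
def defaultTrustAnchors() {
    def tmf = TrustManagerFactory.getInstance(TrustManagerFactory.defaultAlgorithm)
    tmf.init((KeyStore) null)
    tmf.trustManagers
        .findAll { it instanceof X509TrustManager }
        .collectMany { (it as X509TrustManager).acceptedIssuers.toList() }
        .collect { new TrustAnchor(it, null) } as Set
}

// PKIX validation of the signer's chain with revocation checking. The JDK's
// PKIXRevocationChecker tries OCSP and falls back to CRLs; SOFT_FAIL is deliberately
// not set, so an unreachable responder fails the build rather than silently passing.
def validateChain(CodeSigner signer, Set<TrustAnchor> anchors) {
    def validator = CertPathValidator.getInstance('PKIX')
    def params = new PKIXParameters(anchors)
    params.revocationEnabled = true
    params.addCertPathChecker(validator.revocationChecker as PKIXRevocationChecker)
    // Like jarsigner, judge validity at the trusted timestamp when the signature carries
    // one, so a signing certificate that expired after signing still verifies.
    params.date = signer.timestamp?.timestamp ?: new Date()
    validator.validate(signer.signerCertPath, params)   // throws CertPathValidatorException on failure
}

tasks.register('verifyJarSigners') {
    description = 'Fails unless every configured dependency JAR is fully signed by the expected CN with a valid, unrevoked chain.'
    def classpath = configurations.runtimeClasspath
    inputs.files(classpath)
    doLast {
        def anchors = defaultTrustAnchors()
        classpath.resolvedConfiguration.resolvedArtifacts.each { artifact ->
            def expectedCn = expectedSigners[artifact.name]
            if (expectedCn == null) {
                return   // no policy for this artifact; a stricter build would fail here instead
            }
            // verify=true (the default) makes reads throw SecurityException on a tampered entry
            new JarFile(artifact.file, true).withCloseable { jar ->
                jar.entries().each { entry ->
                    if (entry.directory || isSignatureRelated(entry.name)) {
                        return
                    }
                    // code signers are only populated once the entry has been read to the end
                    jar.getInputStream(entry).withCloseable { it.readAllBytes() }
                    def signers = entry.codeSigners
                    if (!signers) {
                        throw new GradleException("${artifact.file.name}: entry ${entry.name} is not signed")
                    }
                    signers.each { signer ->
                        def leaf = signer.signerCertPath.certificates[0] as X509Certificate
                        def cn = commonName(leaf)
                        if (cn != expectedCn) {
                            throw new GradleException("${artifact.file.name}: signed by '${cn}', expected '${expectedCn}'")
                        }
                        validateChain(signer, anchors)
                    }
                }
            }
            logger.lifecycle("verified ${artifact.file.name}: signed by '${expectedCn}'")
        }
    }
}

// Run the check before anything compiles against the dependencies.
tasks.named('compileJava') { dependsOn 'verifyJarSigners' }
```

Run it with `./gradlew verifyJarSigners`; it needs network access for the OCSP and CRL fetches. Three caveats a practitioner should keep in mind: a JAR in which only some entries are signed is rejected on purpose, since partially signed archives are the classic way unsigned code rides along a trusted signature; the JDK treats entries signed with algorithms listed in `jdk.jar.disabledAlgorithms` as unsigned, so old artifacts can fail as "not signed" rather than with an algorithm error; and matching on CN alone is weaker than pinning the signing certificate or its public-key fingerprint, because a CN is only unique within the issuing CA's namespace, which is one reason key-based verification such as Gradle's PGP metadata is easier to make strict.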