Jar Validation via hashes or signatures

msgilligan · October 15, 2015, 5:46pm

I’d like to be be able to validate the entire Gradle toolchain as well as my dependent jars when I build a project.

Assumptions: Clean OS and Java install.

Components that need to be validated:

Gradle wrapper scripts
Gradle wrapper JAR
Gradle distribution – can be validated via the distributionSha256Sum property.
Gradle plugins
Project dependencies – can be validated via the Gradle Witness plugin – though this is difficult to use without “trusting on first use”.

Did I miss any components that should be validated? Are there any tools or techniques besides the ones I’ve mentioned?

Note there is open issue for the Gradle Witness plugin that addresses #4.

Topic		Replies	Views
Does gradle have an option to automatically validate downloaded artifacts via checksum? Help/Discuss	2	638	March 5, 2019
JAR signature verification Help/Discuss	0	440	November 23, 2020
Is it possible to use gradle-witness with gradle wrapper? Help/Discuss plugins	0	663	April 12, 2017
Gradle-wrapper should verify integrity of the downloaded distribution Old Forum Archive	3	2761	September 18, 2017
PGP Verify Plugin: How to verify dependency signatures? Help/Discuss plugins	7	4530	August 25, 2021