I’d like to be able to validate the entire Gradle toolchain as well as my dependent jars when I build a project.
Assumptions: Clean OS and Java install.
Components that need to be validated:
1. Gradle wrapper scripts
2. Gradle wrapper JAR
3. Gradle distribution – can be validated via the distributionSha256Sum property.
4. Gradle plugins
5. Project dependencies – can be validated via the Gradle Witness plugin – though this is difficult to use without “trusting on first use”.
Did I miss any components that should be validated? Are there any tools or techniques besides the ones I’ve mentioned?
Note there is an open issue for the Gradle Witness plugin that addresses #4.
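As an added example (not from the original post or from Gradle itself), this script covers the wrapper JAR and distribution items in the list above: it checks that `distributionSha256Sum` is set and the download is over HTTPS, and compares the wrapper JAR's SHA-256 with the value Gradle publishes per version. It assumes the standard `gradle/wrapper/` layout and that the expected hash is fetched separately from the `gradle-<version>-wrapper.jar.sha256` file on services.gradle.org.

```python
import hashlib
import re
import sys
from pathlib import Path

# Gradle publishes gradle-<version>-wrapper.jar.sha256 next to each
# distribution (assumption: the documented services.gradle.org location).
GRADLE_DIST_BASE = "https://services.gradle.org/distributions/"

def parse_wrapper_properties(text):
    """Parse gradle-wrapper.properties; the file escapes ':' as '\\:'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def gradle_version_from_url(distribution_url):
    """'.../gradle-6.8.3-bin.zip' -> '6.8.3' (also '-all' and rc builds)."""
    m = re.search(r"gradle-(.+?)-(?:bin|all)\.zip$", distribution_url)
    if not m:
        raise ValueError("unrecognised distributionUrl: " + distribution_url)
    return m.group(1)

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_wrapper(properties_text, wrapper_jar_bytes, expected_jar_sha256):
    """Return a dict of findings; True means that check passed."""
    props = parse_wrapper_properties(properties_text)
    url = props.get("distributionUrl", "")
    pin = props.get("distributionSha256Sum", "").lower()
    version = gradle_version_from_url(url)
    return {
        # distribution must be pinned by hash and fetched over TLS
        "distribution_pinned": re.fullmatch(r"[0-9a-f]{64}", pin) is not None,
        "distribution_https": url.startswith("https://"),
        # wrapper JAR hash compared with the value published for this version
        "wrapper_jar_matches": sha256_hex(wrapper_jar_bytes) == expected_jar_sha256.lower(),
        "checksum_url": f"{GRADLE_DIST_BASE}gradle-{version}-wrapper.jar.sha256",
    }

if __name__ == "__main__":  # usage: python check_wrapper.py <expected-wrapper-jar-sha256>
    w = Path("gradle/wrapper")
    expected = sys.argv[1] if len(sys.argv) > 1 else "<paste hash from checksum_url>"
    print(check_wrapper(w.joinpath("gradle-wrapper.properties").read_text(),
                        w.joinpath("gradle-wrapper.jar").read_bytes(), expected))
```

Fetch the expected hash from the `checksum_url` the script reports on a trusted machine rather than from the same network path as the JAR, so a swapped wrapper cannot bring its own checksum.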