Jar Validation via hashes or signatures

I’d like to be able to validate the entire Gradle toolchain as well as my dependent jars when I build a project.

Assumptions: Clean OS and Java install.

Components that need to be validated:

  1. Gradle wrapper scripts
  2. Gradle wrapper JAR
  3. Gradle distribution – can be validated via the distributionSha256Sum property.
  4. Gradle plugins
  5. Project dependencies – can be validated via the Gradle Witness plugin – though this is difficult to use without “trusting on first use”.

Did I miss any components that should be validated? Are there any tools or techniques besides the ones I’ve mentioned?

Note there is an open issue for the Gradle Witness plugin that addresses #4.
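As an added illustration of items 2 and 3 above (example script, not part of the original post or of Gradle itself): a small POSIX shell check that compares the wrapper JAR against a pinned SHA-256 and confirms that gradle-wrapper.properties actually sets distributionSha256Sum. The expected hash must come from a source you already trust; the one used in the demo is computed from a constructed file, not a real wrapper JAR.

```shell
#!/usr/bin/env sh
# Added example: verify the checked-in Gradle wrapper JAR against a pinned
# SHA-256 and confirm the distribution hash is pinned in the properties file.
# Assumptions: sha256sum (or shasum) is installed; the expected digest is
# supplied by the caller from a trusted source, never read from the repo.

sha256_of() {
  # Print the SHA-256 hex digest of the file given in $1.
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_wrapper_jar <path-to-gradle-wrapper.jar> <expected-sha256>
# Returns 0 on match, 1 on mismatch or missing file (fail closed).
verify_wrapper_jar() {
  jar="$1"; expected="$2"
  [ -f "$jar" ] || { echo "missing: $jar" >&2; return 1; }
  actual=$(sha256_of "$jar")
  if [ "$actual" = "$expected" ]; then
    echo "OK   $jar"
    return 0
  fi
  echo "FAIL $jar: expected $expected, got $actual" >&2
  return 1
}

# properties_pins_distribution <path-to-gradle-wrapper.properties>
# Returns 0 only if distributionSha256Sum is set to a 64-hex-char value.
properties_pins_distribution() {
  grep -Eq '^distributionSha256Sum=[0-9a-fA-F]{64}$' "$1"
}

# Stand-alone demo on constructed files (not a real wrapper JAR).
demo() {
  tmp=$(mktemp -d)
  printf 'constructed jar bytes\n' > "$tmp/gradle-wrapper.jar"
  known=$(sha256_of "$tmp/gradle-wrapper.jar")   # stands in for a trusted pin
  verify_wrapper_jar "$tmp/gradle-wrapper.jar" "$known"
  printf 'distributionSha256Sum=%s\n' "$known" > "$tmp/gradle-wrapper.properties"
  properties_pins_distribution "$tmp/gradle-wrapper.properties" \
    && echo "OK   distributionSha256Sum is pinned"
  rm -rf "$tmp"
}

demo
```

In a real build, run the JAR check before invoking gradlew, so a modified wrapper is never executed to obtain the hash it would then report on itself.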