Publish SHA Checksum for gradle distributions


(Oliver Becker) #1

The gradle wrapper allows the configuration of a SHA-256 hash for verifying an automatically downloaded gradle distribution.
See https://docs.gradle.org/current/userguide/gradle_wrapper.html#sec:verification

However, this hash apparently has to be computed by the user. So if I download an already infected distribution and compute the hash myself, the security checksum would be useless.

I wonder why you don’t publish checksums for your distributions on your releases page: https://gradle.org/releases

Thanks, Oliver


(Pepper Lebeck-Jobe) #2

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.
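
An added example, not part of the original posts and not Gradle's own code: a check that the `distributionSha256Sum` pinned in `gradle-wrapper.properties` and the downloaded file both agree with a checksum obtained separately from the publisher, which is the gap the first post describes. The function names, the sample bytes and the `example.invalid` URL are constructed for illustration; `distributionUrl` and `distributionSha256Sum` are the wrapper's property names.

```python
import hashlib
import re

def parse_wrapper_properties(text):
    """Parse gradle-wrapper.properties text into a dict, undoing the backslash-colon escape."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def check_distribution(props_text, published_sha256, dist_bytes):
    """Return a list of problems; an empty list means all three values agree."""
    problems = []
    pinned = parse_wrapper_properties(props_text).get("distributionSha256Sum", "").lower()
    published = published_sha256.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{64}", published):
        problems.append("published checksum is not a SHA-256 hex digest")
    if not pinned:
        problems.append("distributionSha256Sum is not set")
    elif pinned != published:
        problems.append("pinned checksum differs from the published checksum")
    if sha256_hex(dist_bytes) != published:
        problems.append("downloaded file does not match the published checksum")
    return problems

# Constructed sample data: stand-ins for a distribution zip and a modified copy of it.
GOOD = b"constructed stand-in for a gradle distribution zip"
TAMPERED = GOOD + b" (modified in transit)"
PUBLISHED = sha256_hex(GOOD)  # stands in for the value taken from the releases page

def self_pinned_properties(dist_bytes):
    """Wrapper properties as written by a user who hashed their own download."""
    return ("distributionUrl=https\\://example.invalid/gradle-bin.zip\n"
            "distributionSha256Sum=" + sha256_hex(dist_bytes) + "\n")

if __name__ == "__main__":
    for name, data in (("clean", GOOD), ("modified", TAMPERED)):
        print(name, check_distribution(self_pinned_properties(data), PUBLISHED, data))
```

A hash computed from a modified download verifies that same download every time; only the comparison against the independently published value flags it.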