Publish SHA Checksum for gradle distributions

The gradle wrapper allows the configuration of a SHA-256 hash for verifying an automatically downloaded gradle distribution.
See https://docs.gradle.org/current/userguide/gradle_wrapper.html#sec:verification

However, this hash apparently has to be computed by the user. So if I download an already infected distribution and compute the hash myself, the security checksum would be useless.

I wonder, why you don’t publish checksums for your distributions on your releases page https://gradle.org/releases

Thanks, Oliver

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.

• https://gradle.org/install
• https://gradle.org/releases
• https://gradle.org/release-candidate
• https://gradle.org/nightly
• https://services.gradle.org/distributions
• https://services.gradle.org/distributions-snapshots