Where are the Machine Readable Release Checksums?

rchapin · November 9, 2022, 2:31pm

I want to automate the downloading, validation, and installation of a gradle release.

I found that I can get a release here: https://downloads.gradle-dn.com/distributions/gradle-.bin.zip

However, the only place that I have found the checksums for the releases is here: Gradle | Gradle distribution and wrapper JAR checksum reference.

I don’t want to have to parse through the HTML to get the checksum for a given release.

Is there some URL from which I can get a machine readable version of this information?

Thanks,
Ryan

Chris_Dore · November 9, 2022, 11:28pm

The *.sha256 files are available in the same location you are downloading the zips.

https://services.gradle.org/distributions/

Chris_Dore · November 9, 2022, 11:33pm

Of course, if someone manages to man-in-the-middle attack the zip download then they are probably also modifying the sha256 download. So you are loosing that protection when automatically updating to a new release.

Vampire · November 14, 2022, 12:58pm

The machine readable directory with the download urls for the distributions and checksums is at Gradle Version Information. There you can get JSONs for the different release channels or all together.