Where are the Machine Readable Release Checksums?

rchapin · November 9, 2022, 2:31pm

I want to automate the downloading, validation, and installation of a gradle release.

I found that I can get a release here: https://downloads.gradle-dn.com/distributions/gradle-.bin.zip

However, the only place that I have found the checksums for the releases is here: Gradle | Gradle distribution and wrapper JAR checksum reference.

I don’t want to have to parse through the HTML to get the checksum for a given release.

Is there some URL from which I can get a machine readable version of this information?

Thanks,
Ryan

Chris_Dore · November 9, 2022, 11:28pm

The *.sha256 files are available in the same location you are downloading the zips.

https://services.gradle.org/distributions/

Chris_Dore · November 9, 2022, 11:33pm

Of course, if someone manages to man-in-the-middle attack the zip download then they are probably also modifying the sha256 download. So you are loosing that protection when automatically updating to a new release.

Vampire · November 14, 2022, 12:58pm

The machine readable directory with the download urls for the distributions and checksums is at Gradle Version Information. There you can get JSONs for the different release channels or all together.

Topic		Replies	Views
Where can I find distribution checksums Help/Discuss	7	3303	May 15, 2020
Supply checksum when downloading gradle Help/Discuss	1	1005	September 18, 2017
Safety of Gradle distributions? Help/Discuss	6	1515	September 18, 2017
Publish SHA Checksum for gradle distributions Help/Discuss	1	2086	September 18, 2017
Does gradle have an option to automatically validate downloaded artifacts via checksum? Help/Discuss	2	638	March 5, 2019

Where are the Machine Readable Release Checksums?

Related Topics