Where can I find distribution checksums


(Siarhei) #1

I’m building a Chef script to automate my developer’s environment setup. One of the recipes downloads Gradle from http://services.gradle.org/distributions/. I want to be sure that download was correct and check ZIP’s checksum, but I cannot find any checksums for latest versions published. How can I check integrity?


PGP Verify Plugin: How to verify dependency signatures?
Safety of Gradle distributions?
(Sterling Greene) #2

@luke_daley do we keep these anywhere?


(Luke Daley) #3

@sterling Not currently.


(RAVI KUMAR PASUMARTHY) #4

We need to have open pgp ascii armoured signed detached signature files along with sha256 or sha 512 files. I cannot find checksum files for the latest distributions - v2.9. It is very important to have these checksum and signature files. In certain environments like governments and banks we are supposed to run these checks before executing any further commands. Not having these is no-go. I cannot generate these, and these should be coming from the gradle release engineering team and published on distribution page along side of the main binaries.


(David Kowis) #5

It’d be really nice to have these. Been over a year without any activity. Perhaps we could get this?


(Pepper Lebeck-Jobe) #6

We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.