I’m building a Chef script to automate my developer’s environment setup. One of the recipes downloads Gradle from http://services.gradle.org/distributions/
. I want to be sure that download was correct and check ZIP’s checksum, but I cannot find any checksums for latest versions published. How can I check integrity?
@luke_daley do we keep these anywhere?
@sterling Not currently.
We need to have open pgp ascii armoured signed detached signature files along with sha256 or sha 512 files. I cannot find checksum files for the latest distributions - v2.9. It is very important to have these checksum and signature files. In certain environments like governments and banks we are supposed to run these checks before executing any further commands. Not having these is no-go. I cannot generate these, and these should be coming from the gradle release engineering team and published on distribution page along side of the main binaries.
It’d be really nice to have these. Been over a year without any activity. Perhaps we could get this?
We now publish sha256 checksums with every release. We’ve also backfilled the data for older releases.
All checksums are available at https://gradle.org/release-checksums/
Great. Having that in place, maybe it would be easier to implement some further improvements