Dominik Schuermann
2015-04-30 11:04:35 UTC
Hey,
posting this here, because it may be relevant for these projects.
At OpenKeychain we are using Gradle Witness [0] to verify the dependencies
from Maven.
I noticed that there is still a dependency that is not verified: The
gradle distribution itself. It is downloaded via a gradle wrapper that
is part of the repositories (normally at gradle/wrapper/gradle-wrapper.jar).
I now implemented SHA-256 sum verification for it in my fork [1] and did
a pull request [2] to the main gradle repo. Maybe you guys are already
interested in using it before it is merged. It is also a good
opportunity to build the gradle-wrapper.jar yourself from source...
1. Get source from https://github.com/sufficientlysecure/gradle
2. Build it and get wrapper from
subprojects/wrapper/build/libs/gradle-wrapper.jar
3. Use it like
https://github.com/open-keychain/open-keychain/commit/41968206d3deed789dd5b35468a8d8487755234c
Regards
Dominik
[0] https://github.com/WhisperSystems/gradle-witness
[1] https://github.com/sufficientlysecure/gradle
[2] https://github.com/gradle/gradle/pull/448
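
Added example, not part of the message above and not code from the fork or from Gradle: a stand-alone check, usable in CI before the wrapper runs, that compares a downloaded distribution archive against a SHA-256 pin in gradle-wrapper.properties and fails closed when no pin is present. The key name distributionSha256Sum is the one upstream Gradle uses and is assumed here, since the message does not name it; the properties text, URL and archive bytes are constructed samples.

```python
import hashlib
import hmac
import os
import tempfile

def parse_properties(text):
    """Minimal parser for the key=value lines of gradle-wrapper.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")  # undo '\:' escape
    return props

def sha256_file(path, chunk=1 << 16):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_distribution(props_text, archive_path):
    """True only if a well-formed pin is present and matches the archive."""
    # Assumption: key name as in upstream Gradle; the message does not name it.
    pinned = parse_properties(props_text).get("distributionSha256Sum", "").lower()
    if len(pinned) != 64 or any(c not in "0123456789abcdef" for c in pinned):
        return False  # missing or malformed pin: fail closed
    return hmac.compare_digest(pinned, sha256_file(archive_path))

def demo():
    payload = b"constructed stand-in for gradle-x.y-all.zip"  # not a real distribution
    props = ("#constructed sample\n"
             "distributionUrl=https\\://example.invalid/gradle-x.y-all.zip\n"
             "distributionSha256Sum=%s\n" % hashlib.sha256(payload).hexdigest())
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "dist.zip")
        with open(path, "wb") as fh:
            fh.write(payload)
        ok = verify_distribution(props, path)
        with open(path, "ab") as fh:
            fh.write(b"tampered")  # simulate a modified download
        tampered = verify_distribution(props, path)
        unpinned = verify_distribution("distributionUrl=https\\://example.invalid/x.zip\n", path)
    return ok, tampered, unpinned

if __name__ == "__main__":
    print(demo())
```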