Hey, posting this here, because it may be relevant for these projects.
At Openkeychain we are using Gradle Witness [0] to verify the dependencies from Maven. I noticed that there is still a dependency that is not verified: the gradle distribution itself. It is downloaded via a gradle wrapper that is part of the repositories (normally at gradle/wrapper/gradle-wrapper.jar). I now implemented SHA-256 sum verification for it in my fork [1] and did a pull request [2] to the main gradle repo. Maybe you guys are already interested in using it before it is merged. It is also a good opportunity to build the gradle-wrapper.jar yourself from source...

1. Get source from https://github.com/sufficientlysecure/gradle
2. Build it and get wrapper from subprojects/wrapper/build/libs/gradle-wrapper.jar
3. Use it like https://github.com/open-keychain/open-keychain/commit/41968206d3deed789dd5b35468a8d8487755234c

Regards
Dominik

[0] https://github.com/WhisperSystems/gradle-witness
[1] https://github.com/sufficientlysecure/gradle
[2] https://github.com/gradle/gradle/pull/448
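As an added illustration (not the code from the pull request above), this Python stand-in shows the check a wrapper has to make: read the pinned SHA-256 from gradle-wrapper.properties and refuse the downloaded distribution unless the digest matches, treating a missing pin as an error rather than skipping the check. The property name distributionSha256Sum, the sample properties file and the stand-in archive bytes are constructed for this example.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a downloaded gradle-*-bin.zip (not a real archive).
SAMPLE_DIST = b"constructed stand-in for gradle-2.2.1-bin.zip"

# Constructed gradle-wrapper.properties. Java .properties syntax escapes ':' in
# values, hence "https\:". The key name distributionSha256Sum is an assumption;
# the post names no property.
SAMPLE_PROPERTIES = (
    "distributionBase=GRADLE_USER_HOME\n"
    "distributionPath=wrapper/dists\n"
    "distributionUrl=https\\://services.gradle.org/distributions/gradle-2.2.1-bin.zip\n"
    f"distributionSha256Sum={hashlib.sha256(SAMPLE_DIST).hexdigest()}\n"
)


def parse_wrapper_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments,
    and the backslash escapes the wrapper uses for ':' and '='."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip().replace("\\:", ":").replace("\\=", "=")
    return props


def verify_distribution(props, data):
    """Return True only if sha256(data) matches the pinned sum.

    A missing or malformed pin raises instead of passing: an unpinned
    distribution is exactly the unverified dependency the post describes."""
    expected = props.get("distributionSha256Sum", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", expected):
        raise ValueError("distributionSha256Sum missing or not a SHA-256 hex digest")
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    props = parse_wrapper_properties(SAMPLE_PROPERTIES)
    print("url:", props["distributionUrl"])
    print("genuine:", verify_distribution(props, SAMPLE_DIST))
    print("tampered:", verify_distribution(props, SAMPLE_DIST + b"x"))
```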
