The recent supply-chain attacks in the news are making me nervous! 😟

The Gradle 6.3 distribution is the only software on my OpenJFX build system 
that doesn't come from an Ubuntu package or a GitHub repository. Ubuntu uses 
digital signatures to authenticate each package, and Git uses a secure hash 
algorithm to ensure the integrity of each file, but there is no such check of 
the Gradle distribution before running it. During my OpenJFX builds, Gradle is 
downloaded from a Cloudflare server through an HTTPS proxy server, and there's 
no guarantee that it's the same file as the one published by the Gradle 
developers.

This pull request adds the additional step of verifying the Gradle 
distribution on the build system before extracting its archive and running it.

We might also consider adding the [Gradle Wrapper 
Validation](https://github.com/marketplace/actions/gradle-wrapper-validation) 
GitHub Action to the OpenJFX repository.

-------------

Commit messages:
 - Configure Gradle checksum verification

Changes: https://git.openjdk.java.net/jfx/pull/411/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jfx&pr=411&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8262236
  Stats: 1 line in 1 file changed: 1 ins; 0 del; 0 mod
  Patch: https://git.openjdk.java.net/jfx/pull/411.diff
  Fetch: git fetch https://git.openjdk.java.net/jfx pull/411/head:pull/411

PR: https://git.openjdk.java.net/jfx/pull/411
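The check the pull request turns on is the Gradle Wrapper's `distributionSha256Sum` property in `gradle/wrapper/gradle-wrapper.properties`: the wrapper hashes the downloaded archive and refuses to unpack it when the digest differs from the recorded value (the expected digests are published at https://gradle.org/release-checksums/). The script below is an added example, not code from the PR or the OpenJFX repository, that reproduces the same verify-before-extract step in POSIX shell for an archive fetched by hand, reading the expected digest from the same properties file. It assumes `sha256sum` or `shasum` is on the PATH; the file names in the usage section are made up for illustration.

```shell
#!/bin/sh
# Added example (not part of the OpenJFX PR): verify a downloaded Gradle
# distribution archive against the distributionSha256Sum recorded in
# gradle/wrapper/gradle-wrapper.properties before extracting it.
# Assumes a POSIX shell with sha256sum or shasum available.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# expected_sum PROPERTIES -> prints the distributionSha256Sum value
# (normalised to lowercase, CRLF stripped), or nothing if it is absent
expected_sum() {
    sed -n 's/^distributionSha256Sum=[[:space:]]*//p' "$1" | tr -d '\r' | tr 'A-F' 'a-f'
}

# verify_distribution ARCHIVE PROPERTIES
# Returns 0 only when the digest of ARCHIVE equals the recorded value.
# Returns 2 when the properties file records no digest at all: a missing
# pin must fail closed, otherwise an attacker who can edit the properties
# file simply deletes the line.
verify_distribution() {
    archive=$1
    props=$2
    want=$(expected_sum "$props")
    if [ -z "$want" ]; then
        echo "refusing to continue: no distributionSha256Sum in $props" >&2
        return 2
    fi
    got=$(sha256_of "$archive")
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $archive" >&2
        echo "  expected: $want" >&2
        echo "  actual:   $got" >&2
        return 1
    fi
    return 0
}

# Usage (hypothetical paths): only unpack once the digest matches.
#   verify_distribution gradle-6.3-bin.zip gradle/wrapper/gradle-wrapper.properties \
#       && unzip -q gradle-6.3-bin.zip
```

The digest comparison is the whole control: it does nothing about where the archive came from, so the value written into the properties file must itself be taken from the Gradle release checksums page and committed to the repository, not copied from the server that served the download.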
