Enable dependency signature verification

[liutikas]

Ensure that all the dependencies used are signed with expected keys.

Followed https://developer.android.com/build/dependency-verification

Test: ./gradlew build --dry-run
Fixes #175

[gemini-code-assist]

Summary of Changes

Hello @liutikas, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's supply chain security by implementing Gradle's dependency verification. It ensures that all third-party libraries are either signed by trusted PGP keys or have their integrity validated through recorded SHA256 checksums, thereby mitigating risks associated with compromised dependencies. This change establishes a robust mechanism for verifying the provenance and integrity of external code.

Highlights

• Dependency Signature Verification Enabled: Gradle's dependency signature verification has been activated to ensure the authenticity of all project dependencies.
• Trusted Keys Configuration: A comprehensive list of trusted PGP keys has been added, mapping them to specific dependency groups to validate their origin.
• SHA256 Checksums for Unsigned Artifacts: For dependencies that are not signed, explicit SHA256 checksums are now recorded in the verification metadata to guarantee their integrity.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a great step towards improving the project's supply chain security by enabling Gradle's dependency verification. The configuration correctly disables remote key servers and pins checksums for unsigned artifacts. I've found a few areas for improvement:

• There are some highly suspicious entries for Guava dependencies that need to be investigated as they could indicate a serious security risk.
• The trust granted to some PGP keys is overly broad, which could be tightened to improve security.
• A minor cleanup for the key server configuration.

Please see my detailed comments.