@ppkarwasz
Description

This PR replaces Solr’s custom dependency verification with Gradle’s built-in Verification Metadata, as proposed in SOLR-17657.

Gradle’s mechanism provides a standardized and well-maintained way to verify dependencies before they are used, including all runtime and plugin artifacts.

Benefits:

  • Managed and updated by Gradle itself
  • Enforces verification prior to dependency usage
  • Covers all artifacts, including Gradle plugins and their transitive dependencies

Approach

This change builds on Solr’s existing verified checksums stored in solr/licenses, ensuring a safe transition without discarding previously verified data.

Additional checksums (for POMs, Gradle module files, plugins, and their dependencies) were generated using Gradle’s bootstrap procedure:

./gradlew --write-verification-metadata sha256

This follows the Trust On First Use (TOFU) model, and the generated entries are explicitly marked as “Generated by Gradle”.

Warning

This PR is a work in progress, focused on achieving parity with Solr’s current checksum verification.

Feedback is welcome on how to handle future dependency upgrades securely. One possible next step is adding PGP signature verification using TOFU-based keys that can later be replaced with verified fingerprints.

While this wouldn’t prove artifact provenance, it would detect key changes and fail the build for manual review.

How to Review

Because this PR moves hundreds of checksum entries, manual line-by-line review isn’t practical. Copilot might actually be useful here.

For a manual review, here’s a recommended verification process:

Step 1: Verify SHA-1 checksum migration

A helper script generate-verification-metadata.sh is included. It reproduces the migration from Solr’s legacy SHA-1 data to Gradle’s verification format.

You can verify that the migration output matches what’s committed:

# Fetch and checkout PR
git fetch git@github.com:vex-generation-toolset/solr.git feat/gradle-verification-metadata

# Checkout migration commit
git checkout 039d1eadfcf50b4fd82a59f723b4a6d39c0af767

# Review and run the migration script
./generate-verification-metadata.sh

# Backup generated metadata
mv gradle/verification-metadata.xml{,.bak}

# Checkout the next commit
git reset --hard
git checkout cfddb94df111bd91ae67ad5ccbc7288672d48022

# Compare your generated metadata with the committed version
diff gradle/verification-metadata.xml{,.bak}

If the files match, the migration is confirmed.

Step 2: Review SHA-256 generation

Commit 1f255ae adds SHA-256 checksums for artifacts not previously verified.

Because the migration script preserved line order consistent with Gradle’s --write-verification-metadata output, this commit only adds new entries; it does not modify or remove existing ones.

Step 3: Build verification

To confirm that dependency verification works end-to-end:

./gradlew check

This ensures the build succeeds with the new verification metadata enabled.

Checklist

Please review the following and check all that apply:

  • I have reviewed the guidelines for How to Contribute and my code conforms to the standards described there to the best of my ability.
  • I have created a Jira issue and added the issue ID to my pull request title.
  • I have given Solr maintainers access to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
  • I have developed this patch against the main branch.
  • I have run ./gradlew check.
  • I have added tests for my changes.
  • I have added documentation for the Reference Guide
  • I have added a changelog entry for my change

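The review steps above hinge on two checks that are tedious by hand: that a later commit only adds verification entries (never modifies or removes the migrated SHA-1 ones), and that entries written by Gradle's TOFU bootstrap are visibly separable from checksums that were actually verified. The script below is an added example written for this page; it is not the PR's generate-verification-metadata.sh nor anything shipped by Solr or Gradle. It assumes only Gradle's documented verification-metadata.xml layout (the https://schema.gradle.org/dependency-verification namespace, component/artifact elements whose sha1/sha256 children carry value= and origin= attributes). The two embedded XML documents, the coordinates in them, and the "solr/licenses" origin string are constructed sample data.

```python
"""Review helper for Gradle dependency-verification metadata.

Added example, not part of the Solr PR or of Gradle itself. It assumes the
documented verification-metadata.xml layout; the sample XML below is
constructed for the demo (org.example coordinates, made-up origin strings).
"""
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
TOFU_ORIGIN = "Generated by Gradle"  # the marker Gradle writes for bootstrapped entries

# Constructed "before" file: one jar whose SHA-1 was migrated from solr/licenses.
OLD_XML = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.example" name="lib-a" version="1.0">
      <artifact name="lib-a-1.0.jar">
        <sha1 value="da39a3ee5e6b4b0d3255bfef95601890afd80709" origin="solr/licenses"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""

# Constructed "after" file: the migrated entry is untouched; a POM and a second
# component gained SHA-256 sums via `--write-verification-metadata sha256` (TOFU).
NEW_XML = OLD_XML.replace(
    "      </artifact>\n    </component>\n",
    "      </artifact>\n"
    "      <artifact name=\"lib-a-1.0.pom\">\n"
    "        <sha256 value=\"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\""
    " origin=\"Generated by Gradle\"/>\n"
    "      </artifact>\n"
    "    </component>\n"
    "    <component group=\"org.example\" name=\"lib-b\" version=\"2.0\">\n"
    "      <artifact name=\"lib-b-2.0.jar\">\n"
    "        <sha256 value=\"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824\""
    " origin=\"Generated by Gradle\"/>\n"
    "      </artifact>\n"
    "    </component>\n",
)


def load_checksums(xml_text):
    """Map (group, name, version, artifact) -> {algo: (value, origin)}."""
    root = ET.fromstring(xml_text)
    out = {}
    for comp in root.iterfind("v:components/v:component", NS):
        coord = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.iterfind("v:artifact", NS):
            sums = {}
            for child in art:
                algo = child.tag.split("}", 1)[1]  # strip the namespace prefix
                sums[algo] = (child.get("value"), child.get("origin", ""))
            out[coord + (art.get("name"),)] = sums
    return out


def tofu_artifacts(checksums):
    """Artifacts whose trust rests on a first-use checksum written by Gradle."""
    return sorted(k for k, s in checksums.items()
                  if any(o == TOFU_ORIGIN for _, o in s.values()))


def weak_artifacts(checksums):
    """Artifacts protected only by SHA-1/MD5 (collision-prone; prefer sha256/sha512)."""
    return sorted(k for k, s in checksums.items() if set(s) <= {"sha1", "md5"})


def diff_metadata(old, new):
    """Return (added, removed, changed) artifact keys between two loaded files.

    'changed' means an algorithm present in old is missing or has a different
    value in new, i.e. a previously verified checksum was altered.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(k for k in set(old) & set(new)
                     if any(a not in new[k] or new[k][a][0] != v
                            for a, (v, _) in old[k].items()))
    return added, removed, changed


def summarize(old_xml, new_xml):
    """One-shot review: what the new file adds, and what still needs eyeballing."""
    old, new = load_checksums(old_xml), load_checksums(new_xml)
    added, removed, changed = diff_metadata(old, new)
    return {"added": added, "removed": removed, "changed": changed,
            "tofu": tofu_artifacts(new), "sha1_only": weak_artifacts(new)}


if __name__ == "__main__":
    for section, rows in summarize(OLD_XML, NEW_XML).items():
        print(f"{section}: {len(rows)}")
        for g, n, v, a in rows:
            print(f"  {g}:{n}:{v} {a}")
```

Run it against the two committed files (read them in place of OLD_XML and NEW_XML): an empty "removed" and "changed" list is the machine-checkable form of the Step 2 claim, while the "tofu" list is exactly the set of artifacts whose checksums nobody has independently verified yet and which a later PGP or fingerprint step would need to cover.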
This change adds a `generate-verification-metadata.sh`, to generate a `gradle/verification-metadata.xml` file based on the current checksums stored in `solr/licenses`.
github-actions bot added the labels dependencies, Dependency upgrades, tool:build on Nov 2, 2025