apache · ppkarwasz · Nov 1, 2025 · Nov 2, 2025 · Nov 1, 2025 · Nov 1, 2025
diff --git a/changelog/unreleased/SOLR-17657-gradle-verification-metadata.yml b/changelog/unreleased/SOLR-17657-gradle-verification-metadata.yml
@@ -0,0 +1,11 @@
+title: Replace custom checksum verification with Gradle Verification Metadata
+type: changed
+authors:
+- name: Piotr P. Karwasz
+  nick: ppkarwasz
+  url: https://people.apache.org/phonebook.html?uid=pkarwasz
+merge-requests:
+- id: 3828
+links:
+- name: SOLR-17657
+  url: https://issues.apache.org/jira/browse/SOLR-17657
diff --git a/checksums.txt b/checksums.txt
diff --git a/generate-verification-metadata.sh b/generate-verification-metadata.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Open the output file as file descriptor 3
+exec 3> gradle/verification-metadata.xml
+
+# Write the XML header
+cat >&3 <<EOL
+<?xml version="1.0" encoding="UTF-8"?>
+<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
+  <configuration>
+    <verify-metadata>true</verify-metadata>
+    <verify-signatures>false</verify-signatures>
+  </configuration>
+  <components>
+EOL
+
+# Loop through the GAVF entries and write each component
+old_gav=""
+while IFS=: read -r g a v f || [[ -n $g ]]; do
+  sha1=$(< "solr/licenses/$f.sha1")
+  rm -f "solr/licenses/$f.sha1"
+
+  # New component
+  if [ "$g:$a:$v" != "$old_gav" ]; then
+    # Close the previous component if it exists
+    if [ -n "$old_gav" ]; then
+      echo "    </component>"                                           >&3
+    fi
+    echo "    <component group=\"$g\" name=\"$a\" version=\"$v\">"      >&3
+  fi
+  echo "      <artifact name=\"$f\">"                                   >&3
+  echo "        <sha1 value=\"$sha1\" origin=\"solr/license folder\"/>" >&3
+  echo "      </artifact>"                                              >&3
+  old_gav="$g:$a:$v"
+done < checksums.txt
+
+# Write the XML footer
+cat >&3 <<EOL
+    </component>
+  </components>
+</verification-metadata>
+EOL
diff --git a/gradle/validation/jar-checks.gradle b/gradle/validation/jar-checks.gradle
@@ -174,44 +174,6 @@ subprojects {
     }
   }
 
-  // Verifies that each JAR has a corresponding checksum and that it matches actual JAR available for this dependency.
-  task validateJarChecksums() {
-    group = 'Dependency validation'
-    description = "Validate checksums of dependencies"
-    dependsOn collectJarInfos
-
-    doLast {
-      def errors = []
-      jarInfos.each { dep ->
-        def expectedChecksumFile = file("${licensesDir}/${dep.jarName}.sha1")
-        def forceLuceneVersion = project.properties['lucene.dev.version']
-        if (dep.module.id.group == 'org.apache.lucene' && forceLuceneVersion != null && forceLuceneVersion.endsWith('-SNAPSHOT')) {
-          logger.log(LogLevel.INFO, "Skipping jar checksum validation for local SNAPSHOT dependency ('${dep.module}')")
-        } else if (!expectedChecksumFile.exists()) {
-          errors << "Dependency checksum missing ('${dep.module}'), expected it at: ${expectedChecksumFile}"
-        } else {
-          dep.referencedFiles += expectedChecksumFile
-          def expected = expectedChecksumFile.getText("UTF-8").trim()
-          def actual = dep.checksum.get()
-          if (expected.compareToIgnoreCase(actual) != 0) {
-            errors << "Dependency checksum mismatch ('${dep.module}'), expected it to be: ${expected}, but was: ${actual}"
-          } else {
-            logger.log(LogLevel.INFO, "Dependency checksum OK ('${dep.module}')")
-          }
-        }
-      }
-
-      if (errors) {
-        def msg = "Dependency checksum validation failed:\n  - " + errors.join("\n  - ") + "\n\nThese missing checksums can be generated using:\n  ./gradlew updateLicenses"
-        if (failOnError) {
-          throw new GradleException(msg)
-        } else {
-          logger.log(LogLevel.WARN, "WARNING: ${msg}")
-        }
-      }
-    }
-  }
-
   // Locate the set of license file candidates for this dependency. We
   // search for [jar-or-prefix]-LICENSE-[type].txt
   // where 'jar-or-prefix' can be any '-'-delimited prefix of the dependency JAR's name.
@@ -279,7 +241,7 @@ subprojects {
     }
   }
 
-  licenses.dependsOn validateJarChecksums, validateJarLicenses
+  licenses.dependsOn validateJarLicenses
 }
 
 // Add top-project level tasks validating dangling files