
Add checksum-dependency-plugin for verification of plugin/dependency checksums #4256

Closed
wants to merge 1 commit into from

Conversation


@vlsi vlsi commented Sep 10, 2019

checksum-dependency-plugin is a superset of gradle-witness, and it enables increasing the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin
See https://medium.com/@vladimirsitniko/dependency-verification-checksum-vs-pgp-582e76207019?sk=7485298b76eaf9f935b899b002f4c3b5

Relevant pull request is #1752

The idea behind the change is to add verification of the set of dependencies.
It is configured with a checksum.xml file. The plugin prints a detailed message in case of failure, and it generates an updated checksum.xml file (its location is included in the message).

Here's sample failure (I removed the artifact from checksum.xml so it fails on "unknown" artifact):

Checksum/PGP violations detected on resolving configuration :docs:cas-server-documentation-swagger:testRuntimeClasspath
  No PGP signature (.asc file) found for artifact:
    org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE (pgp=[], sha512=[FAA81F9DE0A459130BA53954F1592D95A7FA3F62F205EDD3CF96C2BE8FC35AAA7685F837EDCC9D359BCE401C7D1EECF17ABCC7408E506B490C6F2C344B6D9423])

You can find updated checksum.xml file at /Users/vladimirsitnikov/Documents/work/checksum/cas/checksum.xml.

Another sample: walleth/walleth#396 (comment)

Note: GPars is signed with 74DAFDFD6DAE2441, however it is not available on public key servers:
GPars/GPars#62
That is why 74DAFDFD6DAE2441 is added to ignored-keys for now.

Note: SpringFramework misses PGP keys, see spring-projects/spring-framework#23434

@welcome

welcome bot commented Sep 10, 2019

Thank you so much for opening your first pull request here!

@CLAassistant

CLAassistant commented Sep 10, 2019

CLA assistant check
All committers have signed the CLA.

@vlsi
Author

vlsi commented Sep 10, 2019

Travis fails as follows:

https://travis-ci.org/apereo/cas/jobs/583054385#L777

> Checksum/PGP violations detected on resolving configuration :api:cas-server-core-api-authentication:testCompileClasspath
>     Actual checksum is [39FE6A5EBD2AE2D33D8737C8407A8CAA4F6A62CE2057D726BB82496D35104B76F230BBB9721E1DB5F535FEFA3D70EE88C0A5A5E4A3F1266D7317CAE897AD0882], however expected one of [884761DD1B0E981D5FA60C5E02AC2AF1DE8C338451ECE2DE25CDBE33454598B4DED4FEA7AF6F7F6A2507BBB1F3E13552F2858FEB0F24838B18FDA017CE20994A]:
>       net.minidev:accessors-smart:1.2 (pgp=[], sha512=[39FE6A5EBD2AE2D33D8737C8407A8CAA4F6A62CE2057D726BB82496D35104B76F230BBB9721E1DB5F535FEFA3D70EE88C0A5A5E4A3F1266D7317CAE897AD0882])
>     Actual checksum is [977FFE05C17965B403A60471EB6C160103263BBE454E942D67D4D725E1826B504DE6C15038FF01EA90632BF9AD8A31B47C6662613BB905F020EFFA68C44D6F9A], however expected one of [2B8D7B3AD15A65F61395D5416863E268AA986009CC097249EE93896C11588FC5ADAEE0C2DA2F8A7779EDCDCA71AA8EC8296045C55085064B73744A5720E851AA]:
>       net.minidev:json-smart:2.3 (pgp=[], sha512=[977FFE05C17965B403A60471EB6C160103263BBE454E942D67D4D725E1826B504DE6C15038FF01EA90632BF9AD8A31B47C6662613BB905F020EFFA68C44D6F9A])

It would be interesting to know why Travis resolves different json-smart jars.

@vlsi
Copy link
Author

vlsi commented Sep 10, 2019

It turns out the checksum mismatch for net.minidev:json-smart was caused by the fact that my local Maven repository contained a "manually built" file.
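The two failure modes quoted in this thread (an artifact absent from checksum.xml, and an artifact whose bytes differ from the recorded ones, as happened with the locally built json-smart jar) can be reproduced with the small stand-alone verifier below. It is an added example written for this page, not the plugin's code: the manifest schema, the artifact bytes and the message wording are constructed assumptions, and PGP checking is left out.

```python
import hashlib
import xml.etree.ElementTree as ET

def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest().upper()  # upper-case hex, as the plugin prints it

def build_manifest(artifacts: dict) -> str:
    # Serialize {artifact id: bytes} into the simplified manifest (hypothetical schema).
    root = ET.Element("dependencies")
    for dep_id, data in sorted(artifacts.items()):
        ET.SubElement(root, "dependency", id=dep_id, sha512=sha512_hex(data))
    return ET.tostring(root, encoding="unicode")

def load_manifest(xml_text: str) -> dict:
    allowed = {}  # {artifact id: set of allowed sha512}; several per id are permitted
    for dep in ET.fromstring(xml_text).iter("dependency"):
        allowed.setdefault(dep.get("id"), set()).add(dep.get("sha512").upper())
    return allowed

def verify(manifest_xml: str, resolved: dict):
    # Returns (violations, regenerated manifest); a violation is (kind, id, actual, expected).
    # The regenerated manifest records whatever was resolved, so review it before committing.
    allowed, violations = load_manifest(manifest_xml), []
    for dep_id, data in sorted(resolved.items()):
        actual, expected = sha512_hex(data), allowed.get(dep_id)
        if expected is None:
            violations.append(("unknown", dep_id, actual, set()))
        elif actual not in expected:
            violations.append(("mismatch", dep_id, actual, expected))
    return violations, build_manifest(resolved)
def report(violations, configuration: str) -> str:
    # Failure text modelled on the plugin's messages quoted in this PR.
    lines = [f"Checksum violations detected on resolving configuration {configuration}"]
    for kind, dep_id, actual, expected in violations:
        if kind == "unknown":
            lines.append(f"  Unknown artifact (not in manifest): {dep_id} (sha512=[{actual}])")
        else:
            lines.append(f"  Actual checksum is [{actual}], however expected one of {sorted(expected)}:")
            lines.append(f"    {dep_id}")
    return "\n".join(lines) if violations else ""
# Constructed stand-ins for jar bytes; none of these are real artifacts.
TRUSTED = {"net.minidev:json-smart:2.3": b"json-smart-2.3 as published",
           "org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE": b"spring-plugin-core-1.2.0"}
RESOLVED = {"net.minidev:json-smart:2.3": b"json-smart-2.3 rebuilt locally",  # bytes differ
            "org.springframework.plugin:spring-plugin-core:1.2.0.RELEASE": b"spring-plugin-core-1.2.0",
            "net.minidev:accessors-smart:1.2": b"accessors-smart-1.2"}  # absent from manifest
MANIFEST_XML = build_manifest(TRUSTED)
if __name__ == "__main__":
    found, updated = verify(MANIFEST_XML, RESOLVED)
    print(report(found, ":api:testCompileClasspath") + "\n\nUpdated manifest:\n" + updated)
```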

…checksums

`checksum-dependency-plugin` is a superset of `gradle-witness`, and it enables increasing the level of security.

See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

Note: GPars is signed with 74DAFDFD6DAE2441, however it is not available on public key servers:
GPars/GPars#62

Note: SpringFramework misses PGP keys, see spring-projects/spring-framework#23434

@stale

stale bot commented Sep 19, 2019

This patch has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the Pending label Sep 19, 2019
@stale

stale bot commented Sep 26, 2019

This patch has been automatically closed because it has not had recent activity. If you wish to resume work, please re-open the pull request and continue as usual. Thank you for your contributions.

@stale stale bot closed this Sep 26, 2019
3 participants