Dependency verification does not find a verification-metadata entry on Android Studio sync

[asodja]

As reported in: #18498 (comment) by @liutikas:

Reproducer:
https://github.com/liutikas/gradle-bug-crash-android-studio-sync-kmp

When using Android Studio sync it can happen that Dependency verifier ignores some entries in verification-metadata.xml.

Failed building KotlinMPPGradleModel
org.gradle.api.internal.artifacts.verification.DependencyVerificationException: Dependency verification failed for junit:junit:4.12:
  - On artifact kotlin-test-junit-1.5.31.module (org.jetbrains.kotlin:kotlin-test-junit:1.5.31) in repository 'maven': checksum is missing from verification metadata.

If the artifacts are trustworthy, you will need to update the gradle/verification-metadata.xml file by following the instructions at https://docs.gradle.org/7.4-20211026220137+0000/userguide/dependency_verification.html#sec:troubleshooting-verification

These files failed verification:
  - GRADLE_USER_HOME/../../../../../../ssd/ssd1/temp/gradle-bug-crash-android-studio-sync/repo/org/jetbrains/kotlin/kotlin-test-junit/1.5.31/kotlin-test-junit-1.5.31.module

GRADLE_USER_HOME = /usr/local/google/home/aurimas/.gradle

These files failed verification:
  - GRADLE_USER_HOME/../../../../../../ssd/ssd1/temp/gradle-bug-crash-android-studio-sync/repo/org/jetbrains/kotlin/kotlin-test-junit/1.5.31/kotlin-test-junit-1.5.31.module

GRADLE_USER_HOME = /usr/local/google/home/aurimas/.gradle

Open this report for more details: file:///ssd/ssd1/temp/gradle-bug-crash-android-studio-sync/build/reports/dependency-verification/at-1635301289127/dependency-verification-report.html
	at org.gradle.api.internal.artifacts.ivyservice.ivyresolve.verification.ChecksumAndSignatureVerificationOverride.artifactsAccessed(ChecksumAndSignatureVerificationOverride.java:182)
	at org.gradle.api.internal.artifacts.ivyservice.ivyresolve.verification.ChecksumAndSignatureVerificationOverride$2.getFile(ChecksumAndSignatureVerificationOverride.java:200)
	at org.jetbrains.plugins.gradle.tooling.util.resolve.DependencyResolverImpl.resolveDependencies(DependencyResolverImpl.java:309)
	at org.jetbrains.plugins.gradle.tooling.util.resolve.DependencyResolverImpl.resolveDependencies(DependencyResolverImpl.java:120)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder.buildDependencies(KotlinMPPGradleModelBuilder.kt:229)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder.buildSourceSetDependencies(KotlinMPPGradleModelBuilder.kt:650)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder.access$buildSourceSetDependencies(KotlinMPPGradleModelBuilder.kt:39)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder$buildSourceSet$sourceSetDependenciesBuilder$1.invoke(KotlinMPPGradleModelBuilder.kt:173)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder$buildSourceSet$sourceSetDependenciesBuilder$1.invoke(KotlinMPPGradleModelBuilder.kt:39)
	at org.jetbrains.kotlin.gradle.KotlinSourceSetProto.buildKotlinSourceSetImpl(KotlinMPPGradleModelImpl.kt:27)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder.buildSourceSets(KotlinMPPGradleModelBuilder.kt:128)
	at org.jetbrains.kotlin.gradle.KotlinMPPGradleModelBuilder.buildAll(KotlinMPPGradleModelBuilder.kt:57)
...

The problem seems to be that DependencyVerifier.verificationMetadata has key ComponentIdentifier but Android Studio/IntelliJ can inject it's own ComponentIdentifier implementation so comparison methods (hashcode/equals) are different: