8264010: Add Gradle dependency verification
Co-authored-by: Kevin Rushforth <kcr@openjdk.org>
Reviewed-by: kcr, jvos
jgneff and kevinrushforth committed May 3, 2021
1 parent 7ec132c commit a9f6035c9c1d4dc60aa960498d8dbb5e52827017
Showing with 321 additions and 12 deletions.
  1. +26 −12 apps/samples/Ensemble8/UPDATING-lucene.txt
  2. +52 −0 gradle/README.txt
  3. +243 −0 gradle/verification-metadata.xml
@@ -1,28 +1,42 @@
To update to a new version of Lucene:

1. Change the version number in the following files:

build.gradle
apps/samples/.classpath
apps/samples/Ensemble8/build.gradle
apps/samples/Ensemble8/legal/lucene.md
apps/samples/Ensemble8/nbproject/project.properties
build.gradle

2. Update the Gradle dependency verification file
(gradle/verification-metadata.xml):

$ gradle --write-verification-metadata sha256 help

2. Do a clean build of apps:
Edit the file to remove the old Lucene dependencies and run the
command again to test your changes. For alternative ways to update
the file, see "Cleaning up the verification file" on the page:

gradle clean
gradle sdk apps
Verifying dependencies - Gradle User Guide
https://docs.gradle.org/current/userguide/dependency_verification.html

NOTE: if upgrading to a new major version there are usually compilation or runtime errors that need to be fixed.
3. Do a clean build of apps:

$ gradle clean
$ gradle sdk apps

3. Regenerate the index files. This step can be skipped if only the "bugfix" number (the third digit) of the release changes:
NOTE: If upgrading to a new major version, there are usually
compilation or runtime errors that need to be fixed.

$ cd apps/samples/Ensemble8
$ rm -rf src/generated/resources/ensemble/search/index
$ ant -Dplatforms.JDK_1.9.home=$JAVA_HOME clean ensemble-generate-search-index jar
$ rm src/generated/resources/ensemble/search/index/write.lock
$ git add --all src/generated/resources/ensemble/search/index
4. Regenerate the index files. This step can be skipped if only the
"bugfix" number (the third digit) of the release changes:

$ cd apps/samples/Ensemble8
$ rm -r src/generated/resources/ensemble/search/index
$ ant -Dplatforms.JDK_1.9.home=$JAVA_HOME \
clean ensemble-generate-search-index jar
$ rm src/generated/resources/ensemble/search/index/write.lock
$ git add --all src/generated/resources/ensemble/search/index

4. Test it by running Ensemble and entering text into the search box (upper right)
5. Test it by running Ensemble and entering text into the search box
(upper right).
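
Review bot: Step 2 runs "gradle --write-verification-metadata sha256 help" with no project properties, while gradle/README.txt added in this same commit runs the command with -PCOMPILE_WEBKIT=true -PBUILD_LIBAV_STUBS=true and repeats it on Linux, macOS, and Windows. Say in step 2 why the plain, single-platform command is enough for the Lucene entries, or point to gradle/README.txt for the full procedure, so the reader does not have to guess which of the two to follow. The step could also remind the updater to compare the new lucene-* checksums with the values published by the project before committing, as README.txt suggests.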
@@ -0,0 +1,52 @@
For more information on the Gradle dependency verification file
(verification-metadata.xml), see the following page:

Verifying dependencies - Gradle User Guide
https://docs.gradle.org/current/userguide/dependency_verification.html

Recreate the dependency verification file as follows:

1. Remove the existing file on Linux.

$ rm gradle/verification-metadata.xml

2. Run the following command on Linux.

$ gradle -PCOMPILE_WEBKIT=true -PBUILD_LIBAV_STUBS=true \
--write-verification-metadata sha256 help

3. Copy the file on Linux to macOS and run the command again to pick up
the 'org.eclipse.swt.cocoa.macosx.x86_64' library.

4. Copy the file on macOS to Windows and run the command again to pick
up the 'org.eclipse.swt.win32.win32.x86_64' library. Convert the
newline format of the file back to single-character line feeds.

$ dos2unix gradle/verification-metadata.xml
dos2unix: converting file gradle/verification-metadata.xml to Unix format...

$ file gradle/verification-metadata.xml
gradle/verification-metadata.xml: XML 1.0 document, ASCII text

5. Use the file generated on Linux, macOS, and Windows in the Oracle
builds to pick up the internal tools and development kits in the
'javafx' component group.

6. Commit the final version of the file to the repository.

These commands will cause Gradle to compute the requested checksums
directly from the newly downloaded artifacts and add them to the file.

Optionally verify that the new checksums added to the file are correct.
The User Guide states, "However, if a dependency is compromised in
a repository, it's likely its checksum will be too, so it's a good
practice to get the checksum from a different place, usually the
website of the library itself." Even without this extra verification,
having the checksums in the default build allows for a distributed
consensus on their correct values and will report any discrepancies.

When upgrading an external dependency to a newer version, update the
dependency verification file in a similar manner. Edit the file to
remove the older dependencies no longer in use and run the commands
again to test your changes. For alternative ways to update the file,
see "Cleaning up the verification file" at the link above.
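
Review bot: Step 1 deletes gradle/verification-metadata.xml before regenerating it, so every checksum in the new file, not only those of changed dependencies, is recomputed from whatever was downloaded in that run, and the independent check further down is described only as optional. Add a step before step 6 to compare the regenerated file with the committed version (git diff gradle/verification-metadata.xml) and to treat a changed sha256 for an unchanged name and version as something to investigate rather than commit. Step 5 refers to internal tools in the Oracle builds, so it would also help to state who is expected to carry out that step.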
@@ -0,0 +1,243 @@
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
<configuration>
<verify-metadata>true</verify-metadata>
<verify-signatures>false</verify-signatures>
</configuration>
<components>
<component group="" name="ffmpeg-3.3.3" version="">
<artifact name="ffmpeg-3.3.3-.tar.gz">
<sha256 value="66000646f487496bc33cf0ab72ca1cd4c8bd52f295c45428ed69735925a2bf3c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="ffmpeg-4.0.2" version="">
<artifact name="ffmpeg-4.0.2-.tar.gz">
<sha256 value="a56ef203c14ffab56b97690a1005522cfa0dc2c42c3c40c33c0bec4875b706eb" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="icu4c-68.2-data-bin-l" version="">
<artifact name="icu4c-68.2-data-bin-l-.zip">
<sha256 value="89e4022c14cdaec92e7fc8f7214412dd02c8010ccba26fcee7c9ae30fdfadcbc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-11.4" version="">
<artifact name="libav-11.4-.tar.gz">
<sha256 value="ce416632d4b62fbd1a667c4cbbd484eb5b5f058e15c5900fbec175d8b6865047" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-12.1" version="">
<artifact name="libav-12.1-.tar.gz">
<sha256 value="f08d48bfd26097402d61f831e77effd53d0838fdeccb02ea85ec3c5d2a4527e1" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="libav-9.14" version="">
<artifact name="libav-9.14-.tar.gz">
<sha256 value="630203127f06b57b1156d5dd53b9c49daf33fab9157903aaac65a26bef6accbc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.cocoa.macosx.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.cocoa.macosx.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="ff48e1c05fd5e3701b53fc9ac59a2745d61daf1484d9aa24dc2f79a74e381cf8" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.gtk.linux.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.gtk.linux.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="a963351d5f7b82b890c4994e158d80555dae38b00af3b8d73f3875c21ff398bc" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="" name="org.eclipse.swt.win32.win32.x86_64_3.105.3.v20170228-0512" version="">
<artifact name="org.eclipse.swt.win32.win32.x86_64_3.105.3.v20170228-0512-.jar">
<sha256 value="2be43498f3f91613ff865449ea8495d8e16b714f1f0564c276f56aa9e17ca2ea" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="com.ibm.icu" name="icu4j" version="61.1">
<artifact name="icu4j-61.1.jar">
<sha256 value="55c98eb1838b2a4bb9a07dc36bd378532d64d0cdcb7ceee914236866a7de4464" origin="Generated by Gradle"/>
</artifact>
<artifact name="icu4j-61.1.pom">
<sha256 value="13b87a4079ceb05515b19ac7a15203947075601d49423f719358a4980098056b" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-Darwin" version="x86_64.tar">
<artifact name="cmake-3.13.3-Darwin-x86_64.tar.gz">
<sha256 value="cee923ec7a88350f78dac06f0dfae5dec3c9cef331686acfd36ef7dd5aea84db" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-Linux" version="x86_64.tar">
<artifact name="cmake-3.13.3-Linux-x86_64.tar.gz">
<sha256 value="78227de38d574d4d19093399fd4b40a4fb0a76cbfc4249783a969652ce515270" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="cmake-3.13.3-win32" version="x86">
<artifact name="cmake-3.13.3-win32-x86.zip">
<sha256 value="1382a32494b49d0554268a6d4c321865ace7e66c9189323c4f43630f067cf135" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-linux_x64-gcc10.3.0" version="OL6.4+1.0.tar">
<artifact name="devkit-linux_x64-gcc10.3.0-OL6.4+1.0.tar.gz">
<sha256 value="7bef73db375a81dd8daf8a63ee4a1f8f06dd3a063b85115e84a0dd52da22dca9" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-macosx" version="Xcode12.4+1.0.tar">
<artifact name="devkit-macosx-Xcode12.4+1.0.tar.gz">
<sha256 value="bbaef3679622587fc7fd927327ccce8fbf813274a1eab868a066b3bcc50d64e4" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="devkit-windows_x64-VS2019" version="16.9.3+1.0.tar">
<artifact name="devkit-windows_x64-VS2019-16.9.3+1.0.tar.gz">
<sha256 value="270db89d7c58bc05c3a4e0a0057711f9d0aa228879c9ff38bb7a12cc1ee2c2cf" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="jfx-devkit-gcc" version="patch+1.1.tar">
<artifact name="jfx-devkit-gcc-patch+1.1.tar.gz">
<sha256 value="dbcbb0655093e1a1ad9fed4bc58bcfe0b5c9c204424ca58ecc3b87cdf8ee3e77" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="javafx" name="ninja" version="win">
<artifact name="ninja-win.zip">
<sha256 value="c80313e6c26c0b9e0c241504718e2d8bbc2798b73429933adf03fdc6d84f0e70" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="junit" name="junit" version="4.8.2">
<artifact name="junit-4.8.2.jar">
<sha256 value="a2aa2c3bb2b72da76c3e6a71531f1eefdc350494819baf2b1d80d7146e020f9e" origin="Generated by Gradle"/>
</artifact>
<artifact name="junit-4.8.2.pom">
<sha256 value="df39d34d1f5830b2d8a92790c66b5798358b0b3e01452dc85b3722a881ad923e" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="net.java" name="jvnet-parent" version="3">
<artifact name="jvnet-parent-3.pom">
<sha256 value="30f5789efa39ddbf96095aada3fc1260c4561faf2f714686717cb2dc5049475a" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.abego.treelayout" name="org.abego.treelayout.core" version="1.0.3">
<artifact name="org.abego.treelayout.core-1.0.3.jar">
<sha256 value="fa5e31395c39c2e7d46aca0f81f72060931607b2fa41bd36038eb2cb6fb93326" origin="Generated by Gradle"/>
</artifact>
<artifact name="org.abego.treelayout.core-1.0.3.pom">
<sha256 value="a3b2b223794370355e792433af012fc993667c0331be2bacad84dbc09ace4a0c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="ST4" version="4.1">
<artifact name="ST4-4.1.jar">
<sha256 value="8b1ccaed9edc55cd255d9c19c4d8da4756d9b6fcb435671292b43470b16d75d8" origin="Generated by Gradle"/>
</artifact>
<artifact name="ST4-4.1.pom">
<sha256 value="733e6bd97ca34cc6df93a4243e511e5673cb9b88c74b18844e042a45d516987c" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr-master" version="3.5.2">
<artifact name="antlr-master-3.5.2.pom">
<sha256 value="42d91a531ea5100eb09b541aa002c3b908e8f282bd73b6e2f52f371ef1331bd6" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr-runtime" version="3.5.2">
<artifact name="antlr-runtime-3.5.2.jar">
<sha256 value="ce3fc8ecb10f39e9a3cddcbb2ce350d272d9cd3d0b1e18e6fe73c3b9389c8734" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr-runtime-3.5.2.pom">
<sha256 value="46a9c2200bb8b12bd7124aa7a5097ff49099908329c851a04cb2051420aa7f25" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4" version="4.7.2">
<artifact name="antlr4-4.7.2-complete.jar">
<sha256 value="6852386d7975eff29171dae002cc223251510d35f291ae277948f381a7b380b4" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr4-4.7.2.pom">
<sha256 value="cf9eb36940fac44881038c1be3f2c58e06e68d1abfbfd4a68d34bbd8bac55771" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4-master" version="4.7.2">
<artifact name="antlr4-master-4.7.2.pom">
<sha256 value="ba99cb25d2390f38680c7502842a0ee0959d1e6403e013ccff698fd5856eead1" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.antlr" name="antlr4-runtime" version="4.7.2">
<artifact name="antlr4-runtime-4.7.2.jar">
<sha256 value="4c518b87d4bdff8b44cd8cbc1af816e944b62a3fe5b80b781501cf1f4759bbc4" origin="Generated by Gradle"/>
</artifact>
<artifact name="antlr4-runtime-4.7.2.pom">
<sha256 value="dc09cba98c25d3c06e4aec516885d4c3af03062ba55f4fe6283fc9cf176a60fb" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache" name="apache" version="13">
<artifact name="apache-13.pom">
<sha256 value="ff513db0361fd41237bef4784968bc15aae478d4ec0a9496f811072ccaf3841d" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-core" version="7.7.3">
<artifact name="lucene-core-7.7.3.jar">
<sha256 value="8eb03335c1a3c6a8b188df74d761baa83569953582ab440b534c88449ea8e0de" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-core-7.7.3.pom">
<sha256 value="82f8a52281c6c8ba7974acbaac44b32d76e260082f3f4bbe165c0f6e4b89142a" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-grouping" version="7.7.3">
<artifact name="lucene-grouping-7.7.3.jar">
<sha256 value="2f5bcd63b25743d30c313986224d107f75c52938714954253510c57d3f67beb8" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-grouping-7.7.3.pom">
<sha256 value="1f04ad93e2044d408fd925eee0aea4b4a1ef8c07577b42667bb5360602822265" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-parent" version="7.7.3">
<artifact name="lucene-parent-7.7.3.pom">
<sha256 value="e8fadd53d5f004c40ddd235d438648e72c725599fee1543e5624d5fb50107305" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-queries" version="7.7.3">
<artifact name="lucene-queries-7.7.3.jar">
<sha256 value="3cb592db0a6e9569c6accbdb88a9ad7b1da7428dbca7921ad1c5a5865d5b4226" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-queries-7.7.3.pom">
<sha256 value="ae406c8a2bb0d764a594444279f4628a1976bd0941e79d42ce64e0987c589c50" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-queryparser" version="7.7.3">
<artifact name="lucene-queryparser-7.7.3.jar">
<sha256 value="1775c9fe8edd9686d3b7a647778fa44eaa96f1cc0c499315087133e1a9839e84" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-queryparser-7.7.3.pom">
<sha256 value="cf69259215ac7230b9fad60a5c89ca0e9f5b9baaccedd146958ffbe90f4eb0d2" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-sandbox" version="7.7.3">
<artifact name="lucene-sandbox-7.7.3.jar">
<sha256 value="55f1b7f09dae2b0cad321c34d15c3cfc59a0211be233f629d046c42bf17012b7" origin="Generated by Gradle"/>
</artifact>
<artifact name="lucene-sandbox-7.7.3.pom">
<sha256 value="d6f6ddc6ccf5c6fca6447d470f5049e1637ac637bf1db5ae0d5f1668fdf81222" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.apache.lucene" name="lucene-solr-grandparent" version="7.7.3">
<artifact name="lucene-solr-grandparent-7.7.3.pom">
<sha256 value="3a2837580ca76af36af7dfe2dc1d334fc6ff5f26d10f24899db7770ad7cfd9fe" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.glassfish" name="javax.json" version="1.0.4">
<artifact name="javax.json-1.0.4.jar">
<sha256 value="0e1dec40a1ede965941251eda968aeee052cc4f50378bc316cc48e8159bdbeb4" origin="Generated by Gradle"/>
</artifact>
<artifact name="javax.json-1.0.4.pom">
<sha256 value="6baf8383ffa98b66ea96cd5bfc1ec7f2d79463bb98ac98052964b121c2212d54" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.glassfish" name="json" version="1.0.4">
<artifact name="json-1.0.4.pom">
<sha256 value="6d7c68423115f921718d944f859924b4c685217ec03a49f70455a8b2caa972e6" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.sonatype.oss" name="oss-parent" version="7">
<artifact name="oss-parent-7.pom">
<sha256 value="b51f8867c92b6a722499557fc3a1fdea77bdf9ef574722fe90ce436a29559454" origin="Generated by Gradle"/>
</artifact>
</component>
<component group="org.sonatype.oss" name="oss-parent" version="9">
<artifact name="oss-parent-9.pom">
<sha256 value="fb40265f982548212ff82e362e59732b2187ec6f0d80182885c14ef1f982827a" origin="Generated by Gradle"/>
</artifact>
</component>
</components>
</verification-metadata>
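
Review bot: The <configuration> block sets <verify-signatures>false</verify-signatures>, and every <sha256> entry carries origin="Generated by Gradle", so each hash records only what was downloaded when the file was written and nothing ties an artifact to its publisher. Either note in gradle/README.txt that the file is deliberately checksum-only, or plan a follow-up that enables signature verification for the components whose publishers provide signatures. Separately, the entries with group="" and version="" (ffmpeg, libav, icu4c, SWT) and the 'javafx' entries with values such as version="x86_64.tar" keep the real version inside the name attribute; a short remark in README.txt would help whoever edits these entries by hand during an upgrade.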
