Add checksum-dependency-plugin for verification of plugin/dependency checksums #396
Thanks - this looks really good - much appreciated! Will most likely merge - I just need to read up a bit more on the used plugin before merging. But from what I see currently it looks like an improvement - thanks!
Nice. Feel free to ping me or file an issue at https://github.com/vlsi/vlsi-release-plugins/issues
@vlsi one question: what is the process when updating dependencies with this plugin? Also currently having this strange effect after updating kotlin to 1.3.50:
Do you know what happened there? I doubt JetBrains changed their PGP key for this release.
Does https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin#updating-dependencies answer your question? Technically speaking, the plugin saves the updated file as Frankly speaking I refrained from adding that to prevent people from blindly using
I think JetBrains indeed used a different key to publish 1.3.50. |
Thanks so much for the insight. Facing the following problem now:
This happens on the unmodified version of this PR. Perhaps it is only a problem on Linux? Unfortunately my build servers run on Linux and I cannot merge the PR without the agreement of the CI.
@ligi , unfortunately, there's no generic way to ask Gradle to resolve "all the dependencies the project would ever require". For CI configuration I suggest you add That would make your CI collect all the violations and print the updated Feel free to force-push the updates to
Thanks! I did this - but afterwards I end up with:
By default the plugin fails on the first violation. So it is expected that it might fail multiple times provided you add dependencies one by one. As the build output suggests,
…checksums `checksum-dependency-plugin` is a superset of `gradle-witness`, and it enables to increase the level of security. See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin fixes walleth#395
Thanks! Should not have done this on the road - but was excited about this PR - now at home on my desk everything works like a charm - the problem was the isCI flag that dragged in different dependencies. |
`checksum-dependency-plugin` is a superset of `gradle-witness`, and it enables to increase the level of security. See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin

fixes #395

Note: I have not removed `gradle-witness`, however it becomes obsolete.

Note: `<trust-requirement pgp='MODULE' checksum='MODULE' />` could be used to verify checksum always. Current configuration (pgp=GROUP checksum=NONE) uses PGP when available, and resorts to checksum when PGP is missing.
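The two trust-requirement settings described in the note, as an added illustration of the verification policy (this is a simplified model written for this thread, not the plugin's own code): it assumes the PGP signature itself has already been cryptographically verified and that `signer` is the key ID behind it, and all key IDs, module names and expected SHA-512 values are constructed placeholders.

```python
"""Model of the trust-requirement policy from the PR description (not the plugin's code).

pgp='GROUP' checksum='NONE': accept a signature from a key trusted for the artifact's
group; fall back to the SHA-512 only when the artifact carries no signature.
pgp='MODULE' checksum='MODULE' (assumed reading): the SHA-512 must always match, and a
present signature must come from a key trusted for that exact module.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Artifact:
    group: str
    module: str
    content: bytes
    signer: Optional[str]  # key ID of an already-verified signature, None if unsigned


# Constructed trust data (placeholders, not real key IDs or checksums).
TRUSTED_GROUP_KEYS = {"org.jetbrains.kotlin": {"KEY-A-PLACEHOLDER"}}
TRUSTED_MODULE_KEYS = {("org.jetbrains.kotlin", "kotlin-stdlib"): {"KEY-A-PLACEHOLDER"}}
EXPECTED_SHA512 = {
    ("org.example", "unsigned-lib"): hashlib.sha512(b"unsigned-lib-1.0.jar").hexdigest(),
}


def verify(art: Artifact, pgp: str, checksum: str) -> bool:
    """Return True when the artifact satisfies <trust-requirement pgp=... checksum=... />."""
    key = (art.group, art.module)
    if pgp == "GROUP":
        trusted = TRUSTED_GROUP_KEYS.get(art.group, set())
    elif pgp == "MODULE":
        trusted = TRUSTED_MODULE_KEYS.get(key, set())
    else:
        trusted = set()
    pgp_ok = art.signer is not None and art.signer in trusted

    expected = EXPECTED_SHA512.get(key)
    sum_ok = expected is not None and hashlib.sha512(art.content).hexdigest() == expected

    if checksum == "MODULE":
        # Strict mode: checksum always required; a present signature must also be trusted.
        return sum_ok and (art.signer is None or pgp_ok)
    # checksum='NONE': PGP decides when a signature exists, checksum is the fallback.
    # A signature from an unknown key (the Kotlin 1.3.50 case above) fails here.
    return pgp_ok if art.signer is not None else sum_ok
```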