enable built-in gradle dependency verification

This fully replaces gradle-witness and goes far beyond what it offered. As
far as I can tell, this actually will verify every single artifact that
gradle downloads and uses.

This was generated in two passes to get both the PGP and the SHA256 info:

```
./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys
./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest
```

Thanks to @vlsi who made me aware of this, and helped make it possible.
closes !837
Hans-Christoph Steiner 2020-07-16 11:00:11 +02:00
parent dc93686926
commit be5bdf3219
No known key found for this signature in database
GPG Key ID: 3E177817BA1B9BFA
4 changed files with 2581 additions and 1 deletions

.gitattributes vendored Normal file

@ -0,0 +1 @@
*.gpg binary
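
Review bot: `*.gpg binary` means any keyring covered by this pattern appears in review only as "Binary file not shown", so a later change to the set of trusted keys cannot be read from a diff. Worth documenting, next to this attribute or in the contributor docs, that whoever changes a .gpg file lists its keys and fingerprints in the merge request description so reviewers can check them out of band.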


@ -53,7 +53,7 @@ errorprone:
stage: test
script:
- cat config/errorprone.gradle >> app/build.gradle
- ./gradlew assembleDebug
- ./gradlew -Dorg.gradle.dependency.verification=lenient assembleDebug
# once these prove stable, the task should be switched to
# connectedCheck to test all the build flavors
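
Review bot: in the errorprone job's script, `-Dorg.gradle.dependency.verification=lenient` makes Gradle report verification failures without failing the build, so this job does not enforce the new metadata, and the comment that follows is about connectedCheck rather than about why lenient mode is needed. If the reason is that the dependencies pulled in by appending config/errorprone.gradle are not covered by the metadata, say so in a comment on this line, and consider adding those artifacts to the metadata so the job can run in the default strict mode.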

Binary file not shown.

File diff suppressed because it is too large