enable built-in gradle dependency verification

This fully replaces gradle-witness and goes far beyond what it offered. As far as I can tell, this actually will verify every single artifact that gradle downloads and uses. This was generated in two passes to get both the PGP and the SHA256 info: ``` ./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys ./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest ``` Thanks to @vlsi who made me aware of this, and helped make it possible. closes !837
3 years ago · be5bdf3219
parent dc93686926
commit be5bdf3219
4 changed files with 2581 additions and 1 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+*.gpg           binary
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -53,7 +53,7 @@ errorprone:
  stage: test
  script:
    - cat config/errorprone.gradle >> app/build.gradle
-    - ./gradlew assembleDebug
+    - ./gradlew -Dorg.gradle.dependency.verification=lenient assembleDebug

 # once these prove stable, the task should be switched to
 # connectedCheck to test all the build flavors
--- a/gradle/verification-keyring.gpg
+++ b/gradle/verification-keyring.gpg
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml