[guardian-dev] Gradle Wrapper + Gradle Witness

Dominik Schuermann dominik at dominikschuermann.de
Thu Apr 30 07:04:35 EDT 2015


Hey,

posting this here, because it may be relevant for these projects.

At Openkeychain we are using Gradle Witness [0] to verify the dependencies
from Maven.
I noticed that there is still a dependency that is not verified: The
gradle distribution itself. It is downloaded via a gradle wrapper that
is part of the repositories (normally at gradle/wrapper/gradle-wrapper.jar).
I now implemented SHA-256 sum verification for it in my fork [1] and did
a pull request [2] to the main gradle repo. Maybe you guys are already
interested in using it before it is merged. It is also a good
opportunity to build the gradle-wrapper.jar yourself from source...

1. Get source from https://github.com/sufficientlysecure/gradle
2. Build it and get wrapper from
subprojects/wrapper/build/libs/gradle-wrapper.jar
3. Use it like
https://github.com/open-keychain/open-keychain/commit/41968206d3deed789dd5b35468a8d8487755234c

Regards
Dominik


[0] https://github.com/WhisperSystems/gradle-witness
[1] https://github.com/sufficientlysecure/gradle
[2] https://github.com/gradle/gradle/pull/448
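
The check described in the message above, sketched as an added example (not part of the original post and not the fork's or Gradle's code): compare a downloaded distribution's SHA-256 with a value pinned next to the download URL, and refuse to proceed when no value is pinned. The `distributionSha256Sum` key is the name current Gradle uses in `gradle-wrapper.properties` and is an assumption with respect to the fork; the URL and archive contents are constructed.

```python
import hashlib
import os
import tempfile

def parse_wrapper_properties(text):
    """Parse the key=value lines of a gradle-wrapper.properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            # Java .properties files escape ':' as '\:' inside URLs.
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large archives are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_distribution(properties_text, archive_path):
    """Return (ok, reason). Fails closed when no checksum is pinned."""
    props = parse_wrapper_properties(properties_text)
    pinned = props.get("distributionSha256Sum", "").lower()
    if len(pinned) != 64 or any(c not in "0123456789abcdef" for c in pinned):
        return False, "no valid pinned SHA-256 in wrapper properties"
    actual = sha256_file(archive_path)
    if pinned != actual:
        return False, "checksum mismatch: expected %s, got %s" % (pinned, actual)
    return True, "checksum matches"

def demo():
    """Constructed sample: a stand-in archive and a matching properties file."""
    fd, path = tempfile.mkstemp(suffix=".zip")
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed stand-in for a Gradle distribution zip")
    props = ("distributionUrl=https\\://example.invalid/gradle-X.Y-bin.zip\n"
             "distributionSha256Sum=%s\n" % sha256_file(path))
    good = verify_distribution(props, path)
    with open(path, "ab") as fh:
        fh.write(b"tampered")  # simulate a modified download
    bad = verify_distribution(props, path)
    os.remove(path)
    return good, bad
```

The pinned value only helps if it is committed alongside the wrapper and was obtained from a source other than the download being checked.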

