enable built-in gradle dependency verification

This fully replaces gradle-witness and goes far beyond what it offered. As far as I can tell, this actually will verify every single artifact that gradle downloads and uses. This was generated by first copying the existing one in fdroidclient, then running two passes to get both the PGP and the SHA256 info: ./gradlew --write-verification-metadata pgp,sha256 build --export-keys ./gradlew --write-verification-metadata sha256 build Thanks to @vlsi who made me aware of this, and helped make it possible. fdroid/fdroidclient!837
guardianproject · Apr 29, 2021 · e5d1cc6 · e5d1cc6 · vlsi · Apr 29, 2021
1 parent c3cd70d
commit e5d1cc6
Show file tree

Hide file tree

Showing 3 changed files with 3,337 additions and 2 deletions.
diff --git a/build.gradle b/build.gradle
@@ -2,7 +2,6 @@
 
 buildscript {
     repositories {
-        maven { url 'file:///usr/share/maven-repo' }
         mavenCentral()
         google()
     }
@@ -13,7 +12,6 @@ buildscript {
 
 allprojects {
     repositories {
-        maven { url 'file:///usr/share/maven-repo' }
         mavenCentral()
         google()
     }

diff --git a/gradle/verification-keyring.gpg b/gradle/verification-keyring.gpg