Commit Graph

1 Commits

Author SHA1 Message Date
Přemek Vyhnal
17d109a15e
replace witness plugin with gradle dependency checksum verification (#223)
* replace witness plugin with gradle builtin dependency checksum verification

I noticed that a recent dependency change didn't needed checksum change. It was because the witness plugin only checked the listed checksums, not all the dependencies. If the dependency was not on the list, the new checksum was not verified.

Gradle now has its own verification mechanism, see https://docs.gradle.org/current/userguide/dependency_verification.html

After a dependency is added or a version is changed, the checksums could be regenerated using the following command.

```
gradle --write-verification-metadata sha256 help
````

 The help task is just used to discover as much as possible dependencies, and if subsequent builds fail with a verification error, you can re-execute generation with the appropriate tasks to "discover" more dependencies

 I verified that all the checksums from the removed file are present in the new one.

jcenter repository (used only for gradle shadow plugin) is replaced with gradlePluginPortal. jcenter is shutting down anyway and the checksums for shadow plugin and its dependencies were not added automatically to the xml file for some reason.

* add javadoc and source as trusted artifacts

Co-authored-by: woodser <woodser@protonmail.com>
2022-02-06 11:36:58 -05:00