Gradle dependency checksum and signature checks #252
Conversation
AndyScherzinger
force-pushed
the
chore/noid/dependencyChecksums
branch
2 times, most recently
from
564bce1 to
514fc27
Compare
|
Slightly Off Topic: I am currently using the |
AndyScherzinger
force-pushed
the
chore/noid/dependencyChecksums
branch
from
514fc27 to
aae613a
Compare
|
@stefan-niedermann we do so too on Android repos - like this one - https://github.com/nextcloud/android-common/blob/main/.github/workflows/gradle-wrapper-validation.yml |
AndyScherzinger
changed the title
|
Aah, it's a separate workflow, that's why I missed it 🙈 |
AndyScherzinger
force-pushed
the
chore/noid/dependencyChecksums
branch
3 times, most recently
from
07babab to
a071e31
Compare
|
Fun stuff.... getting the checks to turn green is a major pain - as expected since metadata quality on libraries / dependency management are rather poor, especially for Android / Google artifacts. I'll keep working on it but might keep going for the approach to put them on a trusted list because there is no way for my to maintain checksums manually because they aren't available anywhere :( |
AndyScherzinger
force-pushed
the
chore/noid/dependencyChecksums
branch
8 times, most recently
from
6172eba to
5e09d9e
Compare
Signed-off-by: Andy Scherzinger <[email protected]>
AndyScherzinger
force-pushed
the
chore/noid/dependencyChecksums
branch
from
5e09d9e to
060b2a8
Compare
| <configuration> | ||
| <verify-metadata>true</verify-metadata> | ||
| <verify-signatures>true</verify-signatures> | ||
| <trusted-artifacts> |
There was a problem hiding this comment.
some artifacts, thanks Google can't be verified, so put them in a trusted list
| <trust group="org.jetbrains.kotlin" name="kotlin-stdlib-common" version="1.9.0" reason="Broken: artifact was signed but all keys were ignored, checksum is missing from verification metadata"/> | ||
| </trusted-artifacts> | ||
| <ignored-keys> | ||
| <ignored-key id="a41f13c999945293" reason="Key couldn't be downloaded from any key server"/> |
There was a problem hiding this comment.
some keys aren't available via any dependency repo, so they will get added to an ignore list automatically
| <ignored-key id="5f69ad087600b22c" reason="Key couldn't be downloaded from any key server"/> | ||
| </ignored-keys> | ||
| <trusted-keys> | ||
| <trusted-key id="015479e1055341431b4545ab72475fd306b9cab7" group="com.googlecode.javaewah" name="JavaEWAH" version="1.2.3"/> |
There was a problem hiding this comment.
same for found keys, they will be added to a trusted list
Adding checksums to Android repos like
android-commonfor gradle based build toolchain, see https://docs.gradle.org/current/userguide/dependency_verification.html.In order to do so, one must:
org.gradle.dependency.verification.console=verbosetogradle.propertiesso future CI runs would provide the info in case the HTML report isn't accessible./gradlew --write-verification-metadata pgp,sha256 help./gradlew :sample:generateDebugLintReportModel --write-verification-metadata pgp,sha256 help./gradlew :core:spotlessKotlinCheck --write-verification-metadata pgp,sha256 help./gradlew --export-keys./gradlew :sample:generateDebugLintReportModel --export-keys./gradlew :core:spotlessKotlinCheck --export-keysverification-keyring.keysbut not the binary very so git is able to diff the key changes. not executing the last command and commiting its results leads to the GH action trying to download the keys, this slows down the execution and leads to red checks since it'll fail for many keys, hence shipping them in the repo it the best option.A next step will have to be to move to renovatebot which is capable of update checksums when updating dependencies, see https://docs.renovatebot.com/modules/manager/gradle/
Note