Add local keyring file

Fetching remote keys can be quite expensive. In order to avoid lookups, this commit introduces the ability to use a local keyrings file, found alongside the verification metadata.
This file can either be generated using regular tools like GPG, or via command-line by adding the `--export-keys` flag when generating the verification metadata.

Allow signature verification file generation

This commit adds the ability to generate a verification file which relies on PGP signature verification. With this mode, Gradle will download the signatures and verify them. Depending on the result of verification, Gradle will either:

- automatically add trusted keys if verification passed
- automatically ignore keys if they couldn't be downloaded
- automatically ignore keys if verification failed

If verification failed or a key couldn't be downloaded, a WARNING will be issued to encourage the user to verify what happened.
In order to reduce the size of the verification file, Gradle will also automatically perform "normalization" of verifications by configuring globally trusted keys for artifacts which share the same group or a common super group.
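
A sketch of the "normalization" step described in the last paragraph, added here as an illustration and not taken from Gradle's code: the promotion rule, the sample coordinates and key IDs, and all function names are assumptions. It also shows what to review in a generated file, since a group-level rule covers modules that were never individually verified.

```python
from collections import defaultdict

# Constructed sample: (group, module, key id) for artifacts whose signature verified.
VERIFIED = [
    ("org.example.core", "core-api", "AAAA1111"),
    ("org.example.core", "core-impl", "AAAA1111"),
    ("org.example.util", "util-io", "AAAA1111"),
    ("com.other", "lib", "BBBB2222"),
    ("com.other", "lib-extra", "CCCC3333"),
]

def common_super_group(groups):
    """Longest shared dotted prefix of the groups, or None if they share nothing."""
    prefix = []
    for parts in zip(*(g.split(".") for g in groups)):
        if len(set(parts)) != 1:
            break
        prefix.append(parts[0])
    return ".".join(prefix) or None

def normalize(verified):
    """Return (global_rules, per_artifact); global_rules maps key id -> group scope."""
    groups_by_key = defaultdict(set)
    keys_by_group = defaultdict(set)
    for group, _module, key in verified:
        groups_by_key[key].add(group)
        keys_by_group[group].add(key)
    global_rules, per_artifact = {}, []
    for key, groups in groups_by_key.items():
        # Assumed rule: promote only when each group is signed by this key alone.
        if all(keys_by_group[g] == {key} for g in groups):
            scope = common_super_group(sorted(groups))
            if scope:
                global_rules[key] = scope
                continue
        # Otherwise keep the narrower per-artifact entries for this key.
        per_artifact += [(g, m, k) for g, m, k in verified if k == key]
    return global_rules, per_artifact

def trusted_by_rule(global_rules, group, key):
    """True if a global rule lets `key` sign anything in `group` or below it."""
    scope = global_rules.get(key)
    return scope is not None and (group == scope or group.startswith(scope + "."))
```

After normalization the sample key `AAAA1111` is trusted for all of `org.example`, including a module such as `org.example.newmodule` that was not in the verified set, so group-level entries deserve a manual look before the file is committed.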