Fix verification of dependencies resolved in buildFinished Previously it was possible that a user hook (buildFinished) was executed _after_ the verification code was done. With this commit this is no longer possible.
Allow signature verification file generation This commit adds the ability to generate a verification file which relies on PGP signature verification. With this mode, Gradle will download the signatures and verify them. Depending on the result of verification, Gradle will either:
- automatically add trusted keys if verification passed - automatically ignore keys if they couldn't be downloaded - automatically ignore keys if verification failed
If verification failed or that a key couldn't be downloaded, a WARNING will be issued to encourage the user to verify what happened.
In order to reduce the size of the verification file, Gradle will also automatically perform "normalization" of verifications by configuring globally trusted keys for artifacts which share the same group or a common super group.