Cédric Champeau committed on 20 Nov 19
Add dependency checksum verification

This commit introduces dependency checksum verification.

If, and only if, a dependency verification metadata file
is present, then Gradle will load this metadata and use
it as the "source of truth" for dependency checksums.

Verification occurs whenever a file is accessed, so it
doesn't matter if the file comes from the local cache
or if it was downloaded in the current build.

Gradle performs all verifications during the build and
fails at the end of the build, similarly to the behavior
for "write dependency verification metadata".
This allows collecting as much information as possible
regarding, typically, the missing checksums, which can
be painful during dependency upgrades.

If a dependency verification file contains multiple
checksums, then _all_ checksums are verified. This is to
avoid the case where one of the checksums is wrong but
not the other, and can be used to further secure verification:
often we only see MD5 and SHA1 checksums. While both can be
baked, it's much harder to bake a dependency which will have
both the same MD5 and SHA1 checksums.

Closes #11399

Closes #4934
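
The behaviour this commit message describes (every listed checksum must match, and failures are collected and reported once at the end of the build) shown as an added Python example; it is not Gradle's code. The dict-based metadata layout, the artifact names and the byte strings are constructed for illustration and do not reflect Gradle's verification file format.

```python
import hashlib


class VerificationError(Exception):
    """Raised once, after every accessed artifact has been checked."""


def checksums(data, algorithms):
    """Digest `data` with each named algorithm, in the order given."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algorithms}


def verify_all(artifacts, metadata):
    """Check each artifact against EVERY checksum the metadata lists for it.

    Failures are collected rather than raised, so one run reports all
    missing and mismatching entries instead of only the first.
    """
    failures = []
    for name, data in artifacts.items():
        expected = metadata.get(name)
        if not expected:
            failures.append(f"{name}: no checksum in verification metadata")
            continue
        actual = checksums(data, expected)
        for alg, want in expected.items():
            if actual[alg] != want.lower():
                failures.append(f"{name}: {alg} mismatch")
    return failures


def run_build(artifacts, metadata):
    """Verify everything first, then fail once with the full report."""
    failures = verify_all(artifacts, metadata)
    if failures:
        raise VerificationError("\n".join(failures))
    return True


# Constructed sample data (hypothetical artifact name and contents).
GENUINE = b"constructed bytes standing in for lib-1.0.jar"
TAMPERED = GENUINE + b"\x00"
METADATA = {"lib-1.0.jar": checksums(GENUINE, ["md5", "sha1"])}
# One listed checksum is right and the other wrong: a verifier that
# accepted the first match would pass this entry, verify_all does not.
MIXED = {"lib-1.0.jar": {**METADATA["lib-1.0.jar"], "sha1": "0" * 40}}
```
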
