DependencyVerificationSignatureCheckIntegTest.groovy

Annotate tests to account for new reported problems

Signed-off-by: Paul Merlin <paul@gradle.com>

    • -21
    • +0
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 48 more files in changeset.
Annotate tests to account for new reported problems

Signed-off-by: Paul Merlin <paul@gradle.com>

    • -21
    • +0
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 49 more files in changeset.
Fix a number of review comments

    • -38
    • +110
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 15 more files in changeset.
Introduce a terse console output for verification failures

This commit switches from a verbose console output when dependency verification errors occur, to a terse version which basically only links to the rich report.

It's still possible to use the verbose output by configuring the build with the Gradle `org.gradle.dependency.verification.console` property (usual places apply).

    • -36
    • +181
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 12 more files in changeset.
Fix Unrolled tests with partial success with instant execution

Signed-off-by: Paul Merlin <paul@gradle.com>

    • -1
    • +4
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 18 more files in changeset.
Performance optimization for verification

Dependency verification may produce a number of verification events which are only relevant if, eventually, a fatal verification failure occurs. If it's not the case, there will not be any verification failure, therefore it's unnecessary to perform formatting of an error message.

Previously, we would always check for verification failures even if, in the end, there would only be non-fatal ones, which slows down IDE syncing.

    • -2
    • +16
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 2 more files in changeset.
Tweak error messages

    • -7
    • +7
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 3 more files in changeset.
Make some error messages clearer

    • -7
    • +7
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 4 more files in changeset.
Fix verification of dependencies resolved in buildFinished

Previously it was possible that a user hook (buildFinished) was executed _after_ the verification code was done. With this commit this is no longer possible.

    • -0
    • +36
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 10 more files in changeset.
Fix verification of dependencies resolved in buildFinished

Previously it was possible that a user hook (buildFinished) was executed _after_ the verification code was done. With this commit this is no longer possible.

    • -0
    • +36
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 7 more files in changeset.
Add support for key fingerprints

In order to provide maximum security, it's now possible to use full key fingerprints, in addition to long (64-bit) key ids, in trusted or ignored keys.

It doesn't matter what format is used: if a trusted key uses a long id, then it's possible that if there's a key collision, an artifact would be trusted even if it shouldn't. If a fingerprint is used instead, then we would use the full fingerprint for verification.

It's worth noting that PGP doesn't provide the full fingerprint in signatures for the key issuer. This means that when we're going to download keys, we will still use the long ids.

Fixes #11770

    • -23
    • +131
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 19 more files in changeset.
Add ignore key test coverage and bump wrapper

    • -0
    • +75
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 1 more file in changeset.
Verify checksums for artifacts which declare them even if signature passes

This is done because signatures are done on the hash of artifacts and not on the artifact contents itself, so if you want to ensure both integrity and provenance, you need to check both.

    • -0
    • +33
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 1 more file in changeset.
Add information about paths to dependencies when failing verification

When dependency verification fails, it's often necessary to actually look at the artifacts which were downloaded. Gradle will not display the paths to the artifacts which were involved in a verification failure, so that the user can check if they are the ones they expect or something else.

This also gives the ability to actually delete the file from the local cache if it makes sense.

    • -0
    • +17
    ./DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 13 more files in changeset.