Fix ignored keys not written for failed verifications

In order to generate a file which can _immediately_ be used
despite verification failures (because we fall back on checksum
verification), we need to add the ignored keys at the artifact
level.

    • -0
    • +3
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
  1. … 1 more file in changeset.
Add local keyring file

Fetching remote keys can be quite expensive. In order to avoid lookups,
this commit introduces the ability to use a local keyrings file, found
alongside the verification metadata.

This file can either be generated using regular tools like GPG, or via
command-line by adding the `--export-keys` flag when generating the
verification metadata.

    • -0
    • +34
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
    • -0
    • +56
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
  1. … 18 more files in changeset.
Add information about the source repository in errors

    • -23
    • +58
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -37
    • +37
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 4 more files in changeset.
Further improve error reporting for dependency verification

This commit improves error reporting by making it more
explicit when we fall back to checksum verification.

    • -18
    • +18
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
    • -20
    • +26
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 9 more files in changeset.
Rename short options as they are incorrectly supported

    • -3
    • +3
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
  1. … 1 more file in changeset.
Rename short options as they are incorrectly supported

    • -1
    • +1
    ./resolve/verification/DependencyVerificationIntegrityCheckIntegTest.groovy
  1. … 1 more file in changeset.
Allow signature verification file generation

This commit adds the ability to generate a verification file which relies
on PGP signature verification. With this mode, Gradle will download the
signatures and verify them. Depending on the result of verification,
Gradle will either:

- automatically add trusted keys if verification passed
- automatically ignore keys if they couldn't be downloaded
- automatically ignore keys if verification failed

If verification failed or a key couldn't be downloaded, a
WARNING will be issued to encourage the user to verify what
happened.

In order to reduce the size of the verification file, Gradle will
also automatically perform "normalization" of verifications by
configuring globally trusted keys for artifacts which share the same
group or a common super group.

    • -0
    • +168
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
    • -2
    • +2
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
  1. … 19 more files in changeset.
Allow signature verification file generation

This commit adds the ability to generate a verification file which relies
on PGP signature verification. With this mode, Gradle will download the
signatures and verify them. Depending on the result of verification,
Gradle will either:

- automatically add trusted keys if verification passed
- automatically ignore keys if they couldn't be downloaded
- automatically ignore keys if verification failed

If verification failed or a key couldn't be downloaded, a
WARNING will be issued to encourage the user to verify what
happened.

In order to reduce the size of the verification file, Gradle will
also automatically perform "normalization" of verifications by
configuring globally trusted keys for artifacts which share the same
group or a common super group.

    • -0
    • +5
    ./resolve/verification/AbstractSignatureVerificationIntegrationTest.groovy
    • -0
    • +271
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
    • -2
    • +2
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
  1. … 20 more files in changeset.
Allow signature verification file generation

This commit adds the ability to generate a verification file which relies
on PGP signature verification. With this mode, Gradle will download the
signatures and verify them. Depending on the result of verification,
Gradle will either:

- automatically add trusted keys if verification passed
- automatically ignore keys if they couldn't be downloaded
- automatically ignore keys if verification failed

If verification failed or a key couldn't be downloaded, a
WARNING will be issued to encourage the user to verify what
happened.

In order to reduce the size of the verification file, Gradle will
also automatically perform "normalization" of verifications by
configuring globally trusted keys for artifacts which share the same
group or a common super group.

    • -0
    • +5
    ./resolve/verification/AbstractSignatureVerificationIntegrationTest.groovy
    • -0
    • +228
    ./resolve/verification/DependencyVerificationSignatureWriteIntegTest.groovy
    • -2
    • +2
    ./resolve/verification/DependencyVerificationWritingIntegTest.groovy
  1. … 20 more files in changeset.
Add ability to ignore keys for a specific artifact

The use case for this is whenever the signature for an artifact fails, but
for some reason the user still trusts the artifact. For example, a POM
file is different between different repositories because it happened
to be published twice with different timestamps.

In this case it is recommended to ignore the signature; however, we
_will_ fall back on checksum verification.

    • -3
    • +41
    ./resolve/verification/DependencyVerificationSignatureCheckIntegTest.groovy
  1. … 13 more files in changeset.