Fix use of schema location

The code was using `xmlns` instead of `xsi`

    • -1
    • +1
    ./DependencyVerificationsXmlWriter.java
  1. … 5 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file name.

    • -1
    • +1
    ./DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file name.

    • -2
    • +2
    ./DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Add an XML schema for the verification file

    • -0
    • +3
    ./DependencyVerificationsXmlWriter.java
  1. … 4 more files in changeset.
Regroup trusted keys for readability

If a single key is trusted multiple times for different artifacts, we now regroup the artifact coordinates under the `trusted-key` tag.

    • -8
    • +31
    ./DependencyVerificationsXmlReader.java
    • -6
    • +30
    ./DependencyVerificationsXmlWriter.java
  1. … 2 more files in changeset.
Add ability to ignore keys for a specific artifact

The use case for this is whenever the signature for an artifact fails, but for some reason the user still trusts the artifact. For example, a POM file is different between different repositories because it happened to be published twice with different timestamps.

In this case it is recommended to ignore the signature, however we _will_ fall back on checksum verification.

    • -4
    • +22
    ./DependencyVerificationsXmlReader.java
    • -4
    • +19
    ./DependencyVerificationsXmlWriter.java
  1. … 11 more files in changeset.
Add support for globally trusted keys

A globally trusted key can be used to trust a number of modules and greatly simplifies configuration: instead of having to specify checksums for all modules, a user can declare the keys they trust and use a similar syntax to trusted artifacts to say to what group/name/version the key applies.

It's often the case that the same keys are used for several artifacts of the same group or same company, so this makes it possible to avoid a lot of boilerplate as long as the artifacts are signed by the same keys.

    • -0
    • +30
    ./DependencyVerificationsXmlReader.java
    • -1
    • +27
    ./DependencyVerificationsXmlWriter.java
  1. … 7 more files in changeset.
Add support for ignored keys

Ignored keys can be used in case verification of a signature isn't possible because a key isn't available anymore (lost, not published to a key server, ...).

It's worth noting that if a component cannot be verified by at least one public key, then verification will fall back to checksum verification.

    • -15
    • +18
    ./DependencyVerificationXmlTags.java
    • -66
    • +107
    ./DependencyVerificationsXmlReader.java
    • -16
    • +54
    ./DependencyVerificationsXmlWriter.java
  1. … 15 more files in changeset.
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verifications fails, fails the build
- if a public key is not trusted explicitly, fails the build
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.

    • -7
    • +44
    ./DependencyVerificationsXmlReader.java
    • -2
    • +37
    ./DependencyVerificationsXmlWriter.java
  1. … 61 more files in changeset.