plugins

Remove unthrown exception declarations and unneeded string escapes

    • -1
    • +1
    ./signing/signatory/pgp/PgpSignatory.java
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verification fails, fails the build
- if a public key is not trusted explicitly, fails the build
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.

    • -5
    • +2
    ./signing/signatory/pgp/PgpSignatory.java
  1. … 63 more files in changeset.
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verification fails, fails the build
- if a public key is not trusted explicitly, fails the build
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.

    • -5
    • +2
    ./signing/signatory/pgp/PgpSignatory.java
  1. … 62 more files in changeset.
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verification fails, fails the build
- if a public key is not trusted explicitly, fails the build
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.

    • -5
    • +2
    ./signing/signatory/pgp/PgpSignatory.java
  1. … 61 more files in changeset.
Safety net around security provider

    • -1
    • +3
    ./signing/signatory/pgp/PgpSignatory.java
Split the `signing` module

This commit splits the `signing` module into another `security` project so that we can reuse some code for dependency verification. It's worth noting that some of the classes had to remain in the `plugins` package because they were public APIs. Further effort to split them out may be done later.

    • -0
    • +61
    ./signing/signatory/Signatory.java
    • -0
    • +32
    ./signing/signatory/SignatorySupport.java
    • -0
    • +20
    ./signing/signatory/package-info.java
    • -0
    • +112
    ./signing/signatory/pgp/PgpKeyId.java
    • -0
    • +123
    ./signing/signatory/pgp/PgpSignatory.java
    • -0
    • +182
    ./signing/signatory/pgp/PgpSignatoryFactory.java
    • -0
    • +20
    ./signing/signatory/pgp/package-info.java
    • -0
    • +67
    ./signing/type/AbstractSignatureType.java
    • -0
    • +62
    ./signing/type/AbstractSignatureTypeProvider.java
    • -0
    • +27
    ./signing/type/BinarySignatureType.java
    • -0
    • +32
    ./signing/type/DefaultSignatureTypeProvider.java
    • -0
    • +70
    ./signing/type/SignatureType.java
    • -0
    • +30
    ./signing/type/SignatureTypeProvider.java
    • -0
    • +20
    ./signing/type/package-info.java
    • -0
    • +45
    ./signing/type/pgp/ArmoredSignatureType.java
  1. … 58 more files in changeset.