DependencyVerificationsXmlReaderTest.groovy

Fix use of schema location

The code was using `xmlns` instead of `xsi`.

    -1 / +1  ./DependencyVerificationsXmlReaderTest.groovy  (… 5 more files in changeset)
Make dependency verification XSD more explicit

By using `dependency-verification` in the URL and file name.

    -2 / +2  ./DependencyVerificationsXmlReaderTest.groovy  (… 4 more files in changeset)
Add an XML schema for the verification file

    -0 / +12  ./DependencyVerificationsXmlReaderTest.groovy  (… 4 more files in changeset)
Regroup trusted keys for readability

If a single key is trusted multiple times for different artifacts, we now regroup the artifact coordinates under the `trusted-key` tag.

    -27 / +37  ./DependencyVerificationsXmlReaderTest.groovy  (… 4 more files in changeset)
Add ability to ignore keys for a specific artifact

The use case for this is whenever the signature for an artifact fails, but for some reason the user still trusts the artifact. For example, a POM file is different between different repositories because it happened to be published twice with different timestamps.

In this case it is recommended to ignore the signature; however, we _will_ fall back on checksum verification.

    -3 / +40  ./DependencyVerificationsXmlReaderTest.groovy  (… 13 more files in changeset)
Sort entries when building the verification map

This is from user feedback: it seems to be easier to read/update the contents of the verification file if entries are sorted. If it's done correctly, then a new version of a module would be written close to the existing one, making it easier to do manual cleanup of the file.

    -31 / +34  ./DependencyVerificationsXmlReaderTest.groovy  (… 3 more files in changeset)
Add support for globally trusted keys

A globally trusted key can be used to trust a number of modules and greatly simplifies configuration: instead of having to specify checksums for all modules, a user can declare the keys they trust and use a similar syntax to trusted artifacts to say to what group/name/version the key applies.

It's often the case that the same keys are used for several artifacts of the same group or same company, so this makes it possible to avoid a lot of boilerplate as long as the artifacts are signed by the same keys.

    -0 / +53  ./DependencyVerificationsXmlReaderTest.groovy  (… 9 more files in changeset)
Add support for ignored keys

Ignored keys can be used in case verification of a signature isn't possible because a key isn't available anymore (lost, not published to a key server, ...).

It's worth noting that if a component cannot be verified by at least one public key, then verification will fall back to checksum verification.

    -0 / +17  ./DependencyVerificationsXmlReaderTest.groovy  (… 17 more files in changeset)
Initial implementation of verification of signatures

This commit introduces _signature_ verification. Signature verification is stronger than checksum verification and must be enabled explicitly, by adding `<signature-verification>true</signature-verification>` to the dependency verification configuration file.

Once such verification is enabled, Gradle will do its best to verify the signature of artifacts. This means:

- it will try to download the .asc file associated with an artifact
- if it's present, it will automatically download the public keys of the signature and verify that the file matches the signatures
- if _any_ of the signature verifications fails, the build fails
- if a public key is not trusted explicitly, the build fails
- if signature verification succeeds, no checksum verification is performed

Currently it's not possible to perform checksum verification for some modules and signature verification for others. All modules must declare all trusted keys.

If a key cannot be downloaded, verification will fail. It's not possible to ignore a key for now. It's not possible to fall back to checksum verification.

    -3 / +29  ./DependencyVerificationsXmlReaderTest.groovy  (… 61 more files in changeset)
Remove arbitrary limitation of trusted artifacts

This will let users filter by whatever they need. Typically at Gradle we won't care about checking javadocs or sources so we only need the "artifact" part.

    -11 / +3  ./DependencyVerificationsXmlReaderTest.groovy  (… 3 more files in changeset)
Make it possible to trust some modules

There are cases where it makes sense to trust some modules. For example, a company using a frequent release pace may want to trust their company artifacts (changing often, so painful to update the configuration) more than the external dependencies.

This gives the opportunity to tell which modules are trusted. The configuration requires at least a group name, but modules can be trusted on the whole (group, name, version, file name) tuple.

It is also possible to use regular expressions, for example one could use:

`<trust group="com[.]mycompany[.].*"/>`

    -0 / +77  ./DependencyVerificationsXmlReaderTest.groovy  (… 10 more files in changeset)
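The commits above ("Make it possible to trust some modules", "Initial implementation of verification of signatures", "Add support for ignored keys", "Add ability to ignore keys for a specific artifact" and "Add support for globally trusted keys") together describe one decision procedure: a trusted module is accepted outright; otherwise a signature made with a trusted, downloadable key accepts the artifact without checksums; an ignored key (globally or for one file) is skipped; an untrusted, missing or non-verifying key fails the build; and when no key could verify the artifact, the recorded checksums decide. The following Python model is an added example written for this page, not Gradle's code. Signature checks are simulated by a key-id-to-boolean mapping so it runs offline, and the container names (`Policy`, `trusted_keys`, `ignored_keys_for_file`, the outcome strings) are assumptions rather than Gradle identifiers; only the `<trust group=.../>` regex semantics follow the commit text.

```python
import re
from dataclasses import dataclass, field

# Added example, not Gradle's code: a model of the verification decision the
# commit messages describe. Signature checks are simulated (key id -> bool) so
# the example runs offline; names such as `Policy`, `trusted_keys`,
# `ignored_keys_for_file` and the outcome strings are assumptions.


@dataclass(frozen=True)
class Artifact:
    group: str
    name: str
    version: str
    file: str


def _match(scope: dict, artifact: Artifact) -> bool:
    """Each attribute in `scope` is a regex that must fully match the artifact;
    an empty scope matches everything (this is how <trust group="..."/> works)."""
    return all(re.fullmatch(pattern, getattr(artifact, attr))
               for attr, pattern in scope.items())


@dataclass
class Policy:
    signature_verification: bool = False
    # <trust group="..." name="..." version="..." file="..."/> rules (group is required)
    trusted_artifacts: list = field(default_factory=list)
    # key id -> list of scopes a globally trusted key applies to ({} = any artifact)
    trusted_keys: dict = field(default_factory=dict)
    # globally ignored key ids, and key ids ignored for one specific file
    ignored_keys: set = field(default_factory=set)
    ignored_keys_for_file: dict = field(default_factory=dict)
    # file name -> {algorithm: set of accepted values}; alternates are extra members
    checksums: dict = field(default_factory=dict)

    def key_trusted_for(self, key_id: str, artifact: Artifact) -> bool:
        return any(_match(scope, artifact) for scope in self.trusted_keys.get(key_id, []))

    def key_ignored_for(self, key_id: str, artifact: Artifact) -> bool:
        return (key_id in self.ignored_keys
                or key_id in self.ignored_keys_for_file.get(artifact.file, set()))


def verify(policy: Policy, artifact: Artifact, signatures, available_keys, computed) -> str:
    """Decide how `artifact` is accepted.

    signatures: key id -> whether the .asc signature made by that key verifies
                against the downloaded file, or None when no .asc file exists
    available_keys: key ids that could be downloaded from a key server
    computed: {algorithm: hex digest} of the downloaded file
    """
    # 1. Trusted modules are accepted without any verification.
    if any(_match(rule, artifact) for rule in policy.trusted_artifacts):
        return "trusted-artifact"
    # 2. Signature verification, when enabled and an .asc file is present.
    if policy.signature_verification and signatures is not None:
        verified_by_trusted_key = False
        for key_id, signature_ok in signatures.items():
            if policy.key_ignored_for(key_id, artifact):
                continue  # an ignored key never verifies; checksums decide instead
            if key_id not in available_keys:
                return f"fail: key {key_id} could not be downloaded"
            if not signature_ok:
                return f"fail: signature made with {key_id} does not match"
            if not policy.key_trusted_for(key_id, artifact):
                return f"fail: key {key_id} is not trusted for {artifact.file}"
            verified_by_trusted_key = True
        if verified_by_trusted_key:
            return "signature-ok"  # no checksum verification is performed
    # 3. Fallback: the file must match one of the recorded (or alternate) checksums.
    expected = policy.checksums.get(artifact.file, {})
    for algorithm, digest in computed.items():
        if digest in expected.get(algorithm, set()):
            return f"checksum-ok:{algorithm}"
    return f"fail: no verified signature and no matching checksum for {artifact.file}"


def example_policy() -> Policy:
    """Constructed sample configuration: one trusted group, one key trusted for
    org.example, one lost key ignored everywhere, one key ignored for a POM that
    was published twice, and two accepted SHA-512 values for that POM."""
    return Policy(
        signature_verification=True,
        trusted_artifacts=[{"group": r"com[.]mycompany[.].*"}],
        trusted_keys={"KEYA": [{"group": r"org[.]example"}]},
        ignored_keys={"LOSTKEY"},
        ignored_keys_for_file={"twice-1.0.pom": {"KEYA"}},
        checksums={"twice-1.0.pom": {"sha512": {"aaaa", "bbbb"}}},
    )


if __name__ == "__main__":
    policy = example_policy()
    jar = Artifact("org.example", "lib", "1.0", "lib-1.0.jar")
    pom = Artifact("org.example", "lib", "1.0", "twice-1.0.pom")
    print(verify(policy, jar, {"KEYA": True}, {"KEYA"}, {}))
    print(verify(policy, pom, {"KEYA": False}, {"KEYA"}, {"sha512": "bbbb"}))
```

The POM case in the usage is the scenario from "Add ability to ignore keys for a specific artifact": the signature does not match the copy that was downloaded, the key is ignored for that one file, and the artifact is still accepted because its checksum is one of the recorded values. With `signature_verification=False` the function goes straight to step 3, which is the checksum-only mode the earlier commits implement.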
Make it possible to disable metadata verification

This commit introduces basic configuration for dependency verification. The only thing that is configurable now is the ability to disable verification of metadata. This can be useful whenever the user only wants to trust artifacts, because addition of metadata in verification files can be quite verbose.

    -0 / +18  ./DependencyVerificationsXmlReaderTest.groovy  (… 14 more files in changeset)
Make verification model more resilient to real world projects

Dogfooding the Gradle build with dependency verification proved to be helpful. There are quite a few cases where we discover dependencies which come from different repositories. Repositories can also be mirrored and sometimes the mirror doesn't mirror what it was supposed to.

The problem is that working around, for example by fixing the mirrors or figuring out how to fetch a dependency from the right place, can be tricky. It's often easier to go and check the dependency and/or metadata and approve it.

For this purpose, the verification metadata file now includes the ability to have "alternate", trusted checksums. It also adds the ability to tell where a checksum comes from, as an indication to the reader. Checksums generated by Gradle will be marked as such, and therefore a reader can see that they are less "trustworthy" than checksums fetched by a human.

    -8 / +33  ./DependencyVerificationsXmlReaderTest.groovy  (… 12 more files in changeset)
De-duplicate entries based on file name instead of artifact id

Because Gradle internally sometimes uses `DefaultModuleComponentArtifactIdentifier` or `ModuleComponentFileArtifactIdentifier` for the same artifact depending on the context, we can't rely on equality here. This commit changes the internal verification structure to rely on the file name, which is more consistent and fixes duplication issues.

    -4 / +4  ./DependencyVerificationsXmlReaderTest.groovy  (… 8 more files in changeset)
Use file names instead of Ivy artifact names for comparison

This commit reworks the generation of the verification file and verification itself in order to use the file name instead of the Ivy artifact name. This is done because in the case of Gradle module metadata, the file name of an artifact is not necessarily directly bound to the module name, which causes comparison issues.

    -5 / +5  ./DependencyVerificationsXmlReaderTest.groovy  (… 10 more files in changeset)
Generate checksum file for dependency verification

This commit introduces the generation of a dependency verification metadata file from the CLI. If the user calls `--write-verification-metadata`, then an XML file is generated (`gradle/verification-metadata.xml`).

This file will contain the checksums for all artifacts required by a build, which includes:

- plugin artifacts
- jars and other artifacts requested via a `configuration`
- secondary artifacts (javadocs, classifiers, ...)

It does NOT include metadata of those artifacts (pom files, ivy files, Gradle Module metadata).

It isn't required to resolve any configuration to get this behavior: the build will automatically process all resolvable configurations and _try_ to resolve them automatically. All artifacts resolved during this process are going to be automatically downloaded (if not already). Then SHA-1 and SHA-512 checksums are computed for all those artifacts.

The current format is an XML file planned to support more than just artifacts: module metadata AND signature information is planned.

See #11398

    -0 / +117  ./DependencyVerificationsXmlReaderTest.groovy  (… 32 more files in changeset)
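The generation side is spread over several of the commits above: "Generate checksum file for dependency verification" (SHA-1 and SHA-512 for every resolved artifact), "Use file names instead of Ivy artifact names" and "De-duplicate entries based on file name" (key entries by file name so one file seen through two identifier types or two repositories is recorded once), "Sort entries when building the verification map" (a new version lands next to the old one) and "Make verification model more resilient" (mark machine-generated checksums with their origin). The writer below is an added example for this page, not Gradle's own generator. It computes the digests with `hashlib`, keys and sorts the map as those commits describe, and emits the file with an `xsi:schemaLocation` attribute, the detail the first commit on this page corrected. The namespace URL, the XSD file name and the element and attribute names (`components`, `component`, `artifact`, `sha1`/`sha512` with `value` and `origin`) are assumptions drawn from Gradle's published format, not from the commit text; the origin string "Generated by Gradle" follows the marking the commit describes.

```python
import hashlib
import xml.etree.ElementTree as ET

# Added example, not Gradle's code: a minimal writer for the verification
# metadata file described in the commits above. The namespace URL, schema file
# name and element/attribute names are assumptions based on the public Gradle
# format; the page itself only names the file, the algorithms and the origin marking.

NS = "https://schema.gradle.org/dependency-verification"     # assumed namespace URL
XSD = f"{NS}/dependency-verification-1.0.xsd"                  # assumed schema location
XSI = "http://www.w3.org/2001/XMLSchema-instance"
ALGORITHMS = ("sha1", "sha512")
GENERATED = "Generated by Gradle"   # origin marking for machine-written checksums


def checksums(data: bytes) -> dict:
    """SHA-1 and SHA-512 hex digests of one downloaded artifact."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGORITHMS}


def build_verification_map(resolved) -> dict:
    """resolved: (group, name, version, file_name, bytes) for every artifact seen
    while resolving all resolvable configurations. Entries are keyed by file name
    inside a component rather than by artifact identifier, so the same file met
    twice (two repositories, two identifier types) is recorded once. Components
    and their artifacts are sorted so a new version lands next to the old one."""
    components = {}
    for group, name, version, file_name, data in resolved:
        artifacts = components.setdefault((group, name, version), {})
        artifacts.setdefault(file_name, checksums(data))
    return {key: dict(sorted(arts.items())) for key, arts in sorted(components.items())}


def to_xml(verification_map: dict, origin: str = GENERATED) -> str:
    """Serialize the map as verification-metadata.xml. The schema location goes in
    xsi:schemaLocation (the xmlns: prefix used before the first commit above was wrong)."""
    ET.register_namespace("", NS)
    ET.register_namespace("xsi", XSI)
    root = ET.Element(f"{{{NS}}}verification-metadata")
    root.set(f"{{{XSI}}}schemaLocation", f"{NS} {XSD}")
    comps = ET.SubElement(root, f"{{{NS}}}components")
    for (group, name, version), artifacts in verification_map.items():
        comp = ET.SubElement(comps, f"{{{NS}}}component",
                             group=group, name=name, version=version)
        for file_name, sums in artifacts.items():
            art = ET.SubElement(comp, f"{{{NS}}}artifact", name=file_name)
            for algo, value in sums.items():
                # Every checksum written here is machine-generated, so mark it as such;
                # a human-verified alternate would carry a different origin.
                ET.SubElement(art, f"{{{NS}}}{algo}", value=value, origin=origin)
    return ET.tostring(root, encoding="unicode")


# Constructed sample input: the same jar reported twice (as happens when two
# identifier types or two repositories describe one file), a sources jar and a
# plugin jar, deliberately given out of order.
SAMPLE_RESOLVED = [
    ("org.example", "lib", "1.0", "lib-1.0.jar", b"jar bytes"),
    ("org.example", "lib", "1.0", "lib-1.0.jar", b"jar bytes"),
    ("org.example", "lib", "1.0", "lib-1.0-sources.jar", b"sources bytes"),
    ("com.acme", "plugin", "2.1", "plugin-2.1.jar", b"plugin bytes"),
]

if __name__ == "__main__":
    print(to_xml(build_verification_map(SAMPLE_RESOLVED)))
```

Running the block prints one `component` per (group, name, version) with its artifacts in file-name order; the duplicated jar appears once, and every digest element carries `origin="Generated by Gradle"` so a reviewer can tell a machine-written entry from one a human confirmed.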