Karl/BobStore
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

gradle dependency verification is too buggy with .pom metadata

Browse Source 
This disables the verification of .pom files.  .pom files can add
dependencies, so it would be good to have them verified.  But since this
current setup requires all JAR to be verified, any new dependencies would
fail anyway:
https://docs.gradle.org/current/userguide/dependency_verification.html#sec:disabling-metadata-verification

In some cases everything works fine, like on gitlab-ci, and in other places
it always gives errors like this:

```
A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
  4 artifacts failed verification:
    - all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
    - jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
    - oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
    - oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
  This can indicate that a dependency has been compromised. Please carefully verify the checksums.

  Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1603359642220/dependency-verification-report.html
```

@glennmen and @eighthave both are getting that error.
This commit is contained in:
Hans-Christoph Steiner 2020-10-22 11:48:37 +02:00
parent 2b57f49734
commit 4640146842
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
gradle/verification-metadata.xml
View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd"> <verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
<configuration> <configuration>
<verify-metadata>true</verify-metadata> <verify-metadata>false</verify-metadata>
<verify-signatures>true</verify-signatures> <verify-signatures>true</verify-signatures>
<trusted-keys> <trusted-keys>
<trusted-key id="0394681addddb4f6388a64d295123567c1886c47" group="ch.acra" name="acra" version="4.9.1"/> <trusted-key id="0394681addddb4f6388a64d295123567c1886c47" group="ch.acra" name="acra" version="4.9.1"/>