It turns out that some of the dependencies in the Google Offline Components
downloadable maven repository have difference to the ones Google publishes
to maven.google.com. WTF. In any case, the new Gradle Dependency
Verification feature handles this gracefully. I manually verified the
diffs between the two using diffoscope. One just differed by timestamps in
the ZIP header, and the other just differed by linefeeds at the end of the
file. Then I generated this metadata update using:
`./gradlew --write-verification-metadata pgp,sha256`
* https://developer.android.com/studio#offline
This fully replaces gradle-witness and goes far beyond what it offered. As
far as I can tell, this actually will verify every single artifact that
gradle downloads and uses.
This was generated in two passes to get both the PGP and the SHA256 info:
```
./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys
./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest
```
Thanks to @vlsi who made me aware of this, and helped make it possible.
closes!837
We need compileSdk 28 and the required AGP and gradle versions, as well
as updating to compatible support library revisions.
minSdk and targetSdk needs to move to build.gradle from manifest.
buildToolsVersion isn't used anymore.
Also remove the 2.11 restriction on the root build.gradle file. It's
unnecessary, as the Android plugin will already error if the version is
too old. This means that the build will work on any version that is new
enough, which should be 2.10-2.12 at the time of writing.
