This disables the verification of .pom files. .pom files can add
dependencies, so it would be good to have them verified. But since this
current setup requires all JAR to be verified, any new dependencies would
fail anyway:
https://docs.gradle.org/current/userguide/dependency_verification.html#sec:disabling-metadata-verification
In some cases everything works fine, like on gitlab-ci, and in other places
it always gives errors like this:
```
A problem occurred configuring root project 'client'.
> Dependency verification failed for configuration ':classpath'
4 artifacts failed verification:
- all-1.2.0.pom (com.sun.activation:all:1.2.0) from repository MavenRepo
- jvnet-parent-1.pom (net.java:jvnet-parent:1) from repository MavenRepo
- oss-parent-7.pom (org.sonatype.oss:oss-parent:7) from repository MavenRepo
- oss-parent-9.pom (org.sonatype.oss:oss-parent:9) from repository MavenRepo
This can indicate that a dependency has been compromised. Please carefully verify the checksums.
Open this report for more details: file:///home/hans/code/fdroid/client/build/reports/dependency-verification/at-1603359642220/dependency-verification-report.html
```
@glennmen and @eighthave both are getting that error.
It turns out that some of the dependencies in the Google Offline Components
downloadable maven repository have difference to the ones Google publishes
to maven.google.com. WTF. In any case, the new Gradle Dependency
Verification feature handles this gracefully. I manually verified the
diffs between the two using diffoscope. One just differed by timestamps in
the ZIP header, and the other just differed by linefeeds at the end of the
file. Then I generated this metadata update using:
`./gradlew --write-verification-metadata pgp,sha256`
* https://developer.android.com/studio#offline
This fully replaces gradle-witness and goes far beyond what it offered. As
far as I can tell, this actually will verify every single artifact that
gradle downloads and uses.
This was generated in two passes to get both the PGP and the SHA256 info:
```
./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys
./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest
```
Thanks to @vlsi who made me aware of this, and helped make it possible.
closes!837
