This fully replaces gradle-witness and goes far beyond what it offered. As
far as I can tell, this actually will verify every single artifact that
gradle downloads and uses.
This was generated in two passes to get both the PGP and the SHA256 info:
```
./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys
./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest
```
Thanks to @vlsi who made me aware of this, and helped make it possible.
closes!837
