<p>Same here, was also looking for alternatives.</p>
<p>Some of the issues with <code>gradle-witness</code> I found:</p>
<ul>
<li>it doesn't check transitive dependencies (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="443014545" data-permission-text="Title is private" data-url="https://github.com/signalapp/gradle-witness/issues/33" data-hovercard-type="issue" data-hovercard-url="/signalapp/gradle-witness/issues/33/hovercard" href="https://github.com/signalapp/gradle-witness/issues/33">signalapp/gradle-witness#33</a>)</li>
<li>it doesn't verify plugins, only dependencies (<a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="892670665" data-permission-text="Title is private" data-url="https://github.com/bisq-network/bisq/issues/5497" data-hovercard-type="pull_request" data-hovercard-url="/bisq-network/bisq/pull/5497/hovercard?comment_id=842226991&comment_type=issue_comment" href="https://github.com/bisq-network/bisq/pull/5497#issuecomment-842226991">#5497 (comment)</a>)</li>
<li>your issue described above</li>
<li>far fewer hashes in <code>gradle-witness.gradle</code> than actual dependencies used in the build</li>
</ul>
<p>Seems to give a false sense of security.</p>
<p>Related older thread: <a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="378601497" data-permission-text="Title is private" data-url="https://github.com/bisq-network/bisq/issues/1897" data-hovercard-type="issue" data-hovercard-url="/bisq-network/bisq/issues/1897/hovercard" href="https://github.com/bisq-network/bisq/issues/1897#issue-378601497">#1897 (comment)</a></p>
<p>Main solutions I came across so far:</p>
<ul>
<li><a href="https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin">https://github.com/vlsi/vlsi-release-plugins/tree/master/plugins/checksum-dependency-plugin</a>
<ul>
<li>From their README: <em><code>Checksum Dependency Plugin</code> is probably the first plugin that is able to verify Gradle Plugins and<br>
that is able to use PGP for trust-based verification.</em></li>
</ul>
</li>
<li><a class="issue-link js-issue-link" data-error-text="Failed to load title" data-id="489105124" data-permission-text="Title is private" data-url="https://github.com/gradle/gradle/issues/10443" data-hovercard-type="issue" data-hovercard-url="/gradle/gradle/issues/10443/hovercard" href="https://github.com/gradle/gradle/issues/10443">gradle/gradle#10443</a></li>
</ul>
<p>cc <a class="team-mention js-team-mention" data-error-text="Failed to load team members" data-id="3638643" data-permission-text="Team members are private" data-url="/orgs/bisq-network/teams/bisq-devs/members" data-hovercard-type="team" data-hovercard-url="/orgs/bisq-network/teams/bisq-devs/hovercard" href="https://github.com/orgs/bisq-network/teams/bisq-devs">@bisq-network/bisq-devs</a> : If you have other ideas, add as comments below.</p>
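<p>As an added example, not part of this comment or of any of the projects linked above: a small Python audit that compares the coordinates pinned in a <code>gradle-witness.gradle</code> verify list against the dependency tree Gradle actually resolves, so the gap described in the list above (transitive dependencies and artifacts with no hash at all) becomes a concrete report. It assumes the <code>'group:name:version:sha256'</code> entry format of gradle-witness and the tree format printed by <code>gradle dependencies</code>; both inputs below are constructed samples and the hash values are placeholders.</p>

```python
import re

# Constructed sample of a gradle-witness.gradle verify block (placeholder hashes, not real digests).
WITNESS_GRADLE = """
dependencyVerification {
    verify = [
        'com.google.guava:guava:20.0:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
        'org.slf4j:slf4j-api:1.7.30:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210',
    ]
}
"""

# Constructed excerpt of `gradle dependencies --configuration runtimeClasspath` output.
DEPS_OUTPUT = """
runtimeClasspath - Runtime classpath of source set 'main'.
+--- com.google.guava:guava:20.0
|    +--- com.google.code.findbugs:jsr305:1.3.9
|    \\--- com.google.errorprone:error_prone_annotations:2.0.15
+--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30
\\--- ch.qos.logback:logback-classic:1.2.3
     +--- ch.qos.logback:logback-core:1.2.3
     \\--- org.slf4j:slf4j-api:1.7.25 -> 1.7.30 (*)

(*) - dependencies omitted (listed previously)
"""

# One verify-list entry: 'group:name:version:sha256hex'
VERIFY_RE = re.compile(r"'([^:']+):([^:']+):([^:']+):([0-9a-fA-F]{64})'")
# One tree node: drawing characters, '---', coordinates, optional '-> resolvedVersion'
NODE_RE = re.compile(r"^[\s|+\\-]*---\s+([^\s:]+):([^\s:]+):(\S+)(?:\s+->\s+(\S+))?")


def pinned_coordinates(witness_text):
    """Return the set of group:name:version that carry a hash in the verify list."""
    return {f"{g}:{n}:{v}" for g, n, v, _ in VERIFY_RE.findall(witness_text)}


def resolved_coordinates(tree_text):
    """Return every resolved group:name:version in the tree, transitive nodes included.
    A '-> X' suffix means Gradle's conflict resolution selected version X instead."""
    coords = set()
    for line in tree_text.splitlines():
        m = NODE_RE.match(line)
        if m:
            group, name, declared, resolved = m.groups()
            coords.add(f"{group}:{name}:{resolved or declared}")
    return coords


def unpinned(witness_text, tree_text):
    """Coordinates that end up on the classpath but have no hash in the verify list."""
    return sorted(resolved_coordinates(tree_text) - pinned_coordinates(witness_text))


if __name__ == "__main__":
    for coord in unpinned(WITNESS_GRADLE, DEPS_OUTPUT):
        print("no hash pinned for", coord)
```

<p>Run against the real <code>gradle-witness.gradle</code> and the real <code>gradle dependencies</code> output, every printed line is an artifact the build will accept without any hash check.</p>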
