[bisq-network/bisq] Replace gradle-witness with gradle verification (#5503)

cd2357 notifications at github.com
Tue May 18 09:57:50 CEST 2021


Remove dependency on gradle-witness. Add config file for the built-in Gradle verification mechanism. Bootstrap initial list of hashes.

I have checked previously known hashes in `gradle-witness.gradle` and confirmed they are present in the new hashes list in `verification-metadata.xml` (this can be double-checked by reviewers as well).

As opposed to `gradle-witness`, which could only verify dependencies, the Gradle verification task covers both dependencies and plugins.

In addition to checksum verification, the Gradle task also has support for PGP verification.

Usage:
  - The task is called automatically during build. It succeeds if all used dependencies and plugins match the defined hashes, fails otherwise.
  - If new dependencies are added, or a dependency version is changed, use `./gradlew --write-verification-metadata sha256 clean build -x ` to *optimistically* bootstrap the list of hashes. The `clean build` at the end is necessary for Gradle to navigate the entire dependency tree of all Bisq submodules and find any new or changed dependency. Alternatively, the hash can be manually retrieved from the dependency's repo and added to `verification-metadata.xml`.

For details, see https://docs.gradle.org/current/userguide/dependency_verification.html

For details on bootstrapping the initial hashes, see https://docs.gradle.org/current/userguide/dependency_verification.html#sec:bootstrapping-verification

You can view, comment on, or merge this pull request online at:

  https://github.com/bisq-network/bisq/pull/5503

-- Commit Summary --

  * Replace gradle-witness with gradle verification

-- File Changes --

    M build.gradle (3)
    M docs/tor-upgrade.md (3)
    A gradle/verification-metadata.xml (2467)
    D gradle/witness/gradle-witness.gradle (89)
    D gradle/witness/gradle-witness.jar (0)

-- Patch Links --

https://github.com/bisq-network/bisq/pull/5503.patch
https://github.com/bisq-network/bisq/pull/5503.diff
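
Added example, not part of the original pull request or of Bisq's code: one way a reviewer could repeat the cross-check described above, confirming that every hash pinned in the old `gradle-witness.gradle` still appears for the same module in `verification-metadata.xml`. It assumes the gradle-witness list uses `'group:name:sha256'` entries; the function names and both sample inputs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}

# Constructed sample; assumes gradle-witness pins look like 'group:name:sha256'.
WITNESS = """verify = [
    'org.example:alpha:%s',
    'org.example:beta:%s',
    'org.example:gamma:%s',
]""" % ("a" * 64, "b" * 64, "c" * 64)

# Constructed sample in the verification-metadata.xml layout.
METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="org.example" name="alpha" version="1.0">
      <artifact name="alpha-1.0.jar"><sha256 value="%s"/></artifact>
      <artifact name="alpha-1.0.pom"><sha256 value="%s"/></artifact>
    </component>
    <component group="org.example" name="beta" version="2.0">
      <artifact name="beta-2.0.jar"><sha256 value="%s"/></artifact>
    </component>
  </components>
</verification-metadata>""" % ("A" * 64, "d" * 64, "e" * 64)

def witness_pins(text):
    """Return [(group, name, sha256)] from a gradle-witness verify list."""
    pat = re.compile(r"'([^:']+):([^:']+):([0-9a-fA-F]{64})'")
    return [(g, n, h.lower()) for g, n, h in pat.findall(text)]

def metadata_hashes(xml_text):
    """Return {(group, name): {sha256, ...}} across all versions and artifacts."""
    out = {}
    for comp in ET.fromstring(xml_text).iterfind("g:components/g:component", NS):
        digests = out.setdefault((comp.get("group"), comp.get("name")), set())
        for sha in comp.iterfind("g:artifact/g:sha256", NS):
            digests.add(sha.get("value", "").lower())
    return out

def cross_check(witness_text, xml_text):
    """Classify each old pin as carried over, changed, or absent from the new file."""
    new = metadata_hashes(xml_text)
    report = {"ok": [], "mismatch": [], "missing": []}
    for group, name, digest in witness_pins(witness_text):
        found = new.get((group, name))
        status = "missing" if not found else "ok" if digest in found else "mismatch"
        report[status].append(f"{group}:{name}")
    return report
```

To run it against a real checkout, pass `cross_check` the text of the deleted `gradle/witness/gradle-witness.gradle` (from git history) and of `gradle/verification-metadata.xml`. A `mismatch` or `missing` entry means an old pin was not carried over and needs a manual look.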
