enable built-in gradle dependency verification

This fully replaces gradle-witness and goes far beyond what it offered. As
far as I can tell, this actually will verify every single artifact that
gradle downloads and uses.

This was generated in two passes to get both the PGP and the SHA256 info:

./gradlew --write-verification-metadata pgp,sha256 build connectedFullDebugAndroidTest --export-keys
./gradlew --write-verification-metadata sha256 build connectedFullDebugAndroidTest

Thanks to  @vlsi who made me aware of this, and helped make it possible.
closes !837
parent dc936869
*.gpg binary
......@@ -53,7 +53,7 @@ errorprone:
stage: test
- cat config/errorprone.gradle >> app/build.gradle
- ./gradlew assembleDebug
- ./gradlew -Dorg.gradle.dependency.verification=lenient assembleDebug
# once these prove stable, the task should be switched to
# connectedCheck to test all the build flavors
This diff was suppressed by a .gitattributes entry.
This diff is collapsed.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment