allow differing sha256 values in Google Maven vs Android Offline
It turns out that some of the dependencies in the Google Offline Components downloadable maven repository have difference to the ones Google publishes to maven.google.com. WTF. In any case, the new Gradle Dependency Verification feature handles this gracefully. I manually verified the diffs between the two using diffoscope. One just differed by timestamps in the ZIP header, and the other just differed by linefeeds at the end of the file. Then I generated this metadata update using:
./gradlew --write-verification-metadata pgp,sha256