foojay-toolchains

Support declaring expected checksum

Open dsvensson opened this issue 1 year ago • 0 comments

Just like the Gradle wrapper can be configured to verify a checksum, fetching the JVM should have a similar mechanism to verify that what is installed is what is expected to be installed.

tasks {
	wrapper {
		gradleVersion = "8.5"
		distributionUrl = "https://services.gradle.org/distributions/gradle-${gradleVersion}-bin.zip"
		distributionSha256Sum = "9d926787066a081739e8200858338b4a69e837c3a821a33aca9db09dd4a41026"
	}
}

This would have to take into account different checksums for different operating systems and architectures.

A more convenient version of this would be to at least verify release signatures using the local keychain already used for dependency verification, to not get in the way of minor-version bumps.

dsvensson, Apr 16 '24 08:04
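
An added example, not from the issue or from the foojay-toolchains project: one way to check a downloaded JDK archive against a SHA-256 declared per operating system and architecture, which is the case the issue says a checksum option would have to handle. The pin table, the function names and the digests are hypothetical placeholders.

```kotlin
import java.io.File
import java.security.MessageDigest

// Hypothetical pin table: one expected SHA-256 per (os, arch) the build supports.
// The digests are constructed placeholders, not real JDK archive checksums.
val expectedSha256 = mapOf(
    "linux-x86_64" to "0".repeat(64),
    "linux-aarch64" to "1".repeat(64),
    "macos-aarch64" to "2".repeat(64),
    "windows-x86_64" to "3".repeat(64),
)

// Normalise the JVM's os.name / os.arch values into the keys used above.
fun platformKey(osName: String, osArch: String): String {
    val n = osName.lowercase()
    val os = when {
        n.startsWith("linux") -> "linux"
        n.startsWith("mac") -> "macos"
        n.startsWith("windows") -> "windows"
        else -> error("unsupported OS: $osName")
    }
    val arch = when (osArch.lowercase()) {
        "amd64", "x86_64" -> "x86_64"
        "aarch64", "arm64" -> "aarch64"
        else -> error("unsupported architecture: $osArch")
    }
    return "$os-$arch"
}

// Stream the archive through SHA-256 so a large JDK download is not held in memory.
fun sha256(file: File): ByteArray {
    val md = MessageDigest.getInstance("SHA-256")
    val buf = ByteArray(64 * 1024)
    file.inputStream().use { input ->
        generateSequence { input.read(buf).takeIf { it >= 0 } }.forEach { md.update(buf, 0, it) }
    }
    return md.digest()
}

fun hexToBytes(hex: String) = hex.chunked(2).map { it.toInt(16).toByte() }.toByteArray()

// Fail closed: a platform without a declared pin is an error, not a skipped check.
fun verifyArchive(file: File, pins: Map<String, String>, key: String) {
    val pinned = pins[key] ?: error("no checksum declared for $key")
    check(MessageDigest.isEqual(sha256(file), hexToBytes(pinned))) {
        "checksum mismatch for ${file.name} on $key"
    }
}
```

Call `verifyArchive(archive, expectedSha256, platformKey(System.getProperty("os.name"), System.getProperty("os.arch")))` on the downloaded file before it is unpacked, so a mismatch stops the install rather than being detected afterwards.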