## wrapper/gradle-wrapper.properties

Keeps track of the Gradle version used by androidx. When updating the version, a prebuilt of the new version needs to be added to the `tools/external/gradle` repository.

## libs.versions.toml

Keeps track of library and plugin dependencies used by androidx. Adding or updating a library there requires running `./development/importMaven/importMaven.sh myartifact:here:1.0.0` with the artifact's Maven coordinate in place of the placeholder.

## verification-keyring.keys

Checked-in [local keyring](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:local-keyring)
that is used to avoid reaching out to key servers whenever a key is required by Gradle to verify an
artifact.

AndroidX only uses the human-readable `verification-keyring.keys`. Gradle also generates a binary
`verification-keyring.gpg`, but it is optional, and thus we do not use it.

To update this file, after adding the relevant dependencies to the build, run:
```
development/update-verification-metadata.sh
```

## verification-metadata.xml

[Configuration file for Gradle dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html#sub:verification-metadata) used by androidx to make sure dependencies are [signed with trusted signatures](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification) and that unsigned artifacts have [expected checksums](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:checksum-verification).

When adding a new artifact, first run:
```
development/update-verification-metadata.sh
```
to trust the signature (or checksum) of the new artifact.

Then, if any checksums were added, make sure they're associated with a bug that is tracking
an effort to build or acquire a signed version of this dependency. To associate with a bug,
please add an `androidx:reason` attribute whose value is a string containing a URL for a bug filed
either in buganizer or github:

```xml
<component group="g" name="g" version="3.1" androidx:reason="Unsigned b/8675309">
   <artifact name="g-3.1.jar">
      <sha256
            value="f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902"
            origin="Generated by Gradle"
      />
   </artifact>
</component>
```

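The "checksum must be tied to a bug" rule above is easy to check mechanically. The script below is an added example, not part of androidx's tooling or of Gradle: it parses a verification-metadata.xml, skips components that carry a `<pgp>` trust entry, and reports checksum-only components whose `androidx:reason` is missing or names no bug. The XML sample is constructed; the Gradle namespace URI is the one Gradle writes into the file, and the bug-reference pattern (a buganizer or github URL, or the `b/<id>` shorthand used in the example above) is an assumption.

```python
"""Audit a Gradle verification-metadata.xml for checksum-only components that lack an
androidx:reason naming a tracking bug.  Example code added alongside this README,
not part of androidx tooling or Gradle."""
import re
import sys
import xml.etree.ElementTree as ET

# Namespace Gradle writes on verification-metadata.xml.
GRADLE_NS = "https://schema.gradle.org/dependency-verification"
# Artifact checks that are checksums rather than signatures.
CHECKSUM_TAGS = ("md5", "sha1", "sha256", "sha512")
# Assumption: a reason counts as "associated with a bug" if it carries a buganizer URL,
# a github URL, or the b/<id> shorthand used in this README's example.
BUG_REF = re.compile(r"https?://(issuetracker\.google\.com|github\.com)/\S+|\bb/\d+")

# Constructed sample (not an excerpt of the real androidx file): g is justified,
# h has no reason at all, k is signed so it needs none, m has a reason without a bug.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <components>
    <component group="g" name="g" version="3.1" androidx:reason="Unsigned b/8675309">
      <artifact name="g-3.1.jar">
        <sha256 value="f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="h" name="h" version="2.0">
      <artifact name="h-2.0.jar">
        <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="Generated by Gradle"/>
      </artifact>
    </component>
    <component group="k" name="k" version="1.0">
      <artifact name="k-1.0.jar">
        <pgp value="0123456789ABCDEF0123456789ABCDEF01234567"/>
      </artifact>
    </component>
    <component group="m" name="m" version="1.0" androidx:reason="Unsigned">
      <artifact name="m-1.0.jar">
        <sha256 value="1111111111111111111111111111111111111111111111111111111111111111" origin="Generated by Gradle"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
"""


def parse_metadata(text):
    """Parse the file.  expat rejects an undeclared `androidx:` prefix, so bind it to a
    placeholder URI when the file does not declare it itself."""
    if "xmlns:androidx=" not in text:
        text = re.sub(r"<verification-metadata\b",
                      '<verification-metadata xmlns:androidx="urn:androidx"', text, count=1)
    return ET.fromstring(text.encode("utf-8"))


def coordinate(component):
    return "%s:%s:%s" % (component.get("group"), component.get("name"), component.get("version"))


def reason_of(component):
    """Return the androidx:reason value regardless of which URI the prefix is bound to."""
    for key, value in component.attrib.items():
        if key.endswith("}reason"):
            return value
    return None


def audit(text):
    """Return (coordinate, problem) pairs for components verified only by checksum that
    are not tied to a bug."""
    findings = []
    for component in parse_metadata(text).iter("{%s}component" % GRADLE_NS):
        signed = component.find(".//{%s}pgp" % GRADLE_NS) is not None
        checksummed = any(component.find(".//{%s}%s" % (GRADLE_NS, t)) is not None
                          for t in CHECKSUM_TAGS)
        if signed or not checksummed:
            continue
        reason = reason_of(component)
        if reason is None:
            findings.append((coordinate(component), "checksum-only component has no androidx:reason"))
        elif not BUG_REF.search(reason):
            findings.append((coordinate(component), "androidx:reason does not reference a bug: %r" % reason))
    return findings


if __name__ == "__main__":
    # Usage: python audit_verification.py [path/to/verification-metadata.xml]
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    problems = audit(source)
    for coord, problem in problems:
        print("%s: %s" % (coord, problem))
    sys.exit(1 if problems else 0)
```

Run it against the real file in a presubmit step to fail the change when a checksum lands without a bug; components whose trust comes from a `<trusted-keys>` entry never appear under `<components>`, so the heuristic only flags what the README asks for.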
### If that doesn't work

If the artifact is not signed, and does not get automatically added to
verification-metadata.xml when you go through the above process, it's possible it's a
dependency of a [detached configuration](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:bootstrapping-verification).

In this case, your best option may be to generate and add the checksum by hand, to at least
protect against any future tampering with the current artifact file. To do this, for an
artifact file foo.tar.gz, run: `sha256 foo.tar.gz`. This will generate a sha256 checksum that
you can hand-add to verification-metadata.xml following the example of other entries. For
example, this is where the current checksum for kotlin-native-prebuilt-linux-x86_64 came from.
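The hand-add step, as an added example (not androidx's own scripts): compute the sha256 of the downloaded file in chunks, render a `<component>` entry in the layout used above, and recompute later to detect tampering with the cached artifact. The stand-in artifact, its `org.example:foo:1.0` coordinate and the `b/BUG_ID_PLACEHOLDER` bug reference are constructed placeholders; the `origin` attribute is treated as free-form text, which is an assumption.

```python
"""Compute the sha256 of a local artifact, render the verification-metadata.xml
<component> entry to paste in by hand, then re-check the file against the recorded
checksum.  Example code added alongside this README; not shipped by androidx."""
import hashlib
import hmac
import os
import tempfile
from xml.sax.saxutils import quoteattr

# Constructed stand-in for a detached-configuration artifact; the real one would be the
# downloaded file (for instance a kotlin-native prebuilt archive).
SAMPLE_CONTENT = b"hello\n"


def make_constructed_artifact(directory=None):
    """Write a tiny file standing in for the downloaded artifact and return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "foo.tar.gz")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_CONTENT)
    return path


def sha256_of(path):
    """Same value `sha256 foo.tar.gz` (or `sha256sum foo.tar.gz`) prints, read in chunks
    so large prebuilt archives do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def component_entry(group, name, version, filename, digest, reason):
    """Render a <component> block in the layout this README uses for checksum entries.
    quoteattr() escapes attribute values so a reason containing quotes stays well-formed."""
    return "\n".join([
        "<component group=%s name=%s version=%s androidx:reason=%s>"
        % (quoteattr(group), quoteattr(name), quoteattr(version), quoteattr(reason)),
        "   <artifact name=%s>" % quoteattr(filename),
        "      <sha256",
        "            value=%s" % quoteattr(digest),
        '            origin="Generated by hand"',  # assumption: origin is free-form text
        "      />",
        "   </artifact>",
        "</component>",
    ])


def matches_recorded(path, recorded_digest):
    """Detect later tampering: recompute the file's digest and compare in constant time."""
    return hmac.compare_digest(sha256_of(path), recorded_digest.lower())


if __name__ == "__main__":
    artifact = make_constructed_artifact()
    digest = sha256_of(artifact)
    print(component_entry("org.example", "foo", "1.0", os.path.basename(artifact), digest,
                          "Unsigned b/BUG_ID_PLACEHOLDER"))  # placeholder bug id
    print("re-check:", matches_recorded(artifact, digest))
```

The printed block drops straight into `<components>` in verification-metadata.xml; keep the `androidx:reason` pointing at the bug that tracks getting a signed build, since the checksum only pins the bytes you happened to download and says nothing about who produced them.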