Start verifying checksums and signatures during androidx builds
- Start validating checksums. The original file was generated using:
./gradlew bOS --dry-run -M sha256 --export-keys
later it was cleaned up to remove entries that have signatures
and thus don't need hash verification.
- Start validating signatures for some packages
* Exception for gradle-download-task-4.1.1.jar that the
author seems to have signed incorrectly.
* Exception for tensorflow-lite-metadata-0.1.0-rc2.pom
that the author seems to have signed incorrectly.
Bug: 215546644
Test: ./gradlew tasks
rm -fr ~/.gradle/caches/modules-2/files-2.1/
./gradlew bOS --dry-run
Studio Sync
Change-Id: I5be6d689a66cd69b19051e51f5c75b003fc7eb1a
diff --git a/gradle/README.md b/gradle/README.md
new file mode 100644
index 0000000..900deff
--- /dev/null
+++ b/gradle/README.md
@@ -0,0 +1,29 @@
+## wrapper/gradle-wrapper.properties
+
+Keeps track of Gradle version used by androidx. When updating the version a new version prebuilt needs to be added to `tools/external/gradle` repository.
+
+## libs.versions.toml
+
+Keeps track of library and plugin dependencies used by androidx. Adding or updating a library there requires running `./development/importMaven/import_maven_artifacts.py -n myartifact:here:1.0.0`
+
+## verification-keyring.keys
+
+Checked-in [local keyring](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:local-keyring) used to avoid reachout to key servers whenever a key is required by Gradle to verify an artifact. In order to add a new key, first add it as a trusted-key to `verification-metadata.xml`, then run the following
+
+```
+./gradlew --write-verification-metadata sha256 --export-keys
+```
+
+This will update `verification-keyring.keys` and also create `verification-keyring.gpg`. gpg file needs to be deleted as androidx only uses the human readable keychain to track of the keys.
+
+## verification-metadata.xml
+
+[Configuration file for Gradle dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html#sub:verification-metadata) used by androidx to make sure dependencies are [signed with trusted signatures](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verificationn) and that unsigned artifacts have [expected checksums](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:checksum-verification).
+
+When adding a new artifact
+- if it is signed, then follow `verification-keyring.keys` instructions above to add it to trusted-keys
+- if it is not signed, then run the following to add generated checksums to `verification-metadata.xml`:
+
+```
+./gradlew --write-verification-metadata sha256
+```
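Review bot: the signature-verification link in the `## verification-metadata.xml` section points at `#sec:signature-verificationn` (extra trailing `n`), so the anchor will not resolve; it should be `#sec:signature-verification`, matching the other two anchors in that sentence. In the `## verification-keyring.keys` section, the step "gpg file needs to be deleted" states a requirement without the action; since `./gradlew --write-verification-metadata sha256 --export-keys` is shown as the command that creates the file, consider spelling out the cleanup right after it (e.g. deleting `verification-keyring.gpg` from the same `gradle/` directory, assuming that is where Gradle writes it next to `verification-metadata.xml`) so a reader following the steps does not accidentally commit the binary keyring. Minor wording: "avoid reachout to key servers" reads better as "avoid reaching out to key servers", and "to track of the keys" should be "to keep track of the keys"; "Keeps track of Gradle version" wants "the Gradle version".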