Blame: Aurimas Liutikas, 3ae82fa (2021-09-23 09:19:23 -0700) and 2a93f8b (2022-01-21 00:12:34 +0000)

## wrapper/gradle-wrapper.properties

Keeps track of the Gradle version used by androidx. When updating the version, a prebuilt of the new version needs to be added to the `tools/external/gradle` repository.

## libs.versions.toml

Keeps track of library and plugin dependencies used by androidx. Adding or updating a library there requires running `./development/importMaven/import_maven_artifacts.py -n myartifact:here:1.0.0`.

## verification-keyring.keys

Checked-in [local keyring](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:local-keyring)
that is used to avoid reaching out to key servers whenever a key is required by Gradle to verify an
artifact.

AndroidX only uses the human-readable `verification-keyring.keys`. Gradle also generates a binary
`verification-keyring.gpg`, but it is optional, and thus we do not use it.

To add a new trusted key, first add it as a `trusted-key` in `verification-metadata.xml`.
For example:
```
<trusted-key id="012579464d01c06a" group="org.apache"/>
```

This allows Gradle to trust it, but we also need to store the key in `verification-keyring.keys`.
To do that, run:
```
./gradlew -M sha256 --export-keys buildOnServer --dry-run
```

This will create `gradle/verification-keyring-dryrun.gpg`, `gradle/verification-keyring-dryrun.keys`,
and `gradle/verification-metadata.dryrun.xml`.

Then you will want to run:
```
cp gradle/verification-keyring-dryrun.keys gradle/verification-keyring.keys
```

You can then delete all the `verification-*-dryrun.*` files.

## verification-metadata.xml

[Configuration file for Gradle dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html#sub:verification-metadata) used by androidx to make sure dependencies are [signed with trusted signatures](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verification) and that unsigned artifacts have [expected checksums](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:checksum-verification).

When adding a new artifact:
- if it is signed, then follow the `verification-keyring.keys` instructions above to add its key to trusted-keys
- if it is not signed, then run the following to add generated checksums to `verification-metadata.xml`:

```
./gradlew -M sha256 buildOnServer --dry-run
```

Then you will want to diff `gradle/verification-metadata.dryrun.xml` and
`gradle/verification-metadata.xml` using your favorite tool (e.g. meld) and copy over the entries
that are relevant to your new artifacts.

You can then delete all the `verification-*-dryrun.*` files.
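
The diff step above, as an added example that is not part of the androidx repository: a Python script that lists the trusted keys and sha256 entries the dry-run file would add, and flags any already pinned artifact whose checksum differs. It assumes the standard Gradle layout (`trusted-key`, `component`, `artifact`, `sha256` elements); the function names `load` and `review`, the `com.example` coordinates and the hash values are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the XML namespace so files with or without xmlns parse the same way.
    return tag.rsplit("}", 1)[-1]

def load(xml_text):
    """Return (trusted keys, {artifact coordinate: set of sha256 values})."""
    keys, sums = set(), {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "trusted-key":
            # A key is scoped by its group attribute or by nested <trusting> elements.
            scopes = [c for c in el if _local(c.tag) == "trusting"] or [el]
            keys |= {(el.get("id", "").lower(), s.get("group", "")) for s in scopes}
        elif _local(el.tag) == "component":
            coord = (el.get("group"), el.get("name"), el.get("version"))
            for art in el:
                values = {h.get("value") for h in art if _local(h.tag) == "sha256"}
                if values:
                    sums[coord + (art.get("name"),)] = values
    return keys, sums

def review(current_xml, dryrun_xml):
    """List what the dry-run file would add or change relative to the checked-in one."""
    cur_keys, cur_sums = load(current_xml)
    new_keys, new_sums = load(dryrun_xml)
    return {
        "new_keys": sorted(new_keys - cur_keys),
        "added": sorted(k for k in new_sums if k not in cur_sums),
        # A different checksum for an already pinned artifact needs an explanation.
        "changed": sorted(k for k in new_sums if k in cur_sums and new_sums[k] != cur_sums[k]),
    }

# Constructed sample inputs; the hashes and com.example coordinates are made up.
HEAD = '<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">'
PINNED = ('<component group="com.example" name="lib" version="1.0.0">'
          '<artifact name="lib-1.0.0.jar"><sha256 value="%s"/></artifact></component>')
CURRENT = (HEAD + '<configuration><trusted-keys/></configuration><components>'
           + PINNED % ("aa" * 32) + '</components></verification-metadata>')
DRYRUN = (HEAD + '<configuration><trusted-keys>'
          '<trusted-key id="012579464d01c06a" group="org.apache"/>'
          '</trusted-keys></configuration><components>' + PINNED % ("bb" * 32)
          + '<component group="com.example" name="new" version="2.0.0">'
          '<artifact name="new-2.0.0.jar"><sha256 value="' + "cc" * 32 + '"/></artifact>'
          '</component></components></verification-metadata>')

if __name__ == "__main__":
    print(review(CURRENT, DRYRUN))
```

Only the `added` and `new_keys` entries that belong to the artifact being introduced should be copied into `gradle/verification-metadata.xml`; anything under `changed` should be understood before it is accepted.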