verify signatures of downloaded artifacts

cbeust / kobalt

A Kotlin-based build system for the JVM.

Apache License 2.0

432 stars 60 forks source link

Open whyicantusemyemailasusername opened 7 years ago

whyicantusemyemailasusername commented 7 years ago

at least two cases here:

use sha1 hash provided by remote repo to verify downloads (re-download broken files)
specify file hash as part of artifact id, like compile("org.name:artifact:1.3:sha1:2973d150c0dc1fefe998f834810d68f278ea58ec"), to prevent different attacks