cbeust/kobalt
A Kotlin-based build system for the JVM.
Apache License 2.0
verify signatures of downloaded artifacts #453 (Open)
whyicantusemyemailasusername opened 7 years ago
whyicantusemyemailasusername commented 7 years ago
At least two cases here:
- use the sha1 hash provided by the remote repo to verify downloads (re-download broken files)
- specify the file hash as part of the artifact id, like `compile("org.name:artifact:1.3:sha1:2973d150c0dc1fefe998f834810d68f278ea58ec")`, to prevent different attacks
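
The second case above (a hash pinned inside the artifact id), sketched as an added example; it is not Kobalt code and not from the issue author. `PinnedArtifact`, `parseCoordinate` and `verify` are hypothetical names, the five-part id syntax is the one proposed in the comment, and accepting `sha256` besides `sha1` is a generalization beyond the issue text.

```kotlin
import java.security.MessageDigest

// Hypothetical type for this example; not part of Kobalt's API.
data class PinnedArtifact(
    val group: String, val name: String, val version: String,
    val algorithm: String?, val digest: ByteArray?
)

// Algorithm token in the id -> JCA algorithm name and digest length in bytes.
private val ALGORITHMS = mapOf("sha1" to ("SHA-1" to 20), "sha256" to ("SHA-256" to 32))

private fun hexToBytes(hex: String): ByteArray {
    require(hex.length % 2 == 0 && hex.all { it in "0123456789abcdefABCDEF" }) { "digest is not hex" }
    return ByteArray(hex.length / 2) { hex.substring(it * 2, it * 2 + 2).toInt(16).toByte() }
}

// Parse "group:name:version" or "group:name:version:algo:hexdigest".
fun parseCoordinate(id: String): PinnedArtifact {
    val p = id.split(":")
    return when (p.size) {
        3 -> PinnedArtifact(p[0], p[1], p[2], null, null)
        5 -> {
            val (jcaName, length) = ALGORITHMS[p[3].lowercase()]
                ?: throw IllegalArgumentException("unsupported hash algorithm: ${p[3]}")
            val digest = hexToBytes(p[4])
            require(digest.size == length) { "wrong digest length for ${p[3]}" }
            PinnedArtifact(p[0], p[1], p[2], jcaName, digest)
        }
        else -> throw IllegalArgumentException("malformed artifact id: $id")
    }
}

// True only if the id carries a pin and the downloaded bytes hash to it.
// An unpinned id returns false, so the caller has to allow it explicitly.
fun verify(artifact: PinnedArtifact, downloaded: ByteArray): Boolean {
    val algorithm = artifact.algorithm ?: return false
    val expected = artifact.digest ?: return false
    val actual = MessageDigest.getInstance(algorithm).digest(downloaded)
    return MessageDigest.isEqual(expected, actual)
}

fun main() {
    // Constructed sample: the "jar" is the three bytes "abc", pinned to SHA-1("abc").
    val artifact = parseCoordinate("org.name:artifact:1.3:sha1:a9993e364706816aba3e25717850c26c9cd0d89d")
    println(verify(artifact, "abc".toByteArray()))  // bytes match the pin
    println(verify(artifact, "abd".toByteArray()))  // one byte changed after pinning
}
```

Because the pin lives in the build file rather than next to the artifact, it still detects a changed file when the repository's own `.sha1` sidecar has been replaced along with the jar, which the first case alone cannot.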