The verification file is a bit annoying to generate/update due to a couple issues, but I still think this is worthwhile to enable to protect from compromised dependencies, especially with BCR having system app permissions.
Issues:
- The documented ./gradlew --write-verification-metadata sha512 help command isn't sufficient to grab all dependencies. The actual APK build and tests need to be run as part of the command to ensure all dependencies are added.

To generate the file in this PR, I ran: