Open dsvensson opened 1 month ago
I believe you're seeing this because you're fetching detekt-gradle-plugin from Gradle Portal and we don't sign it there (I think we should though).
Humm... I was hoping that I had overridden that, but must have gotten lost over the years. But it sounds like a plausible reason. Would be nice to get the signing going there as if you're not doing out-of-the-ordinary stuff with gradle that's where it will pick it from. Meanwhile I will see if I can get back that behavior. Thanks.
Update: Yes, that was it. Didn't properly override in buildSrc.
Hi @cortinico, for enabling signing I think all we need to do is add the signing plugin. I tried to do the same at https://github.com/detekt/detekt/pull/7760. Is that the correct understanding? Also, how can we validate that?
for enabling signing I think all we need to do is add the signing plugin. I tried to do the same at #7760. Is that the correct understanding? Also, how can we validate that?
Yes that seems correct. I guess we just pick it in the 1.x release branch and see how the next version behaves
Expected Behavior
Everything properly validated.
Observed Behavior
This pops up in my verification metadata:
even if I have trust in the key:
...and the key in my gradle/verification-keyring.keys, the same setup that works with other dependencies.
When browsing the artifacts here: https://repo1.maven.org/maven2/io/gitlab/arturbosch/detekt/detekt-gradle-plugin/1.23.7/
It all looks signed and dandy so not sure what's going on. Is perhaps the module distributed elsewhere without signature?
Your Environment
gradle 8.10, latest detekt
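
The cause identified in this thread is that the plugin was resolved from the Gradle Plugin Portal, where it is not signed, instead of from Maven Central, where it is. One way to pin the resolution in buildSrc is sketched below. This is an added example, not code from the issue or from the detekt project; it assumes a buildSrc that uses the `kotlin-dsl` plugin and takes the group, artifact and version from the Maven Central URL quoted in the issue.

```kotlin
// buildSrc/build.gradle.kts (added example; file layout is an assumption)
plugins {
    `kotlin-dsl`
}

repositories {
    // Only Maven Central may serve the detekt group. Every other repository
    // declared here, including the Plugin Portal, is excluded for this group,
    // so the unsigned copy can never be selected.
    exclusiveContent {
        forRepository { mavenCentral() }
        filter { includeGroup("io.gitlab.arturbosch.detekt") }
    }
    // Still required for everything else buildSrc needs (for example the
    // dependencies of the kotlin-dsl plugin).
    gradlePluginPortal()
}

dependencies {
    // Put the plugin on the buildSrc classpath by its Maven coordinates
    // (taken from the Maven Central URL in the issue) so that it goes through
    // the repositories above rather than a plugin-marker lookup.
    implementation("io.gitlab.arturbosch.detekt:detekt-gradle-plugin:1.23.7")
}
```

With the plugin on the buildSrc classpath, convention plugins and build scripts apply it by id without a version, and dependency verification then checks the signature of the artifact fetched from Maven Central.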