kordamp / gm

Gum is a Gradle/Maven/JBang wrapper written in Go
Apache License 2.0

Add gradle-wrapper.jar checksum verification #39

Open vlsi opened 3 years ago

vlsi commented 3 years ago

What do you think if gm verifies the checksum of gradle/wrapper/gradle-wrapper.jar file?

Of course, it won't make the build completely secure (e.g. a malicious repository could augment gradlew to use a different jar for the classpath), however it might improve things, since text files (e.g. build scripts, batch scripts) are easier to review than binary jars.

An alternative (or additional) option is to verify the integrity of gradlew and gradlew.bat (e.g. hard-code well-known good checksums).

An alternative option is to use gw-controlled set of gradlew executables (and gradle-wrapper.jar) so gw uses a trusted wrapper.
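As an added illustration of the proposal above (this is example code, not gm's own implementation), the check could hash gradle/wrapper/gradle-wrapper.jar with SHA-256 and refuse to run unless the digest matches a hard-coded set of known-good values. The function and map names are assumptions, and the map holds placeholders rather than real Gradle checksums.

```go
// Added example, not gm's code: verify gradle-wrapper.jar against known-good digests.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"strings"
)

// knownGoodWrapperJars maps a Gradle version to the SHA-256 of its
// gradle-wrapper.jar. PLACEHOLDER values only; a real tool would ship the
// digests published by Gradle, which this issue does not list.
var knownGoodWrapperJars = map[string]string{
	"<gradle-version>": "<sha256-of-gradle-wrapper.jar>",
}

// DigestReader streams r through SHA-256 and returns the lowercase hex digest,
// so a large jar is never read into memory at once.
func DigestReader(r io.Reader) (string, error) {
	h := sha256.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// MatchKnownGood returns the name of the allowed entry whose digest equals
// digest (case-insensitive hex), or "" when the jar is not recognised.
func MatchKnownGood(digest string, allowed map[string]string) string {
	d := strings.ToLower(digest)
	for name, want := range allowed {
		if d == strings.ToLower(want) {
			return name
		}
	}
	return ""
}

// VerifyWrapperJar hashes the jar at path and checks it against allowed.
// Any read failure or unknown digest is an error, so the caller refuses to
// launch an unverified wrapper instead of silently continuing.
func VerifyWrapperJar(path string, allowed map[string]string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	digest, err := DigestReader(f)
	if err != nil {
		return "", err
	}
	if name := MatchKnownGood(digest, allowed); name != "" {
		return name, nil
	}
	return "", fmt.Errorf("%s: sha256 %s is not a known gradle-wrapper.jar", path, digest)
}

func main() {
	name, err := VerifyWrapperJar("gradle/wrapper/gradle-wrapper.jar", knownGoodWrapperJars)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to run wrapper:", err)
		os.Exit(1)
	}
	fmt.Println("gradle-wrapper.jar verified as", name)
}
```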

vlsi commented 3 years ago

/cc @JLLeitschuh

vlsi commented 3 years ago

Relevant issues: https://github.com/gradle/actions/issues/283, https://github.com/gdubw/gng/issues/15

vlsi commented 3 years ago

Gradle distribution validation might be relevant as well: https://github.com/gradle/actions/issues/286

aalmiray commented 3 years ago

Such improvement should be offered for the Maven and Jbang wrappers as well.

vlsi commented 3 years ago

Of course, if you think it is worth integrating the verification to gm, then it would be great to integrate it for all the build systems.

aalmiray commented 3 years ago

Before doing it on gm, the question is why don't the original tools provide such verification ootb? I know gradle does it with a GitHub Action on CI. Does it work with other CIs as well? Can the gradle or gradlew commands perform the check? Is it secure to do so, or does this verification require another party?

vlsi commented 3 years ago

gm is the tool for end-users rather than a CI tool, so I guess CI questions are irrelevant here.

Can the gradle or gradlew commands perform the check?

The key question here is: do you trust gradlew to validate itself?