Open eighthave opened 9 years ago
Full ACK
+1. It would also be nice to have a tool or "best practice" for validating the wrapper scripts and jars that bootstrap most builds.
I created a topic on the Gradle forum that includes this issue: https://discuss.gradle.org/t/jar-validation-via-hashes-or-signatures/12238
Really, the gradle-wrapper should validate what it downloads automatically, whenever possible. That should be easy for any gradle binary, since those all have a stable sha256 hash, and there are not very many of them (about 20?). Those hashes just need to be included in gradle-wrapper and mapped to the right file/URL.
Just in case: Gradle's DependencyResolutionListener is able to verify plugins as well.
Plugin: https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin https://plugins.gradle.org/plugin/com.github.vlsi.checksum-dependency
Sample use: https://github.com/vlsi/vlsi-release-plugins/commit/208734b6e9d67c11d0d697f883f3e23107284820
The key idea is to add the plugin right into the settings.gradle file, so it is executed way before all other plugins are loaded.
Since the whole gradle build process for Android relies on downloading plugins from jcenter, we really need a way to do what gradle-witness does, but for those plugins. @dschuermann already made it possible to have the gradle wrapper verify the sha256 of gradle binaries it downloads: https://github.com/gradle/gradle/pull/448 The missing piece remains gradle plugins.
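The two ideas raised above, the wrapper checking each downloaded distribution against a pinned sha256 and a gradle-witness style check of plugin jars, come down to the same mechanism: a manifest that maps a file name to its expected digest, and a verifier that fails closed on a mismatch or on a file the manifest does not list. The shell script below is an added illustration of that mechanism; it is not code from the thread, from Gradle, or from the plugins linked above. The file contents and the pinned digests are constructed inside the script so it runs offline; in a real setup the pins would be the checksums published with each Gradle release or recorded when a plugin jar was first reviewed.

```shell
#!/bin/sh
# Added example: verify a downloaded artifact against a pinned sha256 manifest.
# Manifest format (same as `sha256sum` output): "<hex digest>  <file name>".

# Print the sha256 hex digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Append a pin for a file to the manifest (stands in for the digest a
# release process would publish; in the demo it is computed from a constructed file).
record_pin() {
  file=$1; manifest=$2
  printf '%s  %s\n' "$(sha256_of "$file")" "$(basename "$file")" >> "$manifest"
}

# verify_artifact <file> <manifest>
# Returns 0 only when the manifest lists the file AND the digest matches.
# A file that is absent from the manifest is a failure too (fail closed),
# which is what prevents an unexpected extra jar from slipping into a build.
verify_artifact() {
  file=$1; manifest=$2
  name=$(basename "$file")
  expected=$(awk -v f="$name" '$2 == f { print $1; exit }' "$manifest")
  if [ -z "$expected" ]; then
    echo "REJECT $name: no pinned digest in $manifest" >&2
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$expected" != "$actual" ]; then
    echo "REJECT $name: expected $expected, got $actual" >&2
    return 1
  fi
  echo "OK     $name"
  return 0
}

# Demo with constructed files: a pristine artifact passes, a tampered copy of
# the same name fails, and an artifact with no pin is rejected outright.
demo() {
  tmp=$(mktemp -d)
  printf 'constructed stand-in for gradle-wrapper.jar' > "$tmp/gradle-wrapper.jar"
  record_pin "$tmp/gradle-wrapper.jar" "$tmp/pins.sha256"

  verify_artifact "$tmp/gradle-wrapper.jar" "$tmp/pins.sha256"      # OK

  printf 'X' >> "$tmp/gradle-wrapper.jar"                             # tamper
  verify_artifact "$tmp/gradle-wrapper.jar" "$tmp/pins.sha256"      # REJECT: mismatch

  printf 'constructed unknown plugin' > "$tmp/some-plugin.jar"
  verify_artifact "$tmp/some-plugin.jar" "$tmp/pins.sha256"         # REJECT: not pinned

  rm -rf "$tmp"
}

demo
```

The manifest uses the `sha256sum` line format on purpose, so a pin file produced this way can also be checked with `sha256sum -c` in CI. For the Gradle distribution itself the wrapper has supported this check natively since the pull request referenced above, via the `distributionSha256Sum` entry in `gradle-wrapper.properties`; a script like this is only needed for the jars the wrapper does not cover, which is the gap the comment points at.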
This is probably the most essential bit to verify: