sourcegraph / scip-java

SCIP Code Intelligence Protocol generator for Java
https://sourcegraph.github.io/scip-java/
Apache License 2.0
70 stars 28 forks

Gradle dependency verification conflicts with using semanticdb plugin #606

Open keynmol opened 1 year ago

keynmol commented 1 year ago

I tried to index the gradle/gradle repo, and while it got further than previous attempts, it raised an interesting problem:

[error] A problem occurred configuring project ':build-logic'.
[error] > Could not determine the dependencies of null.
[error]    > Could not resolve all task dependencies for configuration ':build-logic:classpath'.
[error]       > Could not resolve project :build-logic-commons:gradle-plugin.
[error]         Required by:
[error]             project :build-logic
[error]          > Could not create task ':build-logic-commons:gradle-plugin:compileKotlin'.
[error]             > Dependency verification failed for configuration ':build-logic-commons:gradle-plugin:detachedConfiguration3'
[error]               One artifact failed verification: semanticdb-kotlinc-0.3.0.jar (com.sourcegraph:semanticdb-kotlinc:0.3.0) from repository MavenRepo
[error]               This can indicate that a dependency has been compromised. Please carefully verify the signatures and checksums.

Gradle has a strict listing of keys for all the dependencies in https://github.com/gradle/gradle/blob/master/gradle/verification-metadata.xml, but semanticdb-kotlinc is obviously not there.

The public key used to sign the kotlin plugin is actually published: https://keyserver.ubuntu.com/pks/lookup?search=10B04CB7EF0E44A9&fingerprint=on&op=index

Ref: #175, which is no longer valid

antonsviridov-src commented 1 month ago

I think this can be circumvented by using the --write-verification-metadata pgp,sha256 flag
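As an added illustration (not part of this issue, of gradle/gradle, or of the scip-java project), this is the shape of the verification-metadata.xml entry Gradle needs before it will accept the semanticdb-kotlinc artifact: a trusted-key entry scoped to the com.sourcegraph group for the signing key mentioned above, plus a checksum pin for the jar. The full 40-character key fingerprint and the sha256 value are placeholders here; the example assumes a recent Gradle, which requires the full fingerprint rather than the 16-character key id shown on the keyserver link.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example fragment; not the gradle/gradle verification-metadata.xml itself. -->
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
                       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
   <configuration>
      <!-- Verify both the artifact signatures and the module metadata (pom) of each dependency. -->
      <verify-metadata>true</verify-metadata>
      <verify-signatures>true</verify-signatures>
      <trusted-keys>
         <!-- The key id from the issue is 10B04CB7EF0E44A9; recent Gradle requires the full
              40-hex fingerprint, which is a placeholder here and must be taken from the
              keyserver entry (fingerprint=on) rather than from whatever Gradle downloaded. -->
         <trusted-key id="FULL_FINGERPRINT_OF_10B04CB7EF0E44A9_PLACEHOLDER"
                      group="com.sourcegraph" name="semanticdb-kotlinc" version="0.3.0"/>
      </trusted-keys>
   </configuration>
   <components>
      <!-- Checksum pin for the same jar; the value is a placeholder to be filled from a
           download whose signature has already been checked against the trusted key. -->
      <component group="com.sourcegraph" name="semanticdb-kotlinc" version="0.3.0">
         <artifact name="semanticdb-kotlinc-0.3.0.jar">
            <sha256 value="SHA256_PLACEHOLDER" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
```

Running `./gradlew --write-verification-metadata pgp,sha256 help` (the flag from the comment above, with `help` as a cheap task that still resolves the build-logic classpath) regenerates entries of exactly this shape for every artifact the build resolves. Because it records whatever key and checksum it happened to fetch, the generated diff should be reviewed and the fingerprint compared with the keyserver record before the file is committed; otherwise the verification step only proves that the next build sees the same artifact, not that the first one was the intended one.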