trezor-android
Add com.github.vlsi.checksum-dependency plugin to verify plugin and dependency artifacts
See https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin
witness does not verify plugins: https://github.com/trezor/trezor-android/blob/b5211751556fde996c185025b21847af459db96c/build.gradle#L8
And checksum-dependency-plugin enables validating those as well. See com.android.tools.build/gradle-api/3.3.2=49D1AC983C92FC52... in checksum.properties
It looks like Travis is OK.
Looking forward to comments.
PS. I'm working on PGP-based verification as well.
If you have suggestions/feature requests, feel free to comment on https://github.com/vlsi/vlsi-release-plugins/issues/9
My idea is to add "I trust key ABC for group org.abc" kind of entries, so we don't need to update checksums on each library upgrade
Hi, I hope you are doing well.
You might be interested that Gradle 6.2 introduces in-core dependency verification
The documentation can be reviewed here: https://github.com/gradle/gradle/pull/11755
From what I know, Gradle would cover more cases when compared with checksum-dependency-plugin. For instance, it will be able to verify pom.xml files, which are implicitly fetched by Gradle when resolving transitive dependencies, and probably other cases.
Some bits can be previewed in the current release candidates, release nightly builds and master nightly builds (see https://gradle.org/releases/ )
It would be nice if you could preview the feature and provide your feedback.
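The two comparisons above (the PR's checksum.properties entries for plugin and dependency artifacts, and the point that Gradle's in-core verification also covers implicitly fetched pom.xml metadata) both come down to the same fail-closed check: every resolved file must have a pinned hash, and that hash must match. The script below is an added illustration of that check and is not code from checksum-dependency-plugin, Gradle, or the trezor-android project. It assumes the `group/artifact/version=HEX` key format seen on the page, assumes SHA-512 (the hash length and uppercase hex shown above are consistent with it, but this is an assumption), and uses a `.pom` key suffix of its own to show why metadata files need entries too; all artifact bytes and checksum lines are constructed.

```python
import hashlib
import hmac

# Constructed stand-ins for downloaded artifacts (a jar, its pom metadata,
# and a second jar). Real builds would hash the files in the Gradle cache.
SAMPLE_ARTIFACTS = {
    "org.example/widget/1.0.0": b"PK\x03\x04 constructed jar bytes for widget 1.0.0",
    "org.example/widget/1.0.0.pom": b"<project><artifactId>widget</artifactId></project>",
    "org.example/helper/2.1.0": b"PK\x03\x04 constructed jar bytes for helper 2.1.0",
}


def sha512_upper(data: bytes) -> str:
    """Uppercase hex SHA-512 digest (assumed to match the page's checksum style)."""
    return hashlib.sha512(data).hexdigest().upper()


def parse_checksums(text: str) -> dict:
    """Parse checksum.properties-style lines of the form group/artifact/version=HEX.

    Blank lines and '#' comments are skipped; a line without '=' is a hard error
    rather than being silently ignored, so a corrupted file cannot weaken the check.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed checksum line: {raw!r}")
        entries[key.strip()] = value.strip().upper()
    return entries


def verify_artifacts(artifacts: dict, checksums: dict) -> dict:
    """Classify each artifact as 'ok', 'mismatch', or 'missing-entry'.

    A missing entry is treated as a failure, not a pass: an unpinned artifact
    (for example a transitive pom.xml nobody listed) is exactly the gap that
    a verification step exists to close.
    """
    results = {}
    for key, data in artifacts.items():
        expected = checksums.get(key)
        if expected is None:
            results[key] = "missing-entry"
        elif not hmac.compare_digest(expected, sha512_upper(data)):
            results[key] = "mismatch"
        else:
            results[key] = "ok"
    return results


def build_allowed(results: dict) -> bool:
    """Fail closed: the build proceeds only if every artifact verified."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed checksum.properties: the widget jar is pinned correctly, the pom
# entry is deliberately wrong (simulating tampered or stale metadata), and the
# helper jar has no entry at all.
TRUSTED_CHECKSUMS = "\n".join([
    "# constructed example entries, not a real project's checksum.properties",
    "org.example/widget/1.0.0=" + sha512_upper(SAMPLE_ARTIFACTS["org.example/widget/1.0.0"]),
    "org.example/widget/1.0.0.pom=" + "00" * 64,
])


if __name__ == "__main__":
    report = verify_artifacts(SAMPLE_ARTIFACTS, parse_checksums(TRUSTED_CHECKSUMS))
    for key, status in report.items():
        print(f"{status:14} {key}")
    print("build allowed:", build_allowed(report))
```

Running it prints one "ok", one "mismatch" and one "missing-entry", and reports that the build is not allowed; the two failing cases are the ones a plugin-only or jar-only scheme would let through.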
Hello! This is something we'd like to use. Can you please update this pull request to this feature once Gradle 6.2 stable is released?
push 6.2 stable is released now
@vlsi Can you please update the PR to use Gradle 6.2 stable?