Gradle-License-Report
Plugin not signed
Currently, to use dependency verification, checksum fallback needs to be updated every new release of the jk1 plugin like this:
<component group="com.github.jk1" name="gradle-license-report" version="2.9">
    <artifact name="gradle-license-report-2.9.jar">
        <sha256 value="ebfd6da851654c53216eea9eda1485c12e0cd6de5a9919bf5da9735a021f32af" origin="Generated by Gradle" reason="Artifact is not signed"/>
    </artifact>
    <artifact name="gradle-license-report-2.9.pom">
        <sha256 value="81b54b29447491415f81e2baa0d98bf5863e1e2cf8ae2ddbba7607aec250d908" origin="Generated by Gradle" reason="Artifact is not signed"/>
    </artifact>
</component>
<component group="com.github.jk1.dependency-license-report" name="com.github.jk1.dependency-license-report.gradle.plugin" version="2.9">
    <artifact name="com.github.jk1.dependency-license-report.gradle.plugin-2.9.pom">
        <sha256 value="a79ca4dfe069d737faf075c8f4b6c6471c2e5cea8e1546946ae333d747fddf02" origin="Generated by Gradle" reason="Artifact is not signed"/>
    </artifact>
</component>
Browsing the plugin's repository directory shows no signatures: https://plugins.gradle.org/m2/com/github/jk1/gradle-license-report/2.9/
If this plugin were signed, a single stable setting would be enough to get better-than-nothing verification for it, with no maintenance cost except for rare key changes:
<trusted-key id="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" group="com.github.jk1"/>
To read more about dependency verification, have a look here: https://docs.gradle.org/current/userguide/dependency_verification.html
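As an added illustration of the maintenance difference described above (this is example code, not part of the issue or of the plugin), the script below audits a verification-metadata.xml: it lists components that rely on per-version checksums only, which need a new <sha256> entry on every release, versus groups covered by a version-independent <trusted-key>, and recomputes a checksum for an artifact's bytes. The metadata sample is constructed; the org.example components and the key id are placeholders, and the jk1 checksum is the one quoted in the issue.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on the issue's snippet: the jk1 entry reuses the
# issue's checksum; the org.example components and the key id are placeholders.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <trusted-keys>
      <trusted-key id="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" group="org.example.signed"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="com.github.jk1" name="gradle-license-report" version="2.9">
      <artifact name="gradle-license-report-2.9.jar">
        <sha256 value="ebfd6da851654c53216eea9eda1485c12e0cd6de5a9919bf5da9735a021f32af" origin="Generated by Gradle" reason="Artifact is not signed"/>
      </artifact>
    </component>
    <component group="org.example.signed" name="signed-lib" version="1.0">
      <artifact name="signed-lib-1.0.jar"><pgp value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"/></artifact>
    </component>
    <component group="org.example.local" name="fixture" version="0.1">
      <artifact name="fixture-0.1.jar"><sha256 value="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"/></artifact>
    </component>
  </components>
</verification-metadata>"""

def _elems(root, local_name):
    # All descendants (root included) with this local name, ignoring the XML namespace.
    return [el for el in root.iter() if el.tag.rsplit("}", 1)[-1] == local_name]

def trusted_key_groups(xml_text):
    """Groups Gradle accepts on a valid signature from a <trusted-key>; version-independent."""
    root = ET.fromstring(xml_text)
    return {tk.get("group") for tk in _elems(root, "trusted-key") if tk.get("group")}

def checksum_pinned_components(xml_text):
    """Components verified by checksum only: each new version needs a fresh <sha256> entry."""
    root, covered = ET.fromstring(xml_text), trusted_key_groups(xml_text)
    return [(c.get("group"), c.get("name"), c.get("version")) for c in _elems(root, "component")
            if c.get("group") not in covered and _elems(c, "sha256")]

def verify_artifact(xml_text, artifact_name, data):
    """Recompute sha256 over the artifact bytes; True/False, or None if no <sha256> is declared."""
    for art in _elems(ET.fromstring(xml_text), "artifact"):
        if art.get("name") == artifact_name:
            declared = _elems(art, "sha256")
            if not declared:
                return None
            return hashlib.sha256(data).hexdigest() == declared[0].get("value").lower()
    return None
```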