
Add support for validating gradle installation

Open leonard84 opened this issue 4 years ago • 2 comments

As gradle does not include the distributionSha256Sum by default in the gradle-wrapper.properties (https://github.com/gradle/gradle/issues/12412) it would be great if gm could offer support for validating/injecting this as well. Especially if users are using a mirror url.

The version and type could be inferred from the url if it is just a transparent mirror.

The checksums can be retrieved here https://gradle.org/release-checksums/ or from https://services.gradle.org/versions/all

This is related to #39 which validates the committed gradle-wrapper.jar and shell scripts.

leonard84, May 07 '21 11:05

This implies:

  • parsing gradle-wrapper.properties to find out the target distribution.
  • parsing https://services.gradle.org/versions/all to locate the checksum.
  • validating the checksum.
  • modifying gradle-wrapper.properties if successful.

It also implies gm is trusted to download and apply the checksum. Typically the matching checksum is retrieved separately from the tool to avoid conflicts. I suppose the gm binary could be signed and somehow validate itself against a well-known signature server. If it passes, then it can proceed to download and update the checksum.

That or blindly trust gm to not inject a faulty checksum.

aalmiray, May 07 '21 11:05
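To make the four steps above concrete, here is an added Python sketch of the parse/infer/validate/inject flow; it is not gm's code. The checksum index and the properties file are constructed placeholders: a real implementation would fetch https://services.gradle.org/versions/all and read the published SHA-256 for the matching version (assumed here to be reachable through that listing's checksum link), and the version/type is inferred from the zip file name so a transparent mirror URL works too.

```python
import re

# Constructed sample index: (version, type) -> published SHA-256 hex.
# The digest is a placeholder, NOT a real Gradle checksum.
SAMPLE_INDEX = {("7.0", "bin"): "a" * 64}

# Constructed sample wrapper file pointing at a hypothetical mirror.
SAMPLE_PROPERTIES = (
    "distributionBase=GRADLE_USER_HOME\n"
    "distributionPath=wrapper/dists\n"
    "distributionUrl=https\\://mirror.example.invalid/dists/gradle-7.0-bin.zip\n"
)

# Matches the file name Gradle uses, e.g. gradle-8.5-rc-1-all.zip, on any host.
_DIST_RE = re.compile(r"gradle-(?P<version>[0-9][^/]*?)-(?P<type>bin|all)\.zip$")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: skips comments and undoes the
    '\\:' escape that Gradle writes into distributionUrl."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip().replace("\\:", ":")
    return props


def infer_distribution(url: str) -> tuple:
    """Derive (version, type) from the zip name, ignoring the host (mirror)."""
    m = _DIST_RE.search(url)
    if not m:
        raise ValueError(f"cannot infer Gradle distribution from {url!r}")
    return m.group("version"), m.group("type")


def reconcile(props_text: str, index: dict) -> tuple:
    """Return ('ok' | 'injected', properties text). Raises on a mismatch
    between the committed distributionSha256Sum and the published one."""
    props = parse_properties(props_text)
    dist = infer_distribution(props["distributionUrl"])
    if dist not in index:
        raise ValueError(f"no published checksum for {dist}")
    expected, committed = index[dist], props.get("distributionSha256Sum")
    if committed is None:  # inject the published checksum
        return "injected", props_text.rstrip("\n") + f"\ndistributionSha256Sum={expected}\n"
    if committed.lower() != expected.lower():
        raise ValueError("distributionSha256Sum does not match the published checksum")
    return "ok", props_text
```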

A main use case for me would be: I download and validate gm manually, check out some third-party repository that uses gradle, and am safe with regard to the infrastructure code. Of course this doesn't say anything about the actual code in the repository itself, but it is better than the status quo.

leonard84, May 07 '21 11:05