According to the official Gradle documentation on dependency verification:
1. Why do dependency verification?
Working with external dependencies and plugins published on third-party repositories puts your build at risk. In particular, you need to be aware of what binaries are brought in transitively and if they are legit. To mitigate the security risks and avoid integrating compromised dependencies in your project, Gradle supports dependency verification.
2. In what ways does Gradle verify dependencies?
checksum verification, which allows asserting the integrity of a dependency
signature verification, which allows asserting the provenance of a dependency
3. How is dependency verification configured?
Dependency verification is automatically enabled once the configuration file for dependency verification is discovered. This configuration file is located at $PROJECT_ROOT/gradle/verification-metadata.xml. This file minimally consists of the following:
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata>
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
</verification-metadata>
Doing so, Gradle will verify all artifacts using checksums, but will not verify signatures.
4. Enabling dependency verification
It's worth mentioning that while Gradle can generate a dependency verification file for you, you should always check whatever Gradle generated for you because your build may already contain compromised dependencies without you knowing about it.
The dependency verification file can be generated with the following CLI instructions:
gradle --write-verification-metadata sha256 help
Resolving the problem
The problem I ran into was 'Checksums are missing from verification metadata'. I backed up the verification-metadata.xml file under the project's build/ directory, fixed the checksums of the packages that were missing from it, and after reloading with Gradle it was OK. But if you want to regenerate this file, you have to run the command from step 4 above.
Instead of fixing it by hand, you can also simply let Gradle regenerate the file for you.
Alternatively, you can ask Gradle to generate the missing information by using the bootstrapping mechanism: existing information in the metadata file will be preserved, Gradle will only add the missing verification metadata.
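To make concrete what the checksum check behind the "Checksums are missing" error actually does, here is an added example (not code from the Gradle documentation or from the original post). It computes the SHA-256 of an artifact and compares it with the value recorded for that artifact in verification-metadata.xml, distinguishing the three outcomes a build can hit: checksum matches, checksum recorded but different (a tampered or swapped artifact), and no checksum recorded at all (the missing-metadata case that bootstrapping with `--write-verification-metadata sha256` fills in). The artifact files, the `com.example:lib:1.0` coordinates and the metadata file are all constructed here; the `<components>` block follows the layout Gradle writes, and the script assumes either `sha256sum` or `shasum` is installed.

```shell
#!/bin/sh
# Added example: a stand-alone re-creation of Gradle's per-artifact checksum
# check. Nothing here is the Gradle implementation; all data is constructed.

sha256_of() {
  # Hex SHA-256 of a file; GNU coreutils (sha256sum) or BSD/macOS (shasum).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the sha256 value recorded for an artifact name in a metadata file.
# Prints nothing when no checksum is recorded for it.
recorded_sha256() {
  # $1 = metadata file, $2 = artifact file name
  awk -v art="$2" '
    index($0, "<artifact name=\"" art "\"") { inside = 1 }
    inside && /<sha256 value="/ {
      sub(/.*<sha256 value="/, ""); sub(/".*/, ""); print; exit
    }
    inside && /<\/artifact>/ { inside = 0 }
  ' "$1"
}

# Verify one artifact against the metadata. Exit status: 0 OK, 1 mismatch,
# 2 no checksum recorded (Gradle reports the last two as build failures).
verify_artifact() {
  # $1 = metadata file, $2 = path to artifact
  name=$(basename "$2")
  expected=$(recorded_sha256 "$1" "$name")
  if [ -z "$expected" ]; then
    echo "MISSING: no checksum recorded for $name"
    return 2
  fi
  actual=$(sha256_of "$2")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $name"
    return 0
  fi
  echo "MISMATCH: $name expected $expected got $actual"
  return 1
}

# --- constructed demo data (hypothetical coordinates com.example:lib:1.0) ---
demo=$(mktemp -d)
printf 'constructed jar contents\n' > "$demo/lib-1.0.jar"
printf 'another constructed artifact\n' > "$demo/other-2.0.jar"
good=$(sha256_of "$demo/lib-1.0.jar")
cat > "$demo/verification-metadata.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata>
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>false</verify-signatures>
   </configuration>
   <components>
      <component group="com.example" name="lib" version="1.0">
         <artifact name="lib-1.0.jar">
            <sha256 value="$good"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
EOF

verify_artifact "$demo/verification-metadata.xml" "$demo/lib-1.0.jar"              # OK
verify_artifact "$demo/verification-metadata.xml" "$demo/other-2.0.jar" || true    # MISSING
printf 'tampered\n' >> "$demo/lib-1.0.jar"
verify_artifact "$demo/verification-metadata.xml" "$demo/lib-1.0.jar" || true      # MISMATCH
rm -rf "$demo"
```

The MISSING case is exactly the situation the post describes: the artifact is present but the metadata has no entry for it, so the only fixes are adding the checksum by hand or letting Gradle bootstrap it. The MISMATCH case is the one dependency verification exists for, and it should never be resolved by blindly regenerating the file.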