gradle/README.md

wrapper/gradle-wrapper.properties

Keeps track of the Gradle version used by androidx. When updating the version, a prebuilt of the new version needs to be added to the tools/external/gradle repository.

libs.versions.toml

Keeps track of library and plugin dependencies used by androidx. Adding or updating a library there requires running ./development/importMaven/import_maven_artifacts.py -n myartifact:here:1.0.0

verification-keyring.keys

Checked-in local keyring that is used to avoid reaching out to key servers whenever a key is required by Gradle to verify an artifact.

AndroidX uses only the human-readable verification-keyring.keys. Gradle also generates a binary verification-keyring.gpg, but it is optional, so we do not use it.

To update this file, after adding the relevant dependencies to the build, run:

development/update-verification-metadata.sh

verification-metadata.xml

Configuration file for Gradle dependency verification used by androidx to make sure dependencies are signed with trusted signatures and that unsigned artifacts have expected checksums.

When adding a new artifact

  • if it is signed, then run:
development/update-verification-metadata.sh

to trust the signature of the new artifact.

  • if it is not signed, then run the following to add generated checksums to verification-metadata.xml:
./gradlew -M sha256 buildOnServer --dry-run

Then diff gradle/verification-metadata.dryrun.xml and gradle/verification-metadata.xml using your favorite tool (e.g. meld) and copy over the entries that are relevant to your new artifacts.

Each new checksum that you copy over in this way must be associated with a bug that is tracking an effort to build or acquire a signed version of this dependency. To associate it with a bug, add an androidx:reason attribute whose value is a string containing a URL for a bug filed in either Buganizer or GitHub:

<component group="g" name="g" version="3.1" androidx:reason="Unsigned b/8675309">
  <artifact name="g-3.1.jar">
    <sha256
      value="f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902"
      origin="Generated by Gradle"
    />
  </artifact>
</component>

After doing this, you can then delete all the verification-*-dryrun.* files.
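
The bug-tracking rule above can be checked mechanically. The following is an added example, not part of the androidx repository: it lists every component trusted by checksum whose androidx:reason carries no bug reference. The function names, the accepted bug-reference forms (b/<id> or a GitHub issue URL) and the androidx namespace URI in the sample are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumed forms of a bug reference: "b/<id>" as in the README sample, or a GitHub issue URL.
BUG_REF = re.compile(r"\bb/\d+\b|github\.com/[\w.-]+/[\w.-]+/issues/\d+")

# Constructed sample. The androidx namespace URI is a placeholder, not the project's real one.
SAMPLE = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification"
    xmlns:androidx="urn:example:androidx">
  <components>
    <component group="g" name="g" version="3.1" androidx:reason="Unsigned b/8675309">
      <artifact name="g-3.1.jar"><sha256 value="00" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="h" name="h" version="1.0">
      <artifact name="h-1.0.jar"><sha256 value="11" origin="Generated by Gradle"/></artifact>
    </component>
    <component group="p" name="p" version="2.0">
      <artifact name="p-2.0.jar"><pgp value="ABCD"/></artifact>
    </component>
    <component group="q" name="q" version="0.1" androidx:reason="Unsigned, no bug yet">
      <artifact name="q-0.1.jar"><sha256 value="22" origin="Generated by Gradle"/></artifact>
    </component>
  </components>
</verification-metadata>"""


def local(tag):
    """Drop the '{namespace}' prefix that ElementTree puts on element tags."""
    return tag.rsplit("}", 1)[-1]


def untracked_checksums(xml_text):
    """Return 'group:name:version' for checksum-trusted components lacking a bug reference."""
    missing = []
    for comp in ET.fromstring(xml_text).iter():
        if local(comp.tag) != "component":
            continue
        has_checksum = any(local(e.tag) == "sha256" for e in comp.iter())
        # A prefixed attribute is keyed as '{uri}reason'; any namespace URI is accepted here.
        reason = next((v for k, v in comp.attrib.items() if k.endswith("}reason")), "")
        if has_checksum and not BUG_REF.search(reason):
            missing.append(":".join(comp.get(a, "?") for a in ("group", "name", "version")))
    return missing


if __name__ == "__main__":
    for coord in untracked_checksums(SAMPLE):
        print("checksum-only, no tracking bug:", coord)
```

Components verified by a pgp entry only are skipped, since the rule applies to copied-over checksums.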