
Artifacts not signed #90

Closed
dsvensson opened this issue Dec 13, 2024 · 4 comments

Comments


dsvensson commented Dec 13, 2024

Not all artifacts are signed. Updating the plugin to a new version with dependabot without also updating the checksum fails with:

```text
* What went wrong:
Error resolving plugin [id: 'org.gradle.toolchains.foojay-resolver', version: '0.9.0']
> Dependency verification failed for configuration 'detachedConfiguration2':
    - On artifact org.gradle.toolchains.foojay-resolver.gradle.plugin-0.9.0.pom (org.gradle.toolchains.foojay-resolver:org.gradle.toolchains.foojay-resolver.gradle.plugin:0.9.0) in repository 'maven': checksum is missing from verification metadata.

  If the artifacts are trustworthy, you will need to update the gradle/verification-metadata.xml file. For more on how to do this, please refer to https://docs.gradle.org/8.10/userguide/dependency_verification.html#sec:troubleshooting-verification in the Gradle documentation.

  These files failed verification:
    - GRADLE_USER_HOME/caches/modules-2/files-2.1/org.gradle.toolchains.foojay-resolver/org.gradle.toolchains.foojay-resolver.gradle.plugin/0.9.0/6c1340219aebd753bc2d0e2183379af5224a3803/org.gradle.toolchains.foojay-resolver.gradle.plugin-0.9.0.pom

  GRADLE_USER_HOME = /home/circleci/.gradle

  These files failed verification:
    - GRADLE_USER_HOME/caches/modules-2/files-2.1/org.gradle.toolchains.foojay-resolver/org.gradle.toolchains.foojay-resolver.gradle.plugin/0.9.0/6c1340219aebd753bc2d0e2183379af5224a3803/org.gradle.toolchains.foojay-resolver.gradle.plugin-0.9.0.pom

  GRADLE_USER_HOME = /home/circleci/.gradle

  Open this report for more details: file:///home/circleci/project/build/reports/dependency-verification/at-1733192413182/dependency-verification-report.html
```

By having all the relevant content signed, dependabot would be able to provide a PR with a decent chain of trust by relying on signature verification alone.

jbartok (Member) commented Dec 17, 2024

The first link you've sent is NOT the plugin. It's something we call a "plugin marker". It's just a pom having the actual plugin as its dependency. How exactly are you using the plugin that you ended up having this problem?

dsvensson (Author) commented Dec 17, 2024

Thanks. I've updated the description to be more generic. As for how I use it: I just use it in settings.gradle.kts via id("org.gradle.toolchains.foojay-resolver") version "0.9.0" with dependency verification enabled. The expected behavior should be to have a foojay key as <trusted-key id=... .../> and an empty <components> section in verification-metadata.xml, like how most other projects work, but at the moment foojay needs an entry in the components section:

```xml
<component group="org.gradle.toolchains.foojay-resolver" name="org.gradle.toolchains.foojay-resolver.gradle.plugin" version="0.9.0">
    <artifact name="org.gradle.toolchains.foojay-resolver.gradle.plugin-0.9.0.pom">
        <sha256 value="daeec583f12c2b437c3557521826101197d90b92e3b64e44610b3f21d8bb0a5f" origin="Generated by Gradle" reason="Artifact is not signed"/>
    </artifact>
</component>
```

For other foojay artifacts, the signature is correctly validated via:

```xml
<trusted-key id="1BD97A6A154E7810EE0BC832E2F38302C8075E3D">
    <trusting group="org.gradle.kotlin" name="gradle-kotlin-dsl-plugins"/>
    <trusting group="org.gradle.toolchains" name="foojay-resolver"/>
</trusted-key>
```

Something that would be nice would be validation of the fetched JVM, but that's another topic.
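The distinction drawn in the comment above, signature-trusted coordinates versus checksum-only pins in `verification-metadata.xml`, can be audited mechanically. The following script is an added example and not code from the foojay-resolver project or from this issue: it lists every `<component>` entry (trust by checksum), looks up whether a `<trusted-key>` rule covers the same group and name, and reports the entries that no key covers, which are exactly the ones a version bump cannot carry forward without regenerating a checksum. The embedded metadata is constructed from the fragments quoted in the issue; the namespace on the root element is the one Gradle writes (it is stripped before matching, so its exact value is irrelevant), and the `group`, `name` and `regex` attributes of `<trusting>` are taken as Gradle defines them.

```python
"""Audit a Gradle verification-metadata.xml for checksum-only trust.

Added example: not code from the foojay-resolver project. The sample below is
constructed from the fragments quoted in the issue.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the trusted key covers the real plugin coordinates, while the
# plugin marker pom only carries a checksum Gradle generated because it was unsigned.
SAMPLE_METADATA = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-metadata>true</verify-metadata>
      <verify-signatures>true</verify-signatures>
      <trusted-keys>
         <trusted-key id="1BD97A6A154E7810EE0BC832E2F38302C8075E3D">
            <trusting group="org.gradle.kotlin" name="gradle-kotlin-dsl-plugins"/>
            <trusting group="org.gradle.toolchains" name="foojay-resolver"/>
         </trusted-key>
      </trusted-keys>
   </configuration>
   <components>
      <component group="org.gradle.toolchains.foojay-resolver" name="org.gradle.toolchains.foojay-resolver.gradle.plugin" version="0.9.0">
         <artifact name="org.gradle.toolchains.foojay-resolver.gradle.plugin-0.9.0.pom">
            <sha256 value="daeec583f12c2b437c3557521826101197d90b92e3b64e44610b3f21d8bb0a5f" origin="Generated by Gradle" reason="Artifact is not signed"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree attaches to every Gradle element."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def _rule_matches(rule, group, name):
    """Apply one <trusting> rule: a missing attribute matches anything, and
    regex="true" switches the attributes from exact to regular-expression matching."""
    use_regex = rule.get("regex", "false") == "true"

    def match(pattern, value):
        if pattern is None:
            return True
        return bool(re.fullmatch(pattern, value)) if use_regex else pattern == value

    return match(rule.get("group"), group) and match(rule.get("name"), name)


def checksum_pinned_artifacts(xml_text):
    """Every artifact listed under <components>, i.e. trusted by checksum, together
    with the reason Gradle recorded so that 'Artifact is not signed' pins stand out."""
    root = ET.fromstring(xml_text)
    pinned = []
    for comp in root.iter():
        if _local(comp.tag) != "component":
            continue
        for art in _children(comp, "artifact"):
            for checksum in art:  # <sha256>, <sha512>, ... children of <artifact>
                pinned.append({
                    "group": comp.get("group"),
                    "name": comp.get("name"),
                    "version": comp.get("version"),
                    "artifact": art.get("name"),
                    "algorithm": _local(checksum.tag),
                    "reason": checksum.get("reason", ""),
                })
    return pinned


def trusted_keys_for(xml_text, group, name):
    """Ids of the <trusted-key> entries whose <trusting> rules cover group:name."""
    root = ET.fromstring(xml_text)
    ids = []
    for key in root.iter():
        if _local(key.tag) != "trusted-key":
            continue
        if any(_rule_matches(rule, group, name) for rule in _children(key, "trusting")):
            ids.append(key.get("id"))
    return ids


def signature_gaps(xml_text):
    """Checksum-pinned artifacts whose coordinates no trusted key covers. A version
    bump cannot carry these forward: the new version needs a freshly generated
    checksum instead of a signature check."""
    return [
        art for art in checksum_pinned_artifacts(xml_text)
        if not trusted_keys_for(xml_text, art["group"], art["name"])
    ]


if __name__ == "__main__":
    for gap in signature_gaps(SAMPLE_METADATA):
        print(f"{gap['group']}:{gap['name']}:{gap['version']} {gap['artifact']} "
              f"pinned by {gap['algorithm']} ({gap['reason'] or 'no reason recorded'})")
```

Run against the sample, the only gap reported is the plugin marker pom: its group `org.gradle.toolchains.foojay-resolver` is not the `org.gradle.toolchains` group the trusted key covers, which is why the marker needs a `<component>` entry while the plugin jar itself does not. Pointing the script at a real `gradle/verification-metadata.xml` gives the list of coordinates that still depend on checksum maintenance rather than on the publisher's signing key.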

jbartok (Member) commented Dec 18, 2024

Seems like we are aware of the problem, will close this issue in favor of that one:

jbartok closed this as completed Dec 18, 2024

dsvensson (Author) commented
Hah... and that other issue you linked now was created as a side effect of an issue I filed in s3 build cache plugin 2.5 years ago, forgot about that one. :)
