Gradle Verification Metadata

Definition

Gradle Verification Metadata is Gradle's dependency verification feature: it lets a project check the integrity and origin of every dependency artifact it resolves. Expected checksums for each artifact (and, when signature verification is enabled, the PGP keys trusted to sign them) are recorded in gradle/verification-metadata.xml, and Gradle compares each downloaded artifact against that file during resolution. An artifact whose checksum does not match, whose signature is not from a trusted key, or which has no entry at all fails the build in strict mode, so a tampered or substituted dependency cannot silently enter the build.

Secure Settings Example

Gradle has no verificationMetadata {} block in build.gradle; verification is enabled by committing gradle/verification-metadata.xml (bootstrapped with ./gradlew --write-verification-metadata sha256 help, which records a checksum for every resolved artifact) and building with ./gradlew build --dependency-verification=strict.

<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
    <!-- Gradle applies this file automatically when it exists at gradle/verification-metadata.xml -->
    <configuration>
        <verify-metadata>true</verify-metadata>       <!-- also check POM/module metadata checksums -->
        <verify-signatures>true</verify-signatures>   <!-- PGP checks; needs a <trusted-keys> list -->
    </configuration>
    <components>
        <!-- One entry per artifact; coordinates and checksum below are placeholders -->
        <component group="org.example" name="lib" version="1.0">
            <artifact name="lib-1.0.jar">
                <sha256 value="PLACEHOLDER_SHA256_OF_LIB_1_0_JAR"/>
            </artifact>
        </component>
    </components>
</verification-metadata>
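To make the checksum half of that check concrete, here is an added example (not Gradle's own code) that parses a constructed verification-metadata.xml and reports, per artifact, the same three outcomes strict mode distinguishes: a matching checksum, a mismatch, and an artifact with no entry at all. The artifact bytes and coordinates are constructed placeholders; pgp entries are skipped because signature checks need a key ring.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}

# Constructed artifact bytes standing in for a downloaded jar (not a real file).
GOOD_JAR = b"PK\x03\x04 constructed jar contents"

# Constructed gradle/verification-metadata.xml; only sha256 entries, no signatures.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-metadata>true</verify-metadata>
    <verify-signatures>false</verify-signatures>
  </configuration>
  <components>
    <component group="org.example" name="lib" version="1.0">
      <artifact name="lib-1.0.jar">
        <sha256 value="{good}"/>
      </artifact>
    </component>
  </components>
</verification-metadata>
""".format(good=hashlib.sha256(GOOD_JAR).hexdigest())


def load_checksums(xml_text):
    """Map 'group:name:version:artifact' -> {algorithm: expected hex digest}."""
    expected = {}
    for comp in ET.fromstring(xml_text).findall("v:components/v:component", NS):
        coord = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp.findall("v:artifact", NS):
            # Child tag names are the algorithms Gradle wrote: sha256, sha512, md5, sha1, pgp
            algos = {c.tag.split("}")[1]: c.get("value").lower() for c in art}
            expected[f"{coord}:{art.get('name')}"] = algos
    return expected


def verify_artifact(expected, coordinate, data):
    """Return 'ok', 'mismatch' or 'missing' for one downloaded artifact.
    'missing' is what makes strict mode fail: an unlisted artifact is untrusted."""
    algos = expected.get(coordinate)
    if algos is None:
        return "missing"
    for algo, value in algos.items():
        if algo == "pgp":
            continue  # signature verification needs a key ring; checksum-only here
        if hashlib.new(algo, data).hexdigest() != value:
            return "mismatch"
    return "ok"
```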

Insecure Settings Example

# No gradle/verification-metadata.xml in the repository: Gradle performs no dependency verification at all,
# so any artifact a repository serves is accepted as-is.
# Equivalent bypass even when the file exists, skipping every checksum and signature check:
$ ./gradlew build --dependency-verification=off