
build: verification-metadata.xml #127

Open: boolivar wants to merge 4 commits into master from verification-metadata


Conversation

@boolivar (Owner) commented Mar 3, 2026

generated verification-metadata.xml

@qodo-code-review

Review Summary by Qodo

Add Gradle verification metadata configuration

✨ Enhancement


Walkthroughs

Description
• Add Gradle verification metadata configuration file
• Enable dependency verification and checksum validation
• Support secure build artifact verification
Diagram
flowchart LR
  A["Build Configuration"] -- "adds verification rules" --> B["verification-metadata.xml"]
  B -- "enables" --> C["Dependency Verification"]
  C -- "validates" --> D["Build Security"]


File Changes

1. gradle/verification-metadata.xml ⚙️ Configuration changes +1335/-0

Add Gradle verification metadata configuration

• New Gradle verification metadata file for dependency verification
• Configures checksum validation rules for build artifacts
• Enables secure dependency resolution and validation




qodo-code-review Bot commented Mar 3, 2026

Code Review by Qodo

🐞 Bugs (3) 📘 Rule violations (0) 📎 Requirement gaps (0)



Action required

1. Ignored keys reduce security 🐞 Bug ⛨ Security
Description
Signature verification is enabled but many signing keys are explicitly ignored because they couldn’t
be downloaded. This weakens dependency signature verification (those signatures will be skipped) and
suggests key retrieval problems are expected/recurring in clean CI/dev environments.
Code

gradle/verification-metadata.xml[R4-36]

+      <verify-metadata>true</verify-metadata>
+      <verify-signatures>true</verify-signatures>
+      <ignored-keys>
+         <ignored-key id="09A79E1E15A04694" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="0CC0B712FEE75827" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="153E7A3C2B4E5118" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="164779204E106A76" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="218FA0F6A941A037" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="21A24B3F8B0F594A" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="2E55C136C4729D19" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="32AC66C4FBF15ECB" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="3D12CA2AC19F3181" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="3D5839A2262CBBFB" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="47933D17F199636B" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="56E73BA9A0B592D0" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="63F1DD7753B8B315" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="6601E5C08DCCBB96" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="6A0975F8B1127B83" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="6ED0F678B90EB06E" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="72475FD306B9CAB7" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="7A01B0F236E5430F" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="7C7D8456294423BA" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="A6EA2E2BF22E0543" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="BAC30622339994C4" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="BCF4173966770193" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="BFFC9B54721244AD" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="C71FB765CD9DE313" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="DEE12B9896F97E34" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="F13D3E721D56BD54" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="F2A01147D830C125" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="F3D1600878E85A3D" reason="Key couldn't be downloaded from any key server"/>
+         <ignored-key id="F4CABFB5B89B8BE6" reason="Key couldn't be downloaded from any key server"/>
+      </ignored-keys>
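Review bot: all 29 `ignored-key` entries in this block carry the identical generated reason, "Key couldn't be downloaded from any key server", so the list is the residue of a metadata-generation run that could not reach a keyserver, not a set of reviewed trust decisions, and with `<verify-signatures>true</verify-signatures>` two lines above it Gradle will skip the signature check for anything signed by these keys. Regenerate with `--refresh-keys` so keys that were only transiently unreachable drop out of the list, add `--export-keys` and check in the exported keyring so CI no longer depends on keyserver reachability, and for any key that still cannot be fetched replace the generated reason with a hand-written one that says why skipping that signature is acceptable. Note that these ids are 16-hex long key IDs while the `<pgp value=...>` and `<trusted-key id=...>` entries elsewhere in this file are 40-hex fingerprints, so match them against the exported keyring rather than by eye.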
Evidence
The dependency verification configuration enables signature verification while simultaneously
declaring a large set of ignored keys due to key download failures. This combination degrades the
security value of signature verification and indicates operational keyserver reachability issues.

gradle/verification-metadata.xml[3-36]
buildSrc/build.gradle[5-18]
buildSrc/src/main/groovy/java-conventions.gradle[75-77]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`gradle/verification-metadata.xml` enables signature verification but lists many ignored keys with reason "Key couldn't be downloaded from any key server". This undermines the intended security guarantees and can hide problems with key retrieval.

### Issue Context
Gradle will use `gradle/verification-metadata.xml` automatically for dependency verification. With `verify-signatures=true`, builds may attempt PGP verification, but ignored keys mean some signatures won’t be validated as intended.

### Fix Focus Areas
- gradle/verification-metadata.xml[4-36]
- (If choosing to keep signature verification) add/build documentation or Gradle settings to ensure key retrieval works consistently in CI (e.g., configured key servers or a checked-in keyring).



2. PGP-only artifacts brittle 🐞 Bug ⛯ Reliability
Description
Some artifacts in the verification metadata are verified only via PGP (no sha256 checksum). With
verify-signatures=true, this makes builds brittle: if signature/key retrieval fails (which already
occurred for other components), there’s no checksum fallback for these artifacts.
Code

gradle/verification-metadata.xml[R256-260]

+      <component group="com.google.guava" name="guava-parent" version="26.0-android">
+         <artifact name="guava-parent-26.0-android.pom">
+            <pgp value="694621A7227D8D5289699830ABE9F3126BB741C1"/>
+         </artifact>
+      </component>
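Review bot: `guava-parent-26.0-android.pom` is pinned by the PGP fingerprint 694621A7227D8D5289699830ABE9F3126BB741C1 alone, so if that signature or key cannot be fetched at build time the artifact fails verification with nothing to fall back on, and this same file already records keyserver failures for 29 other keys. Either add a `<sha256>` sibling with the POM's digest under the same `<artifact>` so it still verifies when the key is unreachable, or keep it signature-only and ship the key in a checked-in keyring produced with `--export-keys`; apply the same choice to the other PGP-only entries the review cites so the file is consistent about which mechanism it relies on.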
Evidence
The metadata contains artifacts that have only <pgp .../> entries and no <sha256 .../>. The same
file also records that key download failures happened for other components, demonstrating that PGP
key retrieval is not guaranteed, which can cause verification failures for PGP-only artifacts.

gradle/verification-metadata.xml[4-6]
gradle/verification-metadata.xml[256-260]
gradle/verification-metadata.xml[540-544]
gradle/verification-metadata.xml[612-616]
gradle/verification-metadata.xml[241-244]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Several artifacts in `gradle/verification-metadata.xml` are PGP-only (no sha256). With `verify-signatures=true`, verification depends on PGP signature + key retrieval, which can fail in CI or restricted networks.

### Issue Context
The same metadata records key download failures for other dependencies, so relying exclusively on PGP for some artifacts is risky.

### Fix Focus Areas
- gradle/verification-metadata.xml[4-6]
- gradle/verification-metadata.xml[256-260]
- gradle/verification-metadata.xml[540-544]
- gradle/verification-metadata.xml[612-616]
- gradle/verification-metadata.xml[241-244]




Remediation recommended

3. Broad trusted-key regex 🐞 Bug ⛨ Security
Description
Some trusted keys are scoped with very broad regex patterns (e.g., all com.google.* or all
org.apache.*). This increases the blast radius of a compromised trusted key and reduces the value
of dependency verification by trusting more coordinates than necessary.
Code

gradle/verification-metadata.xml[R142-147]

+         <trusted-key id="EE0CA873074092F806F59B65D364ABAA39A47320" group="^com[.]google($|([.].*))" regex="true"/>
+         <trusted-key id="F254B35617DC255D9344BCFA873A8E86B4372146" group="org.codehaus.plexus"/>
+         <trusted-key id="FA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A">
+            <trusting group="org.codehaus.plexus"/>
+            <trusting group="^org[.]apache($|([.].*))" regex="true"/>
+         </trusted-key>
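Review bot: the two regex scopes here, `^com[.]google($|([.].*))` and `^org[.]apache($|([.].*))`, carry no `name` or `version` restriction, so each key is trusted for every module of every group under that prefix, including groups this build never resolves. The patterns themselves are written correctly (anchored, `[.]` for the literal dot, and `($|([.].*))` so that `com.googlecode` is not matched); the problem is only their breadth. Replace each with one `<trusting group="..."/>` per group that actually appears under `<components>`, for example `<trusting group="com.google.guava"/>` for the Guava entries, and add a `name` attribute where a key signs a single module. `org.codehaus.plexus` is already trusted for both F254B35617DC255D9344BCFA873A8E86B4372146 and FA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A, which is fine when different Plexus modules have different signers, but each regeneration run can widen entries like these further, so diff this section on every update.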
Evidence
The trusted-keys configuration includes regex-based trust rules that match large coordinate ranges,
not just the specific modules used by this build.

gradle/verification-metadata.xml[142-147]
gradle/verification-metadata.xml[40-41]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
Trusted PGP keys are currently scoped via regex to very broad group ranges (e.g., all `com.google.*`, all `org.apache.*`). This expands the set of artifacts that will be trusted under a single key.

### Issue Context
The broader the trusted scope, the less useful dependency verification becomes as a defense-in-depth control.

### Fix Focus Areas
- gradle/verification-metadata.xml[40-41]
- gradle/verification-metadata.xml[142-147]



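The three findings above are easy to re-check on every regenerated metadata file, so here is an added audit script (an example written for this page, not code from the project or from the Qodo review). It parses a verification-metadata.xml, lists the ignored keys, flags artifacts that carry only a `<pgp>` fingerprint and no checksum, and for every regex-scoped trust rule without a `name` restriction reports which component groups in the file it actually matches, then emits a narrowed replacement built from those groups. Assumptions: the root namespace is `https://schema.gradle.org/dependency-verification`, which is what Gradle writes; Gradle's regex scopes must match the whole group string (Java `matches()`), mirrored here with `re.fullmatch`; and the embedded sample is constructed from the fragments quoted in the review plus two placeholder components (`jsr305`, `commons-lang3`) whose all-zero sha256 values are not real digests.

```python
import re
import xml.etree.ElementTree as ET

# Any of these inside <artifact> gives a fallback when the PGP check cannot run.
CHECKSUM_TAGS = {"md5", "sha1", "sha256", "sha512"}

def parse_metadata(xml_text):
    """Parse the file and strip the namespace so tags match by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def ignored_keys(root):
    """Keys whose signatures Gradle will skip, with the recorded reason."""
    return [(k.get("id"), k.get("reason", "")) for k in root.iter("ignored-key")]

def pgp_only_artifacts(root):
    """Artifacts pinned by a PGP fingerprint alone, with no checksum fallback."""
    found = []
    for comp in root.iter("component"):
        coord = f"{comp.get('group')}:{comp.get('name')}:{comp.get('version')}"
        for art in comp.findall("artifact"):
            kinds = {child.tag for child in art}
            if "pgp" in kinds and not kinds & CHECKSUM_TAGS:
                found.append(f"{coord} ({art.get('name')})")
    return found

def trust_rules(root):
    """Flatten both syntaxes: attributes on <trusted-key> and nested <trusting>."""
    rules = []
    for tk in root.iter("trusted-key"):
        for scope in tk.findall("trusting") or [tk]:
            rules.append({"key": tk.get("id"), "group": scope.get("group"),
                          "name": scope.get("name"), "regex": scope.get("regex") == "true"})
    return rules

def broad_trust_rules(root):
    """Regex rules with no name restriction, plus the component groups in this file
    they cover. Gradle matches the whole group, so re.fullmatch mirrors Java matches()."""
    groups = sorted({c.get("group") for c in root.iter("component")})
    findings = []
    for rule in trust_rules(root):
        if rule["regex"] and rule["name"] is None:
            covered = [g for g in groups if re.fullmatch(rule["group"], g)]
            findings.append((rule["key"], rule["group"], covered))
    return findings

def narrowed_rules(root):
    """Each broad rule rewritten as explicit <trusting> entries for the groups it covers."""
    lines = []
    for key, _pattern, covered in broad_trust_rules(root):
        lines.append(f'<trusted-key id="{key}">')
        lines.extend(f'   <trusting group="{g}"/>' for g in covered)
        lines.append("</trusted-key>")
    return lines

# Constructed sample built from the fragments quoted in the review; the jsr305 and
# commons-lang3 components and their all-zero sha256 values are placeholders.
SAMPLE = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
   <configuration>
      <verify-signatures>true</verify-signatures>
      <ignored-keys>
         <ignored-key id="09A79E1E15A04694" reason="Key couldn't be downloaded from any key server"/>
      </ignored-keys>
      <trusted-keys>
         <trusted-key id="EE0CA873074092F806F59B65D364ABAA39A47320" group="^com[.]google($|([.].*))" regex="true"/>
         <trusted-key id="F254B35617DC255D9344BCFA873A8E86B4372146" group="org.codehaus.plexus"/>
         <trusted-key id="FA77DCFEF2EE6EB2DEBEDD2C012579464D01C06A">
            <trusting group="org.codehaus.plexus"/>
            <trusting group="^org[.]apache($|([.].*))" regex="true"/>
         </trusted-key>
      </trusted-keys>
   </configuration>
   <components>
      <component group="com.google.guava" name="guava-parent" version="26.0-android">
         <artifact name="guava-parent-26.0-android.pom">
            <pgp value="694621A7227D8D5289699830ABE9F3126BB741C1"/>
         </artifact>
      </component>
      <component group="com.google.code.findbugs" name="jsr305" version="3.0.2">
         <artifact name="jsr305-3.0.2.jar">
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="Generated by Gradle"/>
         </artifact>
      </component>
      <component group="org.apache.commons" name="commons-lang3" version="3.12.0">
         <artifact name="commons-lang3-3.12.0.jar">
            <sha256 value="0000000000000000000000000000000000000000000000000000000000000000" origin="Generated by Gradle"/>
         </artifact>
      </component>
   </components>
</verification-metadata>
"""

if __name__ == "__main__":
    import sys
    root = parse_metadata(open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE)
    for fn in (ignored_keys, pgp_only_artifacts, broad_trust_rules, narrowed_rules):
        print(fn.__name__, *fn(root), sep="\n  ")
```

Run it with no arguments to audit the embedded sample, or pass the path to the real `gradle/verification-metadata.xml`. The narrowed output is only a starting point: it lists the groups the file resolves today, so it has to be regenerated (or the regex kept deliberately, with a note) whenever a new group under the same prefix is added.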

Comment thread on gradle/verification-metadata.xml (outdated)
Comment on lines +4 to +36
<verify-metadata>true</verify-metadata>
<verify-signatures>true</verify-signatures>
<ignored-keys>
<ignored-key id="09A79E1E15A04694" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="0CC0B712FEE75827" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="153E7A3C2B4E5118" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="164779204E106A76" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="218FA0F6A941A037" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="21A24B3F8B0F594A" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="2E55C136C4729D19" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="32AC66C4FBF15ECB" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="3D12CA2AC19F3181" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="3D5839A2262CBBFB" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="47933D17F199636B" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="56E73BA9A0B592D0" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="63F1DD7753B8B315" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="6601E5C08DCCBB96" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="6A0975F8B1127B83" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="6ED0F678B90EB06E" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="72475FD306B9CAB7" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="7A01B0F236E5430F" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="7C7D8456294423BA" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="A6EA2E2BF22E0543" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="BAC30622339994C4" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="BCF4173966770193" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="BFFC9B54721244AD" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="C71FB765CD9DE313" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="DEE12B9896F97E34" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="F13D3E721D56BD54" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="F2A01147D830C125" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="F3D1600878E85A3D" reason="Key couldn't be downloaded from any key server"/>
<ignored-key id="F4CABFB5B89B8BE6" reason="Key couldn't be downloaded from any key server"/>
</ignored-keys>

Comment on lines +256 to +260
<component group="com.google.guava" name="guava-parent" version="26.0-android">
<artifact name="guava-parent-26.0-android.pom">
<pgp value="694621A7227D8D5289699830ABE9F3126BB741C1"/>
</artifact>
</component>

boolivar force-pushed the verification-metadata branch from cf0c2de to 6982b02 on March 4, 2026 00:24
codecov Bot commented Apr 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.35%. Comparing base (3225ff9) to head (fe205c0).
⚠️ Report is 1 commit behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##             master     #127   +/-   ##
=========================================
  Coverage     90.35%   90.35%           
  Complexity      172      172           
=========================================
  Files            36       36           
  Lines           477      477           
  Branches         21       21           
=========================================
  Hits            431      431           
  Misses           39       39           
  Partials          7        7           

