1## wrapper/gradle-wrapper.properties
2
3Keeps track of Gradle version used by androidx. When updating the version a new version prebuilt needs to be added to `tools/external/gradle` repository.
4
5## libs.versions.toml
6
7Keeps track of library and plugin dependencies used by androidx. Adding or updating a library there requires running `./development/importMaven/importMaven.sh myartifact:here:1.0.0`
8
9## verification-keyring.keys
10
11Checked-in [local keyring](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:local-keyring)
12that is used to avoid reaching out to key servers whenever a key is required by Gradle to verify an
13artifact.
14
15AndroidX only uses human readable `verification-keyring.keys`. Gradle also generates binary
16`verification-keyring.gpg`, but it is optional, and thus we do not use it.
17
18To update this file, after adding the relevant dependencies to the build, run:
19```
20development/update-verification-metadata.sh
21```
22
23## verification-metadata.xml
24
25[Configuration file for Gradle dependency verification](https://docs.gradle.org/current/userguide/dependency_verification.html#sub:verification-metadata) used by androidx to make sure dependencies are [signed with trusted signatures](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:signature-verificationn) and that unsigned artifacts have [expected checksums](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:checksum-verification).
26
27When adding a new artifact, first run:
28```
29development/update-verification-metadata.sh
30```
31to trust the signature (or checksum) of the new artifact.
32
33Then, if any checksums were added, make sure they're associated with a bug that is tracking
34an effort to build or acquire a signed version of this dependency.  To associate with a bug,
35please add an `androidx:reason` attribute to a string that contains a URL for a bug filed
36either in buganizer or github:
37
38```xml
39<component group="g" name="g" version="3.1" androidx:reason="Unsigned b/8675309">
40  <artifact name="g-3.1.jar">
41    <sha256
42      value="f5759b7fcdfc83a525a036deedcbd32e5b536b625ebc282426f16ca137eb5902"
43      origin="Generated by Gradle"
44    />
45  </artifact>
46</component>
47```
48
49### If that doesn't work.
50
51If the artifact is not signed, and does not get automatically added to
52verification-metadata.xml when you go through the above process, it's possible it's a
53dependency of a [detached configuration](https://docs.gradle.org/current/userguide/dependency_verification.html#sec:bootstrapping-verification).
54
55In this case, your best option may be to generate and add the checksum by hand, to at least
56protect against any future tampering with the current artifact file.  To do this, for an
57artifact file foo.tar.gz, run: `sha256 foo.tar.gz`.  This will generate a sha256 checksum that
58you can hand-add to verification-metadata.xml following the example of other entries.  For
59example, this is where the current checksum for kotlin-native-prebuilt-linux-x86_64 came from.
60