
We run our Gradle builds on a central server, which caches dependencies and even shares them among projects.
We were concerned that a malicious job might replace a dependency with a forged one.

Is there a way to validate our local copy's hash with the one on the dependency server we use? Thank you!

DanielF

1 Answer


There is a nice Gradle plugin called Gradle Witness which can solve this issue.

When Gradle retrieves the artifact, it will also retrieve the md5sum and sha1sum to verify that they match the calculated md5sum and sha1sum of the retrieved files. The problem, obviously, is that if someone is able to compromise the remote Maven repository and change the jar/aar for a dependency to include some malicious functionality, they could just as easily change the md5sum and sha1sum values the repository advertises as well.

This Gradle plugin simply allows the author of a project to statically specify the sha256sum of the dependencies that it uses.

Moreover, take a look at this SO question about dependency authenticity; it could interest you too.

ToYonos
  • There's checksum-dependency-plugin, which is more powerful than Witness (see https://github.com/vlsi/vlsi-release-plugins#checksum-dependency-plugin ) – Vladimir Sitnikov Aug 03 '19 at 19:54
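The check the answer describes, written out as an added example that is not code from the question, the answer, or Gradle Witness: the project holds a list of pinned SHA-256 values (one `group:name:version:sha256` line per dependency, mirroring the Witness style), and each jar in the shared Gradle cache is hashed locally and compared against that pin rather than against the md5/sha1 the repository advertises. The cache layout assumed is Gradle's `modules-2/files-2.1/<group>/<module>/<version>/<sha1>/<artifact>` layout; the pin file contents, the coordinates and the jar bytes are constructed for the demo.

```python
"""Verify jars in a Gradle cache against project-pinned SHA-256 values.

Added example, not the original post's code or the Witness plugin itself.
Assumptions: Gradle's modules-2/files-2.1/<group>/<module>/<version>/<sha1>/
<module>-<version>.jar cache layout, and a pin format of
"group:name:version:sha256" held in the project (never fetched from the repo).
"""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large jars do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_pins(text: str) -> dict:
    """Parse 'group:name:version:sha256' lines into {(group, name, version): sha256}.
    Blank lines and '#' comments are ignored."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, name, version, digest = line.split(":")
        pins[(group, name, version)] = digest.lower()
    return pins


def cached_jar(cache_root: Path, group: str, name: str, version: str):
    """Locate <name>-<version>.jar for a coordinate in the Gradle cache layout.
    Each artifact sits in its own directory named after the artifact's sha1."""
    base = cache_root / "modules-2" / "files-2.1" / group / name / version
    if not base.is_dir():
        return None
    for sha1_dir in base.iterdir():
        candidate = sha1_dir / f"{name}-{version}.jar"
        if candidate.is_file():
            return candidate
    return None


def verify(cache_root: Path, pins: dict) -> dict:
    """Return {'group:name:version': 'ok' | 'MISMATCH' | 'MISSING'} for every pin."""
    results = {}
    for (group, name, version), expected in pins.items():
        coord = f"{group}:{name}:{version}"
        jar = cached_jar(cache_root, group, name, version)
        if jar is None:
            results[coord] = "MISSING"
            continue
        actual = sha256_of(jar)
        # compare_digest is not strictly required for public-file hashes,
        # but it avoids writing an ad hoc string comparison for digests.
        results[coord] = "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"
    return results


def build_demo_cache(root: Path):
    """Constructed sample: two fake 'jars' placed in the Gradle cache layout."""
    good = b"PK\x03\x04 constructed jar bytes for demo-lib 1.0"
    tampered = b"PK\x03\x04 constructed jar bytes that do not match the pin"
    for group, name, version, data in [
        ("org.example", "demo-lib", "1.0", good),
        ("org.example", "other-lib", "2.3", tampered),
    ]:
        sha1_dir = root / "modules-2" / "files-2.1" / group / name / version / hashlib.sha1(data).hexdigest()
        sha1_dir.mkdir(parents=True)
        (sha1_dir / f"{name}-{version}.jar").write_bytes(data)
    return good, tampered


def run_demo() -> dict:
    """One intact jar, one whose bytes differ from the pin, one never cached."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        good, _tampered = build_demo_cache(root)
        pins = parse_pins(f"""
        # pinned in the project source tree (constructed sample)
        org.example:demo-lib:1.0:{hashlib.sha256(good).hexdigest()}
        org.example:other-lib:2.3:{'0' * 64}
        org.example:absent-lib:0.1:{'1' * 64}
        """)
        return verify(root, pins)


if __name__ == "__main__":
    for coord, status in run_demo().items():
        print(f"{status:8} {coord}")
```

Run it against a real cache by pointing `verify()` at `~/.gradle/caches` and a pin file committed to the repository. The important property, as the answer points out, is that the expected digests live in the project and are reviewed like code; a server-side attacker who can rewrite the jar and its advertised `.sha1`/`.md5` cannot also rewrite the pin, so the tampered artifact shows up as `MISMATCH` instead of passing.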