Examples with ArtifactVerificationMetadata org.gradle.api.internal.artifacts.verification.model.ArtifactVerificationMetadata used on opensource projects

Example 1 with ArtifactVerificationMetadata

use of org.gradle.api.internal.artifacts.verification.model.ArtifactVerificationMetadata in project gradle by gradle.

the class DependencyVerifier method doVerifyArtifact.

private void doVerifyArtifact(ModuleComponentArtifactIdentifier foundArtifact, ChecksumService checksumService, SignatureVerificationService signatureVerificationService, File file, File signature, ArtifactVerificationResultBuilder builder) {
    PublicKeyService publicKeyService = signatureVerificationService.getPublicKeyService();
    ComponentVerificationMetadata componentVerification = verificationMetadata.get(toStringKey(foundArtifact.getComponentIdentifier()));
    if (componentVerification != null) {
        String foundArtifactFileName = foundArtifact.getFileName();
        List<ArtifactVerificationMetadata> verifications = componentVerification.getArtifactVerifications();
        for (ArtifactVerificationMetadata verification : verifications) {
            String verifiedArtifact = verification.getArtifactName();
            if (verifiedArtifact.equals(foundArtifactFileName)) {
                if (signature == null && config.isVerifySignatures()) {
                    builder.failWith(new MissingSignature(file));
                }
                if (signature != null) {
                    DefaultSignatureVerificationResultBuilder result = new DefaultSignatureVerificationResultBuilder(file, signature);
                    verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, verification.getTrustedPgpKeys()), allIgnoredKeys(verification.getIgnoredPgpKeys()), result);
                    if (result.hasOnlyIgnoredKeys()) {
                        builder.failWith(new OnlyIgnoredKeys(file));
                        if (verification.getChecksums().isEmpty()) {
                            builder.failWith(new MissingChecksums(file));
                            return;
                        } else {
                            verifyChecksums(checksumService, file, verification, builder);
                            return;
                        }
                    }
                    if (result.hasError()) {
                        builder.failWith(result.asError(publicKeyService));
                        return;
                    }
                }
                verifyChecksums(checksumService, file, verification, builder);
                return;
            }
        }
    }
    if (signature != null) {
        // it's possible that the artifact is not listed explicitly but we can still verify signatures
        DefaultSignatureVerificationResultBuilder result = new DefaultSignatureVerificationResultBuilder(file, signature);
        verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, Collections.emptySet()), allIgnoredKeys(Collections.emptySet()), result);
        if (result.hasError()) {
            builder.failWith(result.asError(publicKeyService));
            return;
        } else if (!result.hasOnlyIgnoredKeys()) {
            return;
        }
    }
    builder.failWith(new MissingChecksums(file));
}