Use of org.gradle.api.internal.artifacts.verification.model.ArtifactVerificationMetadata in the project gradle, by gradle.
From the class DependencyVerifier, method doVerifyArtifact.
/**
 * Verifies one resolved artifact file against the verification metadata and records every
 * failure on {@code builder}. Nothing is returned or thrown by this method itself; a clean
 * outcome is simply the absence of a {@code failWith} call.
 *
 * <p>Two paths exist.
 *
 * <p><b>Listed artifact</b>: the component has metadata and one of its artifact entries carries
 * the same name as {@code foundArtifact.getFileName()}. Only the first entry with a matching
 * name is consulted. On this path:
 * <ul>
 *   <li>no signature file while {@code config.isVerifySignatures()} is true records
 *       {@code MissingSignature}, and the checksums are still verified afterwards;</li>
 *   <li>a signature made only of ignored keys records {@code OnlyIgnoredKeys} and falls back to
 *       the checksums, recording {@code MissingChecksums} as well when the entry has none;</li>
 *   <li>any other signature error is recorded and ends verification without a checksum check;</li>
 *   <li>otherwise the checksums of the entry are verified.</li>
 * </ul>
 *
 * <p><b>Unlisted artifact</b>: no component metadata, or no entry with a matching name. A
 * signature that verifies without error and is not made only of ignored keys is accepted with
 * no checksum comparison at all, so acceptance rests entirely on the key set returned by
 * {@code allTrustedKeys(foundArtifact, emptySet)} (presumably the globally configured trusted
 * keys; confirm against the trust configuration). Every other case on this path ends in
 * {@code MissingChecksums} or in the signature error.
 *
 * @param foundArtifact identifier of the artifact being verified
 * @param checksumService service handed to {@code verifyChecksums}
 * @param signatureVerificationService service used for signature checks and as the source of
 *        the {@code PublicKeyService} needed to render signature errors
 * @param file the artifact file under verification
 * @param signature the signature file, or {@code null} when none is available
 * @param builder collector of verification failures
 */
private void doVerifyArtifact(ModuleComponentArtifactIdentifier foundArtifact, ChecksumService checksumService, SignatureVerificationService signatureVerificationService, File file, File signature, ArtifactVerificationResultBuilder builder) {
    PublicKeyService keyService = signatureVerificationService.getPublicKeyService();
    ComponentVerificationMetadata componentMetadata = verificationMetadata.get(toStringKey(foundArtifact.getComponentIdentifier()));

    if (componentMetadata != null) {
        String artifactFileName = foundArtifact.getFileName();
        for (ArtifactVerificationMetadata entry : componentMetadata.getArtifactVerifications()) {
            if (!entry.getArtifactName().equals(artifactFileName)) {
                continue;
            }

            // First entry with a matching name decides the outcome; later duplicates are never reached.
            if (signature == null) {
                if (config.isVerifySignatures()) {
                    // Recorded, but not terminal: the checksum check below still runs.
                    builder.failWith(new MissingSignature(file));
                }
            } else {
                DefaultSignatureVerificationResultBuilder listedResult = new DefaultSignatureVerificationResultBuilder(file, signature);
                verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, entry.getTrustedPgpKeys()), allIgnoredKeys(entry.getIgnoredPgpKeys()), listedResult);

                if (listedResult.hasOnlyIgnoredKeys()) {
                    // The signature proves nothing once every key is ignored, so checksums become mandatory.
                    builder.failWith(new OnlyIgnoredKeys(file));
                    if (entry.getChecksums().isEmpty()) {
                        builder.failWith(new MissingChecksums(file));
                    } else {
                        verifyChecksums(checksumService, file, entry, builder);
                    }
                    return;
                }

                if (listedResult.hasError()) {
                    // What counts as an error is decided by the result builder, not here.
                    builder.failWith(listedResult.asError(keyService));
                    return;
                }
            }

            verifyChecksums(checksumService, file, entry, builder);
            return;
        }
    }

    if (signature != null) {
        // The artifact is not listed explicitly, yet its signature can still be verified,
        // with no per-artifact trusted or ignored keys.
        DefaultSignatureVerificationResultBuilder unlistedResult = new DefaultSignatureVerificationResultBuilder(file, signature);
        verifySignature(signatureVerificationService, file, signature, allTrustedKeys(foundArtifact, Collections.emptySet()), allIgnoredKeys(Collections.emptySet()), unlistedResult);

        if (unlistedResult.hasError()) {
            builder.failWith(unlistedResult.asError(keyService));
            return;
        }
        if (!unlistedResult.hasOnlyIgnoredKeys()) {
            // Signature accepted: this is the only exit that requires no checksum.
            return;
        }
    }

    // No signature, or one made only of ignored keys, and no checksum entry to compare against.
    builder.failWith(new MissingChecksums(file));
}