After years of being one of the few to keep pushing dependency verification and even #PGP signatures on binaries, while getting responses like "gpg in 2022? wtf?", it is gratifying to see that not only has #Gradle fully adopted this workflow, but also #Android developers at Google:
https://android.googlesource.com/platform/frameworks/support/+/HEAD/gradle/verification-keyring.keys
@eighthave there are still a few bugs in Gradle in the signature verification feature that I'd like fixed. We had to write https://cs.android.com/androidx/platform/frameworks/support/+/androidx-main:development/update-verification-metadata.sh to work around them
@eighthave The bugs we have filed so far have been https://github.com/gradle/gradle/issues?q=is%3Aissue+is%3Aopen+author%3Aliutikas+signature and https://github.com/gradle/gradle/issues?q=is%3Aissue+is%3Aopen+author%3Amathjeff+signature+
We managed to fix a few things for Gradle 8.0, but this feature still needs a fair bit of love.