ppkarwasz opened a new pull request, #3828: URL: https://github.com/apache/solr/pull/3828
# Description

This PR replaces Solr’s custom dependency verification with [Gradle’s built-in Verification Metadata](https://docs.gradle.org/current/userguide/dependency_verification.html), as proposed in [SOLR-17657](https://issues.apache.org/jira/browse/SOLR-17657).

Gradle’s mechanism provides a standardized and well-maintained way to verify dependencies **before** they are used, including all runtime and plugin artifacts.

Benefits:

* Managed and updated by Gradle itself
* Enforces verification *prior* to dependency usage
* Covers **all** artifacts, including Gradle plugins and their transitive dependencies

# Approach

This change builds on Solr’s existing verified checksums stored in `solr/licenses`, ensuring a safe transition without discarding previously verified data.

Additional checksums (for POMs, Gradle module files, plugins, and their dependencies) were generated using Gradle’s bootstrap procedure:

```bash
./gradlew --write-verification-metadata sha256
```

This follows the *Trust On First Use (TOFU)* model and the generated entries are explicitly marked as “Generated by Gradle”.

> [!WARNING]
> This PR is a **work in progress**, focused on achieving parity with Solr’s current checksum verification.
>
> Feedback is welcome on how to handle **future dependency upgrades** securely. One possible next step is adding **PGP signature verification** using TOFU-based keys that can later be replaced with verified fingerprints.
>
> While this wouldn’t prove artifact provenance, it would detect key changes and fail the build for manual review.

# How to Review

Because this PR moves hundreds of checksum entries, manual line-by-line review isn’t practical. Copilot might actually be useful here.

For a manual review, here’s a recommended verification process:

## Step 1: Verify SHA-1 checksum migration

A helper script `generate-verification-metadata.sh` is included. It reproduces the migration from Solr’s legacy SHA-1 data to Gradle’s verification format.

You can verify that the migration output matches what’s committed:

```bash
# Fetch and checkout PR
git fetch [email protected]:vex-generation-toolset/solr.git feat/gradle-verification-metadata
# Checkout migration commit
git checkout 039d1eadfcf50b4fd82a59f723b4a6d39c0af767
# Review and run the migration script
./generate-verification-metadata.sh
# Backup generated metadata
mv gradle/verification-metadata.xml{,.bak}
# Checkout the next commit
git reset --hard
git checkout cfddb94df111bd91ae67ad5ccbc7288672d48022
# Compare your generated metadata with the committed version
diff gradle/verification-metadata.xml{,.bak}
```

If the files match, the migration is confirmed.

## Step 2: Review SHA-256 generation

Commit 1f255ae7be952514cfd1e32f9aac29d773439b62 adds SHA-256 checksums for artifacts not previously verified.

Because the migration script preserved line order consistent with Gradle’s `--write-verification-metadata` output, this commit **only adds** new entries, it does **not** modify or remove existing ones.

## Step 3: Build verification

To confirm that dependency verification works end-to-end:

```bash
./gradlew check
```

This ensures the build succeeds with the new verification metadata enabled.

# Checklist

Please review the following and check all that apply:

- [x] I have reviewed the guidelines for [How to Contribute](https://github.com/apache/solr/blob/main/CONTRIBUTING.md) and my code conforms to the standards described there to the best of my ability.
- [x] I have created a Jira issue and added the issue ID to my pull request title.
- [x] I have given Solr maintainers [access](https://help.github.com/en/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork) to contribute to my PR branch. (optional but recommended, not available for branches on forks living under an organisation)
- [x] I have developed this patch against the `main` branch.
- [x] I have run `./gradlew check`.
- [x] I have added tests for my changes.
- [ ] I have added documentation for the [Reference Guide](https://github.com/apache/solr/tree/main/solr/solr-ref-guide)
- [ ] I have added a [changelog entry](https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc) for my change
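The review steps above rest on two checks a reviewer can automate: that the SHA-256 commit only adds entries to `gradle/verification-metadata.xml` (Step 2), and that entries marked “Generated by Gradle” are the TOFU ones still needing a cross-check against an upstream checksum. The script below is an added example, not part of this PR or of Solr’s build tooling. It parses Gradle’s verification-metadata format (the `https://schema.gradle.org/dependency-verification` namespace with `component`/`artifact`/`sha1`/`sha256` elements and the `origin` attribute), diffs two metadata documents, lists TOFU entries, and verifies a local artifact’s bytes against every checksum recorded for it. The component names, artifact bytes, placeholder checksums and the `solr/licenses` origin label in the sample data are constructed for the example.

```python
"""Reviewer helper for Gradle verification-metadata.xml (constructed example,
not part of the Solr PR): diff two metadata documents to confirm a commit only
adds entries, list TOFU ("Generated by Gradle") entries that still need an
upstream cross-check, and verify a local artifact against its checksums."""
import hashlib
import xml.etree.ElementTree as ET

NS = {"v": "https://schema.gradle.org/dependency-verification"}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def load_checksums(xml_text):
    """Map (group, name, version, artifact, algo) -> (hex value, origin)."""
    root = ET.fromstring(xml_text)
    out = {}
    for comp in root.findall("v:components/v:component", NS):
        key = (comp.get("group"), comp.get("name"), comp.get("version"))
        for art in comp.findall("v:artifact", NS):
            for algo in ALGOS:
                for node in art.findall(f"v:{algo}", NS):
                    out[key + (art.get("name"), algo)] = (
                        node.get("value").lower(), node.get("origin", ""))
    return out


def diff_metadata(old_xml, new_xml):
    """Classify entries as added / removed / changed between two documents.
    A commit that 'only adds' must yield empty 'removed' and 'changed'."""
    old, new = load_checksums(old_xml), load_checksums(new_xml)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted(k for k in old if k in new and old[k][0] != new[k][0]),
    }


def tofu_entries(xml_text, marker="Generated by Gradle"):
    """Entries whose origin says they were trusted on first use."""
    return sorted(k for k, (_, origin) in load_checksums(xml_text).items()
                  if origin == marker)


def verify_artifact(xml_text, group, name, version, artifact, data):
    """True only if every checksum recorded for the artifact matches `data`.
    An artifact with no entry at all is unverified and returns False."""
    entries = load_checksums(xml_text)
    matched = 0
    for algo in ALGOS:
        rec = entries.get((group, name, version, artifact, algo))
        if rec is None:
            continue
        if hashlib.new(algo, data).hexdigest() != rec[0]:
            return False
        matched += 1
    return matched > 0


# --- constructed sample data (not real Solr artifacts or checksums) ---
SAMPLE_JAR = b"constructed sample artifact bytes\n"
JAR_SHA1 = hashlib.sha1(SAMPLE_JAR).hexdigest()
JAR_SHA256 = hashlib.sha256(SAMPLE_JAR).hexdigest()
PLACEHOLDER = "0" * 64  # stands in for checksums we do not compute here


def _doc(components):
    return (f'<verification-metadata xmlns="{NS["v"]}">'
            '<configuration><verify-metadata>true</verify-metadata></configuration>'
            f'<components>{components}</components></verification-metadata>')


# Step-1 state: only the legacy SHA-1 migrated from solr/licenses.
OLD_XML = _doc(
    '<component group="org.example" name="lib" version="1.0">'
    f'<artifact name="lib-1.0.jar"><sha1 value="{JAR_SHA1}" origin="solr/licenses"/></artifact>'
    '</component>')

# Step-2 state: SHA-256 added for the jar, plus a POM and a plugin, all TOFU.
NEW_XML = _doc(
    '<component group="org.example" name="lib" version="1.0">'
    f'<artifact name="lib-1.0.jar"><sha1 value="{JAR_SHA1}" origin="solr/licenses"/>'
    f'<sha256 value="{JAR_SHA256}" origin="Generated by Gradle"/></artifact>'
    f'<artifact name="lib-1.0.pom"><sha256 value="{PLACEHOLDER}" origin="Generated by Gradle"/></artifact>'
    '</component>'
    '<component group="org.example" name="plugin" version="2.0">'
    f'<artifact name="plugin-2.0.jar"><sha256 value="{PLACEHOLDER}" origin="Generated by Gradle"/></artifact>'
    '</component>')

# What a bad commit would look like: an existing checksum silently rewritten.
TAMPERED_XML = NEW_XML.replace(JAR_SHA1, "1" * 40)

if __name__ == "__main__":
    d = diff_metadata(OLD_XML, NEW_XML)
    print(f"added={len(d['added'])} removed={len(d['removed'])} changed={len(d['changed'])}")
    print("TOFU entries to cross-check:", len(tofu_entries(NEW_XML)))
    print("jar verifies:", verify_artifact(
        NEW_XML, "org.example", "lib", "1.0", "lib-1.0.jar", SAMPLE_JAR))
```

Run against the two committed versions of `gradle/verification-metadata.xml`, `diff_metadata` gives a machine-checked answer to the Step 2 claim (non-empty `removed` or `changed` lists mean the commit did more than add entries), and `tofu_entries` yields the list of checksums whose only provenance is the first download.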
