Gradle artifact not signed

Daniel_Svensson · November 22, 2024, 7:44am

The latest release does not include signatures which keeps this plugin locked out from Gradle Dependency Verification workflow. Almost all living projects are signed nowadays, Sonar ought to be as well.

https://docs.gradle.org/current/userguide/dependency_verification.html
https://plugins.gradle.org/m2/org/sonarqube/org.sonarqube.gradle.plugin/6.0.0.5145/

This means that users of Sonar are required to update the checksum in verification-metadata.xml every single update instead of just accepting a dependabot PR that passes CI execution. Please fix.

Dorian_Burihabwa · November 26, 2024, 9:24am

Hey @Daniel_Svensson,
Welcome to the community and thank you very much for this feedback!

I created a ticket to track the issue.
We cannot commit exactly when this will be tackled, but we will be looking at it soon.

Cheers,

Dorian

Topic		Replies	Views
Gradle Plugin attempts to download from Bintray (broken as of 2021-11-09) SonarQube Server / Community Build gradle , scanner , ssl	3	1077	November 15, 2021
Gradle build fails due to `org.sonarsource.parent:parent:52` artifact missing in plugins.gradle.org Maven repo SonarQube Cloud scanner	3	1544	October 20, 2020
Sonarqube Gradle plugin and Composite Builds SonarQube Server / Community Build	6	1471	August 1, 2024
Sonar Scanner via sonarqube gradle plugin - huge performance drop since Version 4.3 SonarQube Server / Community Build gradle , scanner	2	442	December 20, 2023
SonarScan for gradle, empty scan results SonarQube Server / Community Build	10	34	December 11, 2024

Gradle artifact not signed

Related topics