Gradle artifact not signed

The latest release does not include signatures, which keeps this plugin locked out of the Gradle Dependency Verification workflow. Almost all living projects are signed nowadays; Sonar ought to be as well.

https://docs.gradle.org/current/userguide/dependency_verification.html
https://plugins.gradle.org/m2/org/sonarqube/org.sonarqube.gradle.plugin/6.0.0.5145/

This means that users of Sonar are required to update the checksum in verification-metadata.xml every single update instead of just accepting a Dependabot PR that passes CI execution. Please fix.

1 Like
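
An added example, not part of the original post and not Sonar's or Gradle's own tooling: a small audit script that reads a `verification-metadata.xml` and lists the components no trusted key covers, which are the ones whose checksum has to be edited by hand on every version bump. The sample file, key id and checksum values are constructed placeholders, and only group-level scoping of trusted keys is considered.

```python
import re
import xml.etree.ElementTree as ET

NS = {"g": "https://schema.gradle.org/dependency-verification"}

# Constructed sample: the key id and checksums are placeholders, not real values.
SAMPLE = """<verification-metadata xmlns="https://schema.gradle.org/dependency-verification">
  <configuration>
    <verify-signatures>true</verify-signatures>
    <trusted-keys>
      <trusted-key id="PLACEHOLDER_KEY_FINGERPRINT" group="com.example.signed"/>
    </trusted-keys>
  </configuration>
  <components>
    <component group="com.example.signed" name="lib" version="1.2.3">
      <artifact name="lib-1.2.3.jar"><sha256 value="PLACEHOLDER_SHA256"/></artifact>
    </component>
    <component group="org.sonarqube" name="org.sonarqube.gradle.plugin" version="6.0.0.5145">
      <artifact name="org.sonarqube.gradle.plugin-6.0.0.5145.pom"><sha256 value="PLACEHOLDER_SHA256"/></artifact>
    </component>
  </components>
</verification-metadata>"""

def trusted_group_scopes(root):
    """Return (pattern, is_regex) for every group a trusted key is scoped to."""
    scopes = []
    for key in root.iterfind("g:configuration/g:trusted-keys/g:trusted-key", NS):
        # The scope sits on the key element itself or on nested <trusting> children.
        for el in [key, *key.iterfind("g:trusting", NS)]:
            if el.get("group"):
                scopes.append((el.get("group"), el.get("regex") == "true"))
    return scopes

def checksum_only_components(xml_text):
    """List group:name:version entries pinned by checksum with no trusted key for the group."""
    root = ET.fromstring(xml_text)
    scopes = trusted_group_scopes(root)
    pinned = []
    for comp in root.iterfind("g:components/g:component", NS):
        group = comp.get("group")
        covered = any(re.fullmatch(p, group) if rx else p == group for p, rx in scopes)
        if not covered:
            pinned.append(f"{group}:{comp.get('name')}:{comp.get('version')}")
    return pinned

if __name__ == "__main__":
    for coord in checksum_only_components(SAMPLE):
        print("checksum-only, needs manual update per release:", coord)
```
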

Hey @Daniel_Svensson,
Welcome to the community and thank you very much for this feedback!

I created a ticket to track the issue.
We cannot commit to exactly when this will be tackled, but we will be looking at it soon.

Cheers,

Dorian

1 Like