Gradle artifact not signed

Daniel_Svensson · November 22, 2024, 7:44am

The latest release does not include signatures which keeps this plugin locked out from Gradle Dependency Verification workflow. Almost all living projects are signed nowadays, Sonar ought to be as well.

https://docs.gradle.org/current/userguide/dependency_verification.html
https://plugins.gradle.org/m2/org/sonarqube/org.sonarqube.gradle.plugin/6.0.0.5145/

This means that users of Sonar are required to update the checksum in verification-metadata.xml every single update instead of just accepting a dependabot PR that passes CI execution. Please fix.

Dorian_Burihabwa · November 26, 2024, 9:24am

Hey @Daniel_Svensson,
Welcome to the community and thank you very much for this feedback!

I created a ticket to track the issue.
We cannot commit exactly when this will be tackled, but we will be looking at it soon.

Cheers,

Dorian

Topic		Replies	Views
Sonarcloud dependency-check is not working for gradle project SonarQube Cloud	3	630	June 27, 2023
Gradle Plugin attempts to download from Bintray (broken as of 2021-11-09) SonarQube Server / Community Build gradle , scanner , ssl	3	1081	November 15, 2021
Results are not uploaded in sonar after gradle scan SonarQube Server / Community Build	1	408	August 5, 2022
Gradle build fails due to `org.sonarsource.parent:parent:52` artifact missing in plugins.gradle.org Maven repo SonarQube Cloud scanner	3	1547	October 20, 2020
Sonarqube Gradle plugin and Composite Builds SonarQube Server / Community Build	6	1479	August 1, 2024

Gradle artifact not signed

Related topics