Update dependencies and enable dependency verification in Gradle

Here's another attempt to enable Gradle dependency verification. I've tried to do this a couple of times before, but always ran into issues. With a helper script borrowed from a different project, hopefully this will finally work reliably. Every time we update Gradle or a dependency, the script I mentioned needs to be run to update the list of checksums. The script runs the build, the tests and the instrumented tests. This is necessary because apparently Gradle is not able to discover all dependencies without actually running the build tasks. It's a little bit annoying that this Gradle feature is so half-baked that we need a helper script to make things work, but I think it's worth it.
2025-06-18 15:15:25 +00:00 · 2024-03-24 15:18:56 +01:00 · 2024-03-24 15:18:56 +01:00 · 004cfbed4e
commit 004cfbed4e
parent 3c124deae1
6 changed files with 3897 additions and 111 deletions
--- a/app/build.gradle
+++ b/app/build.gradle
@ -133,10 +133,10 @@ aboutLibraries {
 }

 dependencies {
-    def cameraxVersion = '1.3.1'
+    def cameraxVersion = '1.3.2'
    def glideVersion = '4.16.0'
-    def guavaVersion = '33.0.0'
-    def hiltVersion = '2.50'
+    def guavaVersion = '33.1.0'
+    def hiltVersion = '2.51.1'
    def junitVersion = '4.13.2'
    def libsuVersion = '5.2.2'

@ -154,7 +154,7 @@ dependencies {
    implementation "androidx.core:core:1.12.0"
    implementation 'androidx.constraintlayout:constraintlayout:2.1.4'
    implementation 'androidx.documentfile:documentfile:1.0.1'
-    implementation "androidx.lifecycle:lifecycle-process:2.6.2"
+    implementation "androidx.lifecycle:lifecycle-process:2.7.0"
    implementation "androidx.preference:preference:1.2.1"
    implementation 'androidx.recyclerview:recyclerview:1.3.2'
    implementation "androidx.viewpager2:viewpager2:1.0.0"
@ -171,18 +171,18 @@ dependencies {
    implementation "com.github.topjohnwu.libsu:io:${libsuVersion}"
    implementation "com.google.guava:guava:${guavaVersion}-android"
    implementation 'com.google.android.material:material:1.11.0'
-    implementation 'com.google.protobuf:protobuf-javalite:3.25.1'
-    implementation 'com.google.zxing:core:3.5.2'
-    implementation("com.mikepenz:aboutlibraries:11.1.0") {
+    implementation 'com.google.protobuf:protobuf-javalite:4.26.1'
+    implementation 'com.google.zxing:core:3.5.3'
+    implementation('com.mikepenz:aboutlibraries:11.1.1') {
        exclude group: 'com.mikepenz', module: 'aboutlibraries-core'
    }
-    implementation "com.mikepenz:aboutlibraries-core-android:11.1.0"
-    implementation 'com.nulab-inc:zxcvbn:1.8.2'
+    implementation 'com.mikepenz:aboutlibraries-core-android:11.1.1'
+    implementation 'com.nulab-inc:zxcvbn:1.9.0'
    implementation 'de.hdodenhof:circleimageview:3.1.0'
    implementation 'net.lingala.zip4j:zip4j:2.11.5'
    implementation 'info.guardianproject.trustedintents:trustedintents:0.2'
-    implementation 'org.bouncycastle:bcprov-jdk18on:1.77'
-    implementation "org.simpleflatmapper:sfm-csv:8.2.3"
+    implementation 'org.bouncycastle:bcprov-jdk18on:1.78'
+    implementation 'org.simpleflatmapper:sfm-csv:9.0.0'

    androidTestAnnotationProcessor "com.google.dagger:hilt-android-compiler:$hiltVersion"
    androidTestImplementation "com.google.dagger:hilt-android-testing:$hiltVersion"
@ -199,8 +199,8 @@ dependencies {
    testImplementation 'androidx.test:core:1.5.0'
    testImplementation "com.google.guava:guava:${guavaVersion}-jre"
    testImplementation "junit:junit:${junitVersion}"
-    testImplementation 'org.json:json:20231013'
-    testImplementation 'org.robolectric:robolectric:4.11.1'
+    testImplementation 'org.json:json:20240303'
+    testImplementation 'org.robolectric:robolectric:4.12.1'

    coreLibraryDesugaring 'com.android.tools:desugar_jdk_libs:2.0.4'
 }
--- a/app/src/main/res/raw/aboutlibraries.json
+++ b/app/src/main/res/raw/aboutlibraries.json
--- a/build.gradle
+++ b/build.gradle
@ -6,8 +6,8 @@ buildscript {
        google()
    }
    dependencies {
-        classpath 'com.android.tools.build:gradle:8.2.0'
-        classpath 'com.google.dagger:hilt-android-gradle-plugin:2.50'
+        classpath 'com.android.tools.build:gradle:8.3.1'
+        classpath 'com.google.dagger:hilt-android-gradle-plugin:2.51.1'
        classpath 'com.google.protobuf:protobuf-gradle-plugin:0.9.4'

        // NOTE: Do not place your application dependencies here; they belong
@ -21,8 +21,8 @@ plugins {

 allprojects {
    repositories {
-        mavenCentral()
        google()
+        mavenCentral()
        maven { url 'https://jitpack.io' }
        maven {
            url 'https://jcenter.bintray.com'
--- a/gradle/update_verification.py
+++ b/gradle/update_verification.py
@ -0,0 +1,127 @@
+#!/usr/bin/env python3
+
+# Based on: https://github.com/chenxiaolong/BCR/blob/6f1f30cf89f7d564870fe61791a490649cfb0ea0/gradle/update_verification.py
+# License: GPL-3.0
+
+import hashlib
+import io
+import os
+import subprocess
+import sys
+import tempfile
+import urllib.request
+import xml.etree.ElementTree as ET
+
+
+GOOGLE_MAVEN_REPO = 'https://dl.google.com/android/maven2'
+
+
+def add_source_exclusions(ns, root):
+    configuration = root.find(f'{{{ns}}}configuration')
+    trusted_artifacts = ET.SubElement(
+        configuration, f'{{{ns}}}trusted-artifacts')
+
+    for regex in [
+        r'.*-javadoc[.]jar',
+        r'.*-sources[.]jar',
+        r'.*-src[.]zip',
+    ]:
+        ET.SubElement(trusted_artifacts, f'{{{ns}}}trust', attrib={
+            'file': regex,
+            'regex': 'true',
+        })
+
+
+def add_missing_aapt2_platforms(ns, root):
+    components = root.find(f'{{{ns}}}components')
+    aapt2 = components.find(f'{{{ns}}}component[@name="aapt2"]')
+
+    for platform in ['linux', 'osx', 'windows']:
+        group = aapt2.attrib['group']
+        name = aapt2.attrib['name']
+        version = aapt2.attrib['version']
+        filename = f'{name}-{version}-{platform}.jar'
+
+        if aapt2.find(f'{{{ns}}}artifact[@name="{filename}"]') is not None:
+            continue
+
+        path = f'{group.replace(".", "/")}/{name}/{version}/{filename}'
+        url = f'{GOOGLE_MAVEN_REPO}/{path}'
+
+        with urllib.request.urlopen(url) as r:
+            if r.status != 200:
+                raise Exception(f'{url} returned HTTP {r.status}')
+
+            digest = hashlib.file_digest(r, 'sha512')
+
+        artifact = ET.SubElement(aapt2, f'{{{ns}}}artifact',
+                                 attrib={'name': filename})
+
+        ET.SubElement(artifact, f'{{{ns}}}sha512', attrib={
+            'value': digest.hexdigest(),
+            'origin': 'Generated by Gradle',
+        })
+
+    aapt2[:] = sorted(aapt2, key=lambda child: child.attrib['name'])
+
+
+def patch_xml(path):
+    tree = ET.parse(path)
+    root = tree.getroot()
+
+    ns = 'https://schema.gradle.org/dependency-verification'
+    ET.register_namespace('', ns)
+
+    # Add exclusions to allow Android Studio to download sources.
+    add_source_exclusions(ns, root)
+
+    # Gradle only adds the aapt2 entry for the host OS. We have to manually add
+    # the checksums for the other major desktop OSs.
+    add_missing_aapt2_platforms(ns, root)
+
+    # Match gradle's formatting exactly.
+    ET.indent(tree, '   ')
+    root.tail = '\n'
+
+    with io.BytesIO() as f:
+        # etree's xml_declaration=True uses single quotes in the header.
+        f.write(b'<?xml version="1.0" encoding="UTF-8"?>\n')
+        tree.write(f)
+        serialized = f.getvalue().replace(b' />', b'/>')
+
+    with open(path, 'wb') as f:
+        f.write(serialized)
+
+
+def main():
+    root_dir = os.path.join(sys.path[0], '..')
+    xml_file = os.path.join(sys.path[0], 'verification-metadata.xml')
+
+    try:
+        os.remove(xml_file)
+    except FileNotFoundError:
+        pass
+
+    for tasks in [
+        ['build', 'connectedCheck'],
+        ['app:exportLibraryDefinitions', '-PaboutLibraries.exportPath=src/main/res/raw']]:
+
+        with tempfile.TemporaryDirectory() as temp_dir:
+            env = os.environ | {'GRADLE_USER_HOME': temp_dir}
+
+            subprocess.check_call(
+                [
+                    './gradlew' + ('.bat' if os.name == 'nt' else ''),
+                    '--write-verification-metadata', 'sha512',
+                    '--no-daemon',
+                    '--rerun-tasks'
+                ] + tasks,
+                env=env,
+                cwd=root_dir,
+            )
+
+    patch_xml(xml_file)
+
+
+if __name__ == '__main__':
+    main()
--- a/gradle/verification-metadata.xml
+++ b/gradle/verification-metadata.xml
--- a/gradle/wrapper/gradle-wrapper.properties
+++ b/gradle/wrapper/gradle-wrapper.properties
@ -1,6 +1,7 @@
 #Tue Aug 15 23:01:16 CEST 2023
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-8.2-bin.zip
+distributionSha256Sum=f2b9ed0faf8472cbe469255ae6c86eddb77076c75191741b4a462f33128dd419
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.4-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists