Gradle signature verification fails when gradle module metadata uses a relative path redirect #28862
Labels
a:bug
in:dependency-verification
trustkey truststore checksum signature
👋 team-triage
Issues that need to be triaged by a specific team
Current Behavior
Guava started publishing artifacts with gradle module metadata. Their metadata uses
in https://repo1.maven.org/maven2/com/google/guava/guava/32.1.3-android/guava-32.1.3-android.module for making sure that consumers get the correct variant.
Gradle signature verification fails in such a "swap". It does not even seem to find .asc file as it only does checksum verification.
Expected Behavior
Signature verification passes as
../32.1.3-jre/guava-32.1.3-jre.jar.asc
exists and is validContext (optional)
Additional details in the guava tracker google/guava#7154
Steps to Reproduce
Gradle version
8.7
Build scan URL (optional)
https://scans.gradle.com/s/bcgzjbu55sm7y
Your Environment (optional)
No response
The text was updated successfully, but these errors were encountered: