Commit aab511f1 authored by Moxie Marlinspike

Updated readme

parent 02ad7bc0
......@@ -2,7 +2,7 @@
A gradle plugin that enables static verification for remote dependencies.
Build systems like gradle and maven allow one to specify dependencies on versioned artifacts. An
Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An
Android project might list dependencies like this:
dependency {
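Review bot: the replacement wording "specify dependencies for versioned artifacts" reads less naturally than the original "dependencies on versioned artifacts", since a project depends on an artifact; I would keep "on". While this paragraph is being touched, two other things in the visible lines are worth fixing: "gradle" and "maven" are proper nouns and should be capitalised, and the example's opening line `dependency {` does not match Gradle's block name, which is `dependencies {`, so a reader who copies the example will not get a working build file.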
......@@ -71,7 +71,7 @@ is later compromised, an attacker won't be able to undetectably modify these art
## Using Witness
Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that
creates a bootstrapping problem. To use, `gradle-witness`, the jar needs to be built and included
creates a bootstrapping problem. To use `gradle-witness`, the jar needs to be built and included
in your project:
$ git clone https://github.com/WhisperSystems/gradle-witness.git
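Review bot: the `git clone` step under "Using Witness" names no tag or commit to check out, yet the paragraph just above it says the jar has to be built from source because of the bootstrapping problem, so whatever is cloned becomes the trust root for every later checksum check. Suggest the README name a specific release tag or commit to build from and say how the reader should confirm they have it. The comma removal in "To use `gradle-witness`," is correct.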
......@@ -92,6 +92,8 @@ It might look something like:
}
}
apply plugin: 'witness'
At this point you can use `gradle-witness` in your project. If you're feeling "trusting on first
use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies
(and transitive dependencies!) for you:
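Review bot: the `apply plugin: 'witness'` line at the end of the example has no sentence explaining why it is needed or where it belongs relative to the block closed by the two `}` lines above it. Suggest one sentence before "At this point you can use `gradle-witness`" stating that the plugin must be applied for the steps that follow to work. The "trusting on first use" paragraph could also say plainly that the calculated sums record whatever was downloaded on that run, so they are only as good as that first fetch.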
......@@ -122,4 +124,4 @@ Running `gradle -q calculateChecksums` will print:
...which you can then include directly below the `dependency` definition in the project's `build.gradle`.
And that's it! From then on, running a standard `gradle build` will verify the integrity of
the project's dependencies.
\ No newline at end of file
the project's dependencies.
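Review bot: the closing paragraph says a standard `gradle build` "will verify the integrity of the project's dependencies", but the README lines in this hunk never say what the reader sees when verification fails. Suggest adding a sentence on the failure behaviour (whether the build aborts and what the message looks like) so that a mismatch is recognised rather than worked around. The only change in this hunk is the end-of-file newline, which is fine.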