Trust unsigned files so that the 'components' section is empty

jjohannes · jjohannes · commit e85a2d4ee354 · 2025-11-07T14:20:07.000+01:00
This is closer to how it should eventually be. Ideally, all artifacts
would be signed and we would solely rely on signature verification.
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml
@@ -2,14 +2,17 @@
 <verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.3.xsd">
    <configuration>
       <verify-metadata>false</verify-metadata>
-      <!-- use 'TRUE' instead of 'true' so that Renovate ignores it -->
+      <!-- use 'TRUE' instead of 'true' so that Renovate ignores it: https://github.com/renovatebot/renovate/discussions/39029 -->
       <verify-signatures>TRUE</verify-signatures>
       <keyring-format>armored</keyring-format>
       <key-servers enabled="false"/>
       <trusted-artifacts>
          <trust file=".*-javadoc[.]jar" regex="true"/>
          <trust file=".*-sources[.]jar" regex="true"/>
          <trust file="^gradle-\d+\.\d+(?:\.\d+)?(?:-(?:rc|milestone)-\d+)?-src\.zip$" regex="true"/>
+         <!-- explicitly trust unsigned artifacts -->
+         <trust file="asciidoctor-gradle-base-4.0.5.jar"/>
+         <trust file="asciidoctor-gradle-jvm-4.0.5.jar"/>
       </trusted-artifacts>
       <trusted-keys>
          <!-- BUILD: CONVENTIONS -->
@@ -132,15 +135,5 @@
       </trusted-keys>
    </configuration>
    <components>
-      <component group="org.asciidoctor" name="asciidoctor-gradle-base" version="4.0.5">
-         <artifact name="asciidoctor-gradle-base-4.0.5.jar">
-            <md5 value="64435768c6cb3a803af61ea632f0bd93" origin="Downloaded the file from https://plugins.gradle.org/m2/org/asciidoctor/asciidoctor-gradle-base/4.0.5 and generated the checksum locally" reason="Artifact is not signed"/>
-         </artifact>
-      </component>
-      <component group="org.asciidoctor" name="asciidoctor-gradle-jvm" version="4.0.5">
-         <artifact name="asciidoctor-gradle-jvm-4.0.5.jar">
-            <md5 value="46c3fea67502a15834e020f185775c60" origin="Downloaded the file from https://plugins.gradle.org/m2/org/asciidoctor/asciidoctor-gradle-jvm/4.0.5 and generated the checksum locally" reason="Artifact is not signed"/>
-         </artifact>
-      </component>
    </components>
 </verification-metadata>
