Difference between revisions of "Adding Dependencies to fdroidclient"

From F-Droid
Latest revision as of 00:45, 5 February 2016

When adding new 3rd party dependencies to the fdroidclient project, the SHA256 sum of each dependency needs to be added to the build file. This ensures that anyone building fdroidclient does not end up with incorrect dependencies in the build, whether they were substituted maliciously or by mistake.

This works through the "dependencyVerification" block in the F-Droid/build.gradle file. At the time of writing it looks like this:

 dependencyVerification {
   verify = [
     'com.android.support:support-v4:c62f0d025dafa86f423f48df9185b0d89496adbc5f6a9be5a7c394d84cf91423',
     'com.android.support:appcompat-v7:4b5ccba8c4557ef04f99aa0a80f8aa7d50f05f926a709010a54afd5c878d3618',
     'com.android.support:support-annotations:104f353b53d5dd8d64b2f77eece4b37f6b961de9732eb6b706395e91033ec70a',
     'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
     'com.google.zxing:core:b4d82452e7a6bf6ec2698904b332431717ed8f9a850224f295aec89de80f2259',
     'eu.chainfire:libsuperuser:952c5fc82f9c31d31d2b6a7054ee267dac1685fb037a254888c73c48de661eaf',
     'cc.mvdan.accesspoint:library:dc89a085d6bc40381078b8dd7776b12bde0dbaf8ffbcddb17ec4ebc3edecc7ba',
     'commons-net:commons-net:38cf2eca826b8bcdb236fc1f2e79e0c6dd8e7e0f5c44a3b8e839a1065b2fbe2e',
     'org.openhab.jmdns:jmdns:7a4b34b5606bbd2aff7fdfe629edcb0416fccd367fb59a099f210b9aba4f0bce',
     'com.madgag.spongycastle:pkix:6aba9b2210907a3d46dd3dcac782bb3424185290468d102d5207ebdc9796a905',
     'com.madgag.spongycastle:prov:029f26cd6b67c06ffa05702d426d472c141789001bcb15b7262ed86c868e5643',
     'com.madgag.spongycastle:core:9b6b7ac856b91bcda2ede694eccd26cefb0bf0b09b89f13cda05b5da5ff68c6b',
     'ch.acra:acra:d8ef3b76760e3faf7fe0ea0231fbe98e57f8f06ed3b86c877e6aa95bbc188aac',
   ]
 }

Adding new dependencies

When adding a new dependency, its hash must be added to this list. To do this:

1) Remove shasum lines from build.gradle

2) Update/add dependencies using the following commands:

 gradle assembleDebug
 gradle -q calculateChecksums

3) Undo shasum line removal and pick new hashes from the output above
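
Step 3 is easier to review with a comparison of the committed list against the freshly calculated one. The following is an added example, not part of the fdroidclient project. It assumes the calculateChecksums output lists entries in the same 'group:name:sha256' form as the verify list; the org.example:newlib dependency and the two repeated-byte hashes are constructed sample values.

```python
import re

# One verify entry: 'group:name:<64 hex chars>' (format taken from the list above).
ENTRY = re.compile(r"'([^':]+):([^':]+):([0-9a-fA-F]{64})'")

def parse_entries(text):
    """Return {'group:name': sha256} for every verify entry found in text."""
    return {f"{g}:{n}": h.lower() for g, n, h in ENTRY.findall(text)}

def compare(committed_text, calculated_text):
    """Classify dependencies by comparing committed hashes with recalculated ones."""
    old, new = parse_entries(committed_text), parse_entries(calculated_text)
    return {
        "unchanged": sorted(k for k in new if old.get(k) == new[k]),
        "added": sorted(k for k in new if k not in old),
        # Same coordinate, different artifact: expected only after a version bump.
        "changed": sorted(k for k in new if k in old and old[k] != new[k]),
        "removed": sorted(k for k in old if k not in new),
    }

ZXING = "b4d82452e7a6bf6ec2698904b332431717ed8f9a850224f295aec89de80f2259"  # from the page
ACRA = "d8ef3b76760e3faf7fe0ea0231fbe98e57f8f06ed3b86c877e6aa95bbc188aac"   # from the page
CHANGED_HASH = "cd" * 32  # constructed sample value
NEW_HASH = "ab" * 32      # constructed; org.example:newlib is hypothetical

# Constructed stand-in for the committed build.gradle block.
COMMITTED = f"""
dependencyVerification {{
  verify = [
    'com.google.zxing:core:{ZXING}',
    'ch.acra:acra:{ACRA}',
  ]
}}
"""
# Constructed stand-in for the output of `gradle -q calculateChecksums`.
CALCULATED = f"""
    'com.google.zxing:core:{ZXING}',
    'ch.acra:acra:{CHANGED_HASH}',
    'org.example:newlib:{NEW_HASH}',
"""

if __name__ == "__main__":
    for status, coords in compare(COMMITTED, CALCULATED).items():
        for coord in coords:
            print(f"{status:9} {coord}")
```

An entry reported as "changed" deserves a second look before its new hash is committed: the verify entries carry no version, so the hash is the only record of which artifact was reviewed.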