Adding Dependencies to fdroidclient

From F-Droid
Revision as of 00:45, 5 February 2016 by Pserwylo (Talk | contribs)


When adding new third-party dependencies to the fdroidclient project, the SHA256 sum of each dependency needs to be added to the build file. This ensures that people building fdroidclient do not end up with incorrect dependencies, substituted maliciously or by mistake, in the software they build.

This works by using the "dependencyVerification" block in the F-Droid/build.gradle file. At the time of writing it looks like this:

 dependencyVerification {
   verify = [
     'com.android.support:support-v4:c62f0d025dafa86f423f48df9185b0d89496adbc5f6a9be5a7c394d84cf91423',
     'com.android.support:appcompat-v7:4b5ccba8c4557ef04f99aa0a80f8aa7d50f05f926a709010a54afd5c878d3618',
     'com.android.support:support-annotations:104f353b53d5dd8d64b2f77eece4b37f6b961de9732eb6b706395e91033ec70a',
     'com.nostra13.universalimageloader:universal-image-loader:dbd5197ffec3a8317533190870a7c00ff3750dd6a31241448c6a5522d51b65b4',
     'com.google.zxing:core:b4d82452e7a6bf6ec2698904b332431717ed8f9a850224f295aec89de80f2259',
     'eu.chainfire:libsuperuser:952c5fc82f9c31d31d2b6a7054ee267dac1685fb037a254888c73c48de661eaf',
     'cc.mvdan.accesspoint:library:dc89a085d6bc40381078b8dd7776b12bde0dbaf8ffbcddb17ec4ebc3edecc7ba',
     'commons-net:commons-net:38cf2eca826b8bcdb236fc1f2e79e0c6dd8e7e0f5c44a3b8e839a1065b2fbe2e',
     'org.openhab.jmdns:jmdns:7a4b34b5606bbd2aff7fdfe629edcb0416fccd367fb59a099f210b9aba4f0bce',
     'com.madgag.spongycastle:pkix:6aba9b2210907a3d46dd3dcac782bb3424185290468d102d5207ebdc9796a905',
     'com.madgag.spongycastle:prov:029f26cd6b67c06ffa05702d426d472c141789001bcb15b7262ed86c868e5643',
     'com.madgag.spongycastle:core:9b6b7ac856b91bcda2ede694eccd26cefb0bf0b09b89f13cda05b5da5ff68c6b',
     'ch.acra:acra:d8ef3b76760e3faf7fe0ea0231fbe98e57f8f06ed3b86c877e6aa95bbc188aac',
   ]
 }

Adding new dependencies

When adding a new dependency, its hash must be added to this list. To do this:

1) Remove shasum lines from build.gradle

2) Update/add dependencies using the following commands:

 gradle assembleDebug
 gradle -q calculateChecksums

3) Undo the shasum line removal and pick the new hashes from the output of the commands above
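
When picking hashes in step 3, it helps to see which pins are new and which belong to dependencies that were already pinned but now hash differently. The script below is an added example, not part of the original page or of fdroidclient; `compare_pins`, `demo` and the sample coordinates are hypothetical, and it assumes `gradle -q calculateChecksums` prints entries in the same `'group:name:sha256',` form as the verify list.

```shell
#!/bin/sh
# Added example, not fdroidclient code. Assumption: `gradle -q calculateChecksums`
# prints pins in the same 'group:name:sha256', form as the verify list.

# compare_pins OLD NEW: classify each pin in NEW against the pins in OLD.
# Non-pin lines are skipped, so OLD may be a whole build.gradle file.
# Returns 1 if an already pinned dependency now has a different hash.
compare_pins() {
    awk -F"'" '
        NF >= 3 {
            n = split($2, p, ":")
            if (n != 3 || length(p[3]) != 64 || p[3] !~ /^[0-9a-f]+$/) next
            coord = p[1] ":" p[2]
            if (pass == 1) { old[coord] = p[3]; next }
            seen[coord] = 1
            if (!(coord in old))         print "NEW", coord, p[3]
            else if (old[coord] == p[3]) print "SAME", coord
            else { print "CHANGED", coord, old[coord], "->", p[3]; changed = 1 }
        }
        END {
            for (c in old) if (!(c in seen)) print "REMOVED", c
            exit changed + 0
        }
    ' pass=1 "$1" pass=2 "$2"
}

# Constructed sample input: coordinates and hashes are placeholders.
demo() {
    dir=$(mktemp -d)
    a=$(printf '%064d' 1); b=$(printf '%064d' 2); c=$(printf '%064d' 3)
    # Stand-in for the verify list saved before step 1.
    printf "  '%s',\n" "com.example:lib-one:$a" "com.example:lib-two:$b" \
        > "$dir/committed.txt"
    # Stand-in for the output of `gradle -q calculateChecksums`.
    printf "  '%s',\n" "com.example:lib-one:$a" "com.example:lib-two:$c" \
        "org.example:lib-new:$b" > "$dir/calculated.txt"
    status=0
    compare_pins "$dir/committed.txt" "$dir/calculated.txt" || status=$?
    rm -rf "$dir"
    return "$status"
}

demo || echo "CHANGED entries need review before build.gradle is updated"
```

A CHANGED line is expected only for a dependency whose version was deliberately updated; for any other dependency it means the downloaded artifact differs from the one previously pinned.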