verify

2025-01-15 22:33:40 +00:00
parent 313116ebcb
commit 481fdd60bf
3 changed files with 7084 additions and 0 deletions
--- a/DeveloperGuide.md
+++ b/DeveloperGuide.md
@@ -575,3 +575,42 @@ In your Thymeleaf templates, use the `#{key}` syntax to reference the new transl
 ```

 Remember, never hard-code text in your templates or Java code. Always use translation keys to ensure proper localization.
+
+
+## Managing Dependencies
+
+When adding new dependencies or updating existing ones in Stirling-PDF, follow these steps to ensure proper verification and security:
+
+1. Update the dependency in `build.gradle`:
+```groovy
+dependencies {
+    // Add or update your dependency
+    implementation "com.example:new-library:1.2.3"
+}
+```
+
+2. Generate new verification metadata and keys:
+```bash
+# Generate verification metadata with signatures and checksums
+./gradlew clean dependencies buildEnvironment --write-verification-metadata sha256,pgp
+
+# Export the .keys file 
+./gradlew --export-keys
+```
+
+3. Files to commit:
+   - `build.gradle` - Your dependency changes
+   - `gradle/verification-metadata.xml` - Contains verification rules and checksums
+   - `gradle/verification-keyring.keys` - Contains PGP keys in text format
+
+4. Verify the build works with the new verification:
+```bash
+./gradlew build
+```
+
+5. Before committing, check:
+   - Verify any new BOM files are properly handled in verification metadata
+   - Review the changes in `verification-metadata.xml` to ensure they match your dependency updates
+
+This ensures dependencies are properly verified and secure while maintaining transparency in the repository.
+