javier/Stirling-PDF
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

verify dependencies (#2712)

Browse Source 
# Description

Please provide a summary of the changes, including relevant motivation
and context.

Closes #(issue_number)

## Checklist

- [ ] I have read the [Contribution
Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md)
- [ ] I have performed a self-review of my own code
- [ ] I have attached images of the change if it is UI based
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] If my code has heavily changed functionality I have updated
relevant docs on [Stirling-PDFs doc
repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/)
- [ ] My changes generate no new warnings
- [ ] I have read the section [Add New Translation
Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/HowToAddNewLanguage.md#add-new-translation-tags)
(for new translation tags only)
This commit is contained in:
Anthony Stirling
2025-01-16 11:13:21 +00:00
committed by GitHub
parent 313116ebcb
commit fc40aaca63
3 changed files with 7084 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
DeveloperGuide.md
View File

@@ -575,3 +575,42 @@ In your Thymeleaf templates, use the `#{key}` syntax to reference the new transl
```
Remember, never hard-code text in your templates or Java code. Always use translation keys to ensure proper localization.
## Managing Dependencies
When adding new dependencies or updating existing ones in Stirling-PDF, follow these steps to ensure proper verification and security:
1. Update the dependency in `build.gradle`:
```groovy
dependencies {
// Add or update your dependency
implementation "com.example:new-library:1.2.3"
}
```
2. Generate new verification metadata and keys:
```bash
# Generate verification metadata with signatures and checksums
./gradlew clean dependencies buildEnvironment --write-verification-metadata sha256,pgp
# Export the .keys file
./gradlew --export-keys
```
3. Files to commit:
- `build.gradle` - Your dependency changes
- `gradle/verification-metadata.xml` - Contains verification rules and checksums
- `gradle/verification-keyring.keys` - Contains PGP keys in text format
4. Verify the build works with the new verification:
```bash
./gradlew build
```
5. Before committing, check:
- Verify any new BOM files are properly handled in verification metadata
- Review the changes in `verification-metadata.xml` to ensure they match your dependency updates
This ensures dependencies are properly verified and secure while maintaining transparency in the repository.