From aab511f11b7011af2a877af82701ebf6c5b7d077 Mon Sep 17 00:00:00 2001 From: Moxie Marlinspike Date: Thu, 5 Jun 2014 10:23:42 -0700 Subject: [PATCH] Updated readme --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index f24711d..3fd8267 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ A gradle plugin that enables static verification for remote dependencies. -Build systems like gradle and maven allow one to specify dependencies on versioned artifacts. An +Build systems like gradle and maven allow one to specify dependencies for versioned artifacts. An Android project might list dependencies like this: dependency { @@ -71,7 +71,7 @@ is later compromised, an attacker won't be able to undetectably modify these art ## Using Witness Unfortunately, it doesn't make sense to publish `gradle-witness` as an artifact, since that -creates a bootstrapping problem. To use, `gradle-witness`, the jar needs to be built and included +creates a bootstrapping problem. To use `gradle-witness`, the jar needs to be built and included in your project: $ git clone https://github.com/WhisperSystems/gradle-witness.git @@ -92,6 +92,8 @@ It might look something like: } } + apply plugin: 'witness' + At this point you can use `gradle-witness` in your project. If you're feeling "trusting on first use," you can have `gradle-witness` calculate the sha256sum for all your project's dependencies (and transitive dependencies!) for you: @@ -122,4 +124,4 @@ Running `gradle -q calculateChecksums` will print: ...which you can then include directly below the `dependency` definition in the project's `build.gradle`. And that's it! From then on, running a standard `gradle build` will verify the integrity of -the project's dependencies. \ No newline at end of file +the project's dependencies.
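Review bot: in the first hunk (`@@ -2,7 +2,7 @@`), changing "dependencies on versioned artifacts" to "dependencies for versioned artifacts" shifts the meaning. A project depends on an artifact, whereas "dependencies for" an artifact reads as the artifact's own dependencies. I would keep the original "on".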
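Review bot: in the second hunk (`@@ -71,7 +71,7 @@`), the `git clone https://github.com/WhisperSystems/gradle-witness.git` step in the trailing context gives no revision to check out, so the jar is built from whatever the default branch holds at clone time. The paragraph being edited says building the jar yourself is the answer to the bootstrapping problem, so the README should tell the reader to check out a specific revision they have reviewed before building. That way the verifier is pinned in the same way as the dependencies it checks. The comma fix itself is fine.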
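Review bot: in the third hunk (`@@ -92,6 +92,8 @@`), the added `apply plugin: 'witness'` line sits after the closing braces of the example with no accompanying text. Add a sentence before "At this point you can use `gradle-witness` in your project" stating that the plugin must be applied in addition to the block above it, and in which `build.gradle` the line belongs, so that readers who followed the earlier version of the README know what to add.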
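Review bot: in the last hunk (`@@ -122,4 +124,4 @@`), the context sentence tells the reader to paste the output "directly below the `dependency` definition", and the example in the first hunk's context opens with `dependency {`, but Gradle's block is named `dependencies`. Since this commit is already a wording pass over the README, rename both so the snippet can be copied into a `build.gradle` unchanged. The trailing-newline fix looks good.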