roughly Making use of distributionSha256Sum to Gradle and Android Studio

will cowl the newest and most present steering vis–vis the world. entrance slowly suitably you perceive skillfully and appropriately. will progress your information easily and reliably

Making use of distributionSha256Sum to Gradle and Android Studio

since i wrote about a supply chain attack Gradle Wrapper
Just a few days in the past I made a decision to verify Android Studio assist once more for
distributionSha256Sum. And the excellent news is that with Android Studio Electrical Eel, it appears to work effective… if you understand the restrictions.

primary configuration

In your gradle/wrapper/ file, there’s a
distributionUrl property that signifies which construct of Gradle must be downloaded and used to construct your mission:


you may add distributionSha256Sum to gradle/wrapper/ additionally. Will get the worth to your goal Gradle model of the gradle website. So, for instance, for the Gradle 7.5 binary-only ZIP, you will discover that the checksum is cb87f222c5585bd46838ad4db78463a5c5f3d336e5e2b98dc7c0c586527351c2. So the pairing
distributionSha256Sum line for the above distributionUrl line is:


This helps stop a Mars within the Center (MITM) assault that replaces the Gradle ZIP file with one which has been modified. If Android Studio or the Gradle Wrapper JAR file tries to obtain the ZIP from distributionUrland the ensuing ZIP file doesn’t have a SHA-256 checksum match distributionSha256Sum, Android Studio and Gradle will refuse to make use of it. Android Studio Electrical Eel provides you with output much like this within the Construct instrument:

Verification of Gradle distribution failed!

Your Gradle distribution could have been tampered with.
Affirm that the 'distributionSha256Sum' property in your file is right and you might be downloading the wrapper from a trusted supply.

 Distribution Url:
Obtain Location: /house/mmurphy/.gradle/wrapper/dists/gradle-7.5-bin/f1w0cc9nuo0eivz97x2xlu9sv/
Anticipated checksum: '6b47b85e791fa422b9b78bdfab7672dd934ff973d6e781ba98d972e844d91754'
  Precise checksum: 'cb87f222c5585bd46838ad4db78463a5c5f3d336e5e2b98dc7c0c586527351c2'

That very same message, minus the primary line, can even be generated by the Gradle Wrapper JAR.


The massive wrinkle with distributionSha256Sum is that it’s checked when downloading the Gradle model specified within the distributionUrl. In case you’ve already efficiently downloaded that model of Gradle earlier than, similar to by means of a mission that lacks distributionSha256Sum — no additional checks are carried out. So it is rather straightforward to suppose that distributionSha256Sum does not work, since you add it to a mission, enter an invalid checksum worth to check… and the mission nonetheless compiles. It’s essential to first delete the already downloaded Gradle distribution, forcing a brand new obtain. These are saved in ~/.gradle/wrapper/dists
on Linux and macOS (and presumably in an equal location on Home windows). This can be much less of a problem for CI methods that use new containers with every construct.


  • Android Studio templates aren’t provided distributionSha256Sum, which implies you are screwed from the get-go. When you have a brand new model of Android Studio, create a brand new mission that makes use of a brand new model of Gradle, as there isn’t a
    distributionSha256Sum within the generated file, there isn’t a checksum verify. And even when you add
    distributionSha256Sum your self manually later, you additionally you must manually clear the already downloaded Gradle to power a checksum verify. Because the SHA-256 hash is a recognized worth to the related distributionUrlit will be very helpful if the Android Studio templates included it.

  • When you have Android Studio, replace your file to level to a brand new Gradle model, it does not add distributionSha256Sum when you do not have already got it. Equally, you probably have distributionSha256Sum in it file already, when Android Studio adjustments
    distributionUrlit does
    No change companion distributionSha256Sum. You’ll get the error proven above and you have to to vary distributionSha256Sum by hand.

These limitations will make it troublesome to undertake distributionSha256Sum. It nonetheless appears like a helpful protection although, for these keen to get round these limitations.

— January 28, 2023