Update gradle-witness.jar

[devinbileck]

I have built a new gradle-witness.jar from our new official bisq fork at https://github.com/bisq-network/gradle-witness which includes fixes for the following:

• Prevent printing "Verifying ..." messages to the console.
• Replace deprecated Task.leftShift(Closure) method with Task.doLast(Action).

Resolves: #1897

[ripcurlx]

ACK - works for me locally. But I leave it for @cbeams to merge as he knows more about possible additional implications.

[ManfredKarrer]

I leave it to @cbeams as well.... not my expertise...

[cbeams]

Thanks, @devinbileck. To be cautious, we should think about how we know that updates to this jar are legit. For example, I just built the jar against the same commit using Gradle 4.10.2 / OpenJDK 10.0.2 and got the following result:

$ sum build/libs/gradle-witness.jar
54082 18 build/libs/gradle-witness.jar

Whereas when I sync up to your PR branch and run the same checksum, I get a different value:

$ sum gradle/witness/gradle-witness.jar
57838 18 gradle/witness/gradle-witness.jar

So, while I trust you simply built the jar as you claim, there's no way of knowing right now that it's actually a representation of the sources at that commit. i.e. it could contain a trojan horse.

Ideally, we should set up Travis CI in our new gradle-witness fork and print out a checksum at the end of the build, so that we have something objective to check against when the jar it produces is checked in here. That assumes that building this jar is deterministic under the same Gradle / JDK, and I think it should be. I unzipped the jar and checked for properties files with dates in them, etc, and I didn't see anything. So it should be possible to get the exact same checksum on different machines and operating systems.

In the meantime, let's just see if we can align on the same checksum between our two versions of the jar. Did you build with Gradle 4.10.2 / OpenJDK 10.0.2 as well? I'm committing a Gradle wrapper pinned to 4.10.2 to make it a little easier.

[devinbileck]

Excellent points. I thought I had used Gradle 4.10.2 / OpenJDK 10.0.2, but now am second guessing. I will verify.

[devinbileck]

I confirmed I am using Gradle 4.10.2 / OpenJDK 10.0.2. I pulled from master with your latest commit and ran through the process again and got the same checksum that I got before.

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ git log -1
commit ecf0ffe77c270dc192a137ad373d2cfa8c7c5c38 (HEAD -> master, origin/master, origin/HEAD)
Author: Chris Beams <[email protected]>
Date:   Fri Nov 9 21:59:41 2018 +0100

    Add Gradle wrapper at v4.10.2

    See https://github.com/bisq-network/bisq/pull/1901#issuecomment-437493277

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ java -version
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment 18.3 (build 10.0.2+13)
OpenJDK 64-Bit Server VM 18.3 (build 10.0.2+13, mixed mode)

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ ./gradlew build
> Task :compileJava NO-SOURCE
> Task :compileGroovy UP-TO-DATE
> Task :processResources UP-TO-DATE
> Task :classes UP-TO-DATE
> Task :jar UP-TO-DATE
> Task :assemble UP-TO-DATE
> Task :compileTestJava NO-SOURCE
> Task :compileTestGroovy NO-SOURCE
> Task :processTestResources NO-SOURCE
> Task :testClasses UP-TO-DATE
> Task :test NO-SOURCE
> Task :check UP-TO-DATE
> Task :build UP-TO-DATE

BUILD SUCCESSFUL in 1s
3 actionable tasks: 3 up-to-date

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ sum build/libs/gradle-witness.jar
57838    18

However, I then did a clean build and got a completely different checksum:

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ ./gradlew clean build
> Task :clean
> Task :compileJava NO-SOURCE

> Task :compileGroovy
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/C:/Users/Devin/.gradle/wrapper/dists/gradle-4.10.2-bin/cghg6c4gf4vkiutgsab8yrnwv/gradle-4.10.2/lib/groovy-all-2.4.15.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

> Task :processResources
> Task :classes
> Task :jar
> Task :assemble
> Task :compileTestJava NO-SOURCE
> Task :compileTestGroovy NO-SOURCE
> Task :processTestResources NO-SOURCE
> Task :testClasses UP-TO-DATE
> Task :test NO-SOURCE
> Task :check UP-TO-DATE
> Task :build

BUILD SUCCESSFUL in 5s
4 actionable tasks: 4 executed

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ sum build/libs/gradle-witness.jar
27807    18

Another clean build and yet another checksum:

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ ./gradlew clean build
> Task :clean
> Task :compileJava NO-SOURCE

> Task :compileGroovy
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.codehaus.groovy.reflection.CachedClass (file:/C:/Users/Devin/.gradle/wrapper/dists/gradle-4.10.2-bin/cghg6c4gf4vkiutgsab8yrnwv/gradle-4.10.2/lib/groovy-all-2.4.15.jar) to method java.lang.Object.finalize()
WARNING: Please consider reporting this to the maintainers of org.codehaus.groovy.reflection.CachedClass
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release

> Task :processResources
> Task :classes
> Task :jar
> Task :assemble
> Task :compileTestJava NO-SOURCE
> Task :compileTestGroovy NO-SOURCE
> Task :processTestResources NO-SOURCE
> Task :testClasses UP-TO-DATE
> Task :test NO-SOURCE
> Task :check UP-TO-DATE
> Task :build

BUILD SUCCESSFUL in 4s
4 actionable tasks: 4 executed

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ sum build/libs/gradle-witness.jar
21198    18

So perhaps a checksum is not reliable and perhaps an md5sum would be better?
Edit: Just realized md5sum encounters the same behaviour.

Devin@Devin-Laptop MINGW64 ~/Documents/GitHub/bisq-network/gradle-witness (master)
$ md5sum.exe build/libs/gradle-witness.jar
b1c06f0c1b74f9955a1cd2ed623c617e *build/libs/gradle-witness.jar

[devinbileck]

Aha! This article describes the issue and provides a simple solution and I verified it works.

[cbeams]

Right. We actually have this same configuration in Bisq's own build.gradle: https://github.com/bisq-network/bisq/blob/master/build.gradle#L206-L209.

Are you putting together a PR for that in the gradle-witness repo, then?

[devinbileck]

Yes, i will put together a PR.

[ghost]

from my side

$ git log -1
commit ecf0ffe77c270dc192a137ad373d2cfa8c7c5c38
Author: Chris Beams 
Date:   Fri Nov 9 21:59:41 2018 +0100

    Add Gradle wrapper at v4.10.2
    
    See https://github.com/bisq-network/bisq/pull/1901#issuecomment-437493277
userz@DO790C:~/github/gradle-witness$ java -version
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment 18.3 (build 10.0.2+13)
OpenJDK 64-Bit Server VM 18.3 (build 10.0.2+13, mixed mode)
userz@DO790C:~/github/gradle-witness$ ./gradlew build

BUILD SUCCESSFUL in 0s
3 actionable tasks: 3 up-to-date
userz@DO790C:~/github/gradle-witness$ sum build/libs/gradle-witness.jar 
56120    18

[cbeams]

NACK, per comments at bisq-network/gradle-witness#1 (review)

[cbeams]

ACK

[cbeams]

Note that I squashed and force-pushed out the earlier commits updating gradle-witness.jar. All that remains is the one correct commit now.