package,readme: support dependency verification though gradle nightlies

The only other options I could find to do this don't work on gradle 5+,
which is what travis ships with. It also has some open bugs about not
actually verifying transitive dependencies, so I would rather use a
nightly gradle than that.

README.md

@@ -110,4 +110,36 @@ To update a plugin, simply update the manifest with the most recent commit hash.
 We will review your plugin to ensure it isn't malicious or [breaking
 jagex's rules](https://secure.runescape.com/m=news/another-message-about-unofficial-clients?oldschool=1).
 __If it is difficult for us to ensure the plugin isn't against the rules we
-will not merge it__. 
+will not merge it__. 
+
+## Third party dependencies
+We require any dependencies that are not a transitive dependency of runelite-client to
+be have their cryptographic hash verified during the build to prevent [supply chain attacks]
+(https://en.wikipedia.org/wiki/Supply_chain_attack) and ensure build reproducability.
+To do this we rely on [Gradle's dependency verification](https://docs.gradle.org/nightly/userguide/dependency_verification.html),
+which is currently only available in nightly builds. To enable this you must first run:
+```
+./gradlew wrapper --gradle-version=6.2-20200117230024+0000
+```
+
+Then create `gradle/verification-metadata.xml` with the following contents
+
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<verification-metadata xmlns="https://schema.gradle.org/dependency-verification" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="https://schema.gradle.org/dependency-verification https://schema.gradle.org/dependency-verification/dependency-verification-1.0.xsd">
+  <configuration>
+    <verify-metadata>true</verify-metadata>
+    <verify-signatures>false</verify-signatures>
+    <trusted-artifacts>
+      <trust group="net.runelite"/>
+    </trusted-artifacts>
+  </configuration>
+</verification-metadata>
+```
+
+And finally run: 
+```
+./gradlew --write-verification-metadata sha256
+```
+Then commit the files to your repository. You will have to run this final command anytime you
+add/remove/update dependencies that are not part of RuneLite.

build_plugin.sh

@@ -53,6 +53,17 @@ done < "$PLUGINFILE"
 # we must have a full 40 char sha1sum
 [[ $commit =~ ^[a-fA-F0-9]{40}+$ ]]
 
+# we need gradle 6.2 for dependency verification
+GRADLE_VER=gradle-6.2-20200117230024+0000
+if [[ ! -e "/tmp/$GRADLE_VER/bin/gradle" ]]; then
+	wget -q -O/tmp/gradle.zip "https://services.gradle.org/distributions-snapshots/$GRADLE_VER-bin.zip"
+	echo 'b684259e5a0fcce1ed183929c6dcecab8a9613e7b73d7fbc664807b751822323 */tmp/gradle.zip' | shasum -a256 -c
+	unzip -q /tmp/gradle.zip -d /tmp/
+	[[ -e "/tmp/$GRADLE_VER/bin/gradle" ]]
+fi
+export GRADLE_HOME="/tmp/$GRADLE_VER/"
+export PATH="$GRADLE_HOME/bin:$PATH"
+
 BUILDDIR="$(mktemp -d /tmp/external-plugin.XXXXXXXX)"
 trap "rm -rf ""$BUILDDIR""" EXIT
 pushd "$BUILDDIR"

package.gradle

@@ -38,6 +38,11 @@ initscript {
 		classpath "com.google.code.gson:gson:2.8.5"
 		classpath "com.google.guava:guava:23.2-jre"
 	}
+	configurations.classpath.resolutionStrategy {
+		// We don't have a way to add our direct deps to the metadata file,
+		// so we disable it for the initscript's configuration
+		disableDependencyVerification()
+	}
 }
 
 allprojects {