Checksum mismatch while updating expected actual
Any subsequent build invocation is going to reuse the existing local distribution as long as the distribution URL in the Gradle properties doesn’t change.
The Wrapper shell script and batch file reside in the root directory of a single or multi-project Gradle build.
In order to allow checking the integrity of the Wrapper JAR, Gradle publishes the checksums of all releases (except for version 3.3 to 4.0.2, which did not generate reproducible JARs) alongside the corresponding Gradle distribution on https://services.gradle.org/.
You can manually verify the checksum of the Wrapper JAR to ensure that it has not been tampered with by running the following commands on one of the major operating systems: task wasn’t executed with the upgraded Gradle distribution.
In this case, it’s safe to run the If the checksum is not listed on the page, the Wrapper JAR might be from a milestone, release candidate, or nightly build — or it might indeed not be legitimate.
You should try to find out how it was generated but treat it as untrustworthy until proven otherwise.
This increases security against targeted attacks by preventing a man-in-the-middle attacker from tampering with the downloaded Gradle distribution.
Gradle will report a build failure in case the configured checksum does not match the checksum found on the server for hosting the distribution.
task ensures that any optimizations made to the Wrapper shell script or batch file with that specific Gradle version are applied to the project.Checksum Verification is only performed if the configured Wrapper distribution hasn’t been downloaded yet.The Wrapper JAR is a binary file that will be executed on the computers of developers and build servers.As usual you’d commit the changes to the Wrapper files to version control.Most users of Gradle are happy with the default runtime behavior of the Wrapper.
This enables you to host the Gradle distribution on a private protected server.