This can indicate that a dependency has been compromised. Please carefully verify the checksums.""" : """Dependency verification failed for configuration ':compileClasspath':
  - On artifact foo-1.0.jar (org:foo:1.0) in repository 'maven': expected a 'sha1' checksum of '${fooChecksum}' but was '93d6c93d9a76d27ec3462e7b57de5df1eb45bc7b'

This can indicate that a dependency has been compromised. Please carefully verify the checksums."""

        if (highLevelErrors.isMaybeCompromised()) {
            StringBuilder sb = new StringBuilder();
            sb.append("This can indicate that a dependency has been compromised. Please carefully verify the ");
            if (highLevelErrors.hasFailedSignatures()) {
                sb.append("signatures and ");
            }
            sb.append("checksums.");

This can indicate that a dependency has been compromised. Please carefully verify the checksums."""

            whenVerbose """Dependency verification failed for configuration ':compileClasspath':
  - On artifact foo-1.0.jar (org:foo:1.0) in repository 'maven': expected a 'sha256' checksum of 'invalid' but was '${getChecksum(foo, "sha256")}'

This can indicate that a dependency has been compromised. Please carefully verify the checksums."""
        }

** you can use <<#sec:trusting-several-checksums,`also-trust`>> to accept the additional checksums
* the dependency was compromised
** immediately inform the maintainers of the library
** notify the repository maintainers of the compromised library

    /*
     * Integration test to verify the integrity of the dependencies. The goal is to be able to check the dependencies
     * even we assume that the Gradle binaries are compromised. Ultimately this test should run outside of the Gradle.
     */

    @Override
    String getDistributionLabel() {
        'bin'
    }

    @Override
    int getMaxDistributionSizeBytes() {

      HeldCertificate.Builder()
        .serialNumber(3L)
        .certificateAuthority(0)
        .commonName("compromised intermediate")
        .signedBy(pinnedRoot)
        .build()
    val attackerIntermediate =
      HeldCertificate.Builder()
        .keyPair(attackerCa.keyPair) // Share keys between compromised CA and intermediate!
        .serialNumber(4L)

 * from one repository to the other (either by end of lines, additional line
 * at the end of the file, ...). Because they are different doesn't mean that
 * they are compromised, so this is a facility for the user to declare "I know
 * I should use a single source of truth but the infrastructure is hard or
 * impossible to fix so let's trust this source".
 *

            "        <p>This indicates that a dependency was <i>signed</i> but that the signature verification <b>failed</b>.</p>",
            "        <p>This happens when a dependency was compromised or that the signature was made for a different artifact than the one you got.</p>",
            "        <p>It's important that you <b>carefully review this problem</b>.</p>");

#### Key rotation

       "If('%WRAPPER_SHA_256_SUM%' -ne $hash){"^
       "  Write-Output 'Error: Failed to validate Maven wrapper SHA-256, your Maven wrapper might be compromised.';"^
       "  Write-Output 'Investigate or delete %WRAPPER_JAR% to attempt a clean download.';"^
       "  Write-Output 'If you updated your Maven version, you need to update the specified wrapperSha256Sum property.';"^