Build Security
Dominik Schürmann edited this page 2015-06-16 00:08:40 +02:00
- On execution of `./gradlew build`, the Gradle wrapper downloads the Gradle version the project actually requires. This download is protected by SHA-256 verification, which we integrated into the Gradle Wrapper (see `gradle/wrapper/gradle-wrapper.properties`).
- All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by Gradle Witness (see `OpenKeychain/build.gradle`).
TODO?: buildscript dependency verification?
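The wrapper check from the first item can be reproduced outside Gradle, for example in CI. The following is an added example, not OpenKeychain's or Gradle's own code: it assumes the pin is stored under the property name `distributionSha256Sum` (the name current Gradle wrappers read; this page does not name the property), and the sample properties text and archive bytes are constructed.

```python
import hashlib
import hmac

HEX = "0123456789abcdef"

def parse_properties(text):
    """Parse the key=value subset of Java .properties used by gradle-wrapper.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        key, _, value = line.partition("=")
        # .properties files escape ':' as '\:' inside URLs
        props[key.strip()] = value.strip().replace("\\:", ":")
    return props

def check_wrapper_pin(props_text, distribution_bytes):
    """Return a list of problems; an empty list means the archive matches the pin."""
    props = parse_properties(props_text)
    # Assumed property name, see lead-in.
    pinned = props.get("distributionSha256Sum", "").lower()
    if len(pinned) != 64 or any(c not in HEX for c in pinned):
        # A missing or malformed pin must fail closed, not skip verification.
        return ["no valid SHA-256 pinned"]
    actual = hashlib.sha256(distribution_bytes).hexdigest()
    if not hmac.compare_digest(actual, pinned):
        return ["SHA-256 mismatch: got " + actual]
    return []

# Constructed sample input: stand-in archive bytes and a matching properties file.
SAMPLE_ZIP = b"constructed stand-in for the gradle distribution zip"
SAMPLE_PROPS = (
    "# constructed example\n"
    "distributionUrl=https\\://example.invalid/gradle-bin.zip\n"
    "distributionSha256Sum=" + hashlib.sha256(SAMPLE_ZIP).hexdigest() + "\n"
)

if __name__ == "__main__":
    print(check_wrapper_pin(SAMPLE_PROPS, SAMPLE_ZIP))            # matching archive
    print(check_wrapper_pin(SAMPLE_PROPS, SAMPLE_ZIP + b"x"))     # tampered archive
```
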