As of v6.2, Gradle offers complete verification of all the artifacts it downloads and uses. gradle-witness and others were always limited to a small subset. It is time to switch to the built-in verification:
https://docs.gradle.org/current/userguide/dependency_verification.html
I think it makes sense for fdroid scanner to flag the gradle-witness.jar as an error. For builds using Gradle older than v6.2, @vlsi's checksum-dependency-plugin has much better coverage than gradle-witness: