I am trying to publish a jar to Maven Central. I am following instructions in Sonatype
So... I am trying to test that code-signing works. I am using Gradle. This is my Gradle file:
task javadocJar(type: Jar) {
classifier = 'javadoc'
from javadoc
}
task sourcesJar(type: Jar) {
classifier = 'sources'
from sourceSets.main.allSource
}
signing {
sign configurations.archives
}
plugins.withId("com.github.johnrengelman.shadow"){
//this block requires the java plugin to be applied first.
plugins.withId("java"){
shadowJar {
//We are overriding the default jar to be the shadow jar
classifier = null
exclude 'META-INF'
exclude 'META-INF/*.INF'
exclude 'META-INF/license/*'
}
jar {
manifest {
attributes(
'Built-By' : System.properties['user.name'],
'Build-Timestamp': new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").format(new Date()),
'Created-By' : "Gradle ${gradle.gradleVersion}",
'Build-Jdk' : "${System.properties['java.version']} (${System.properties['java.vendor']} ${System.properties['java.vm.version']})",
'Build-OS' : "${System.properties['os.name']} ${System.properties['os.arch']} ${System.properties['os.version']}"
)
}
}
tasks.build.dependsOn tasks.shadowJar
tasks.shadowJar.mustRunAfter tasks.jar
tasks.shadowJar.mustRunAfter tasks.javadocJar
tasks.shadowJar.mustRunAfter tasks.sourcesJar
}
}
artifacts {
archives javadocJar, sourcesJar
}
When I run gradle clean build
I am getting some artifacts in my build/libs
directory. I am using gpg
to verify them.
I find that the signatures for the javadoc
and sources
jar are fine, but the jar
signature fails validation.
$ gpg --verify build/libs/mask-json-field-transform-0.1-javadoc.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-javadoc.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <[email protected]>" [ultimate]
$ gpg --verify build/libs/mask-json-field-transform-0.1-sources.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-sources.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <[email protected]>" [ultimate]
$ gpg --verify build/libs/mask-json-field-transform-0.1.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: BAD signature from "Feroze Daud <[email protected]>" [ultimate]
Any idea what I am doing wrong?
CodePudding user response:
If I enable reproducible builds, this problem goes away.