
Gradle signing with gpg gives a bad signature for the main jar


I am trying to publish a jar to Maven Central, following the Sonatype instructions.

So... I am trying to verify that code signing works. I am using Gradle; this is my build file:

// Bundles the generated javadoc into a jar with the 'javadoc' classifier.
task javadocJar(type: Jar) {
    classifier = 'javadoc'
    from javadoc
}

// Bundles the main source set into a jar with the 'sources' classifier.
task sourcesJar(type: Jar) {
    classifier = 'sources'
    from sourceSets.main.allSource
}


// Produces a detached .asc signature for every artifact in the 'archives'
// configuration: the default jar plus javadocJar/sourcesJar (added in the
// artifacts block below). Each signature covers the file as it exists when
// the signing task runs; anything that rewrites that file afterwards leaves
// a signature that no longer matches the bytes on disk.
signing {
    sign configurations.archives
}

plugins.withId("com.github.johnrengelman.shadow"){

    //this block requires the java plugin to be applied first.
    plugins.withId("java"){

        shadowJar {
            //We are overriding the default jar to be the shadow jar
            // With no classifier, shadowJar writes to the same output path
            // as the default jar, so the file produced by 'jar' is replaced
            // by the shadow jar's bytes. A signature computed over the
            // earlier file cannot verify against the replacement unless the
            // two files are byte-identical.
            classifier = null
            // NOTE(review): excluding the whole META-INF directory, not just
            // the *.INF and license entries below, also drops any other
            // metadata shipped there by dependencies — confirm this is
            // intended.
            exclude 'META-INF'
            exclude 'META-INF/*.INF'
            exclude 'META-INF/license/*'
        }

        jar {
            manifest {
                attributes(
                        'Built-By'       : System.properties['user.name'],
                        // Wall-clock timestamp: the manifest, and so the jar
                        // bytes, differ on every build even when the sources
                        // do not.
                        'Build-Timestamp': new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").format(new Date()),
                        'Created-By'     : "Gradle ${gradle.gradleVersion}",
                        'Build-Jdk'      : "${System.properties['java.version']} (${System.properties['java.vendor']} ${System.properties['java.vm.version']})",
                        'Build-OS'       : "${System.properties['os.name']} ${System.properties['os.arch']} ${System.properties['os.version']}"
                )
            }
        }

        // mustRunAfter only fixes the relative order of tasks that are both
        // scheduled; it does not make shadowJar depend on them. Nothing here
        // orders the signing task relative to shadowJar, so whether signing
        // sees the default jar or the shadow jar is not pinned down by this
        // script — NOTE(review): confirm against the executed task graph.
        tasks.build.dependsOn tasks.shadowJar
        tasks.shadowJar.mustRunAfter tasks.jar
        tasks.shadowJar.mustRunAfter tasks.javadocJar
        tasks.shadowJar.mustRunAfter tasks.sourcesJar
    }
}

// Adds the javadoc and sources jars to 'archives' so they are published and
// signed alongside the default jar.
artifacts {
    archives javadocJar, sourcesJar
}

When I run `gradle clean build`, artifacts appear in my `build/libs` directory, and I verify them with `gpg`.

I find that the signatures for the javadoc and sources jars verify, but the signature on the main jar fails validation.

$ gpg --verify build/libs/mask-json-field-transform-0.1-javadoc.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-javadoc.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

$ gpg --verify build/libs/mask-json-field-transform-0.1-sources.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-sources.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

$ gpg --verify build/libs/mask-json-field-transform-0.1.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: BAD signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

Any idea what I am doing wrong?


Solution

  • If I enable reproducible builds, this problem goes away. This is consistent with `shadowJar` (which has `classifier = null` and `mustRunAfter jar`) replacing the default jar's output file after the signature was produced; presumably reproducible archive settings remove the timestamp and ordering differences, so the replacement file can match the bytes that were signed.