I'm unsure if this is an issue with the gradle plugin repository, or perhaps the axion-release-plugin release artifact itself.
I'm using Gradle Dependency Verification in my project, which verifies SHAs as well as PGP signatures of dependencies, including gradle plugins.
The axion-release gradle plugin fails the signature verification when checked by Gradle, which results in having to use the SHA checksum in the verification metadata file. The plugins.gradle.org repo doesn't seem to host any .asc signatures, only the jar and pom artifacts, and so for other Gradle plugins it seems you must still use SHA due to the missing signature.
However, for axion-release-plugin, the .jar artifact is actually different (SHA checksum differs) from the maven central artifact, so it seems to cause the signature check to report "Bad signature".
Is this expected?
More detail:
I verified that the maven central .jar and .asc signature is valid. (from here). "gpg: Good signature from "Allegro Group (Allegro Group Maven Key) [email protected]" [unknown]".
However, the .jar artifact from plugins.gradle.org, while having the exact same file size, must have some binary difference from the maven central artifact. The same .asc signature file fails to verify. "gpg: BAD signature from "Allegro Group (Allegro Group Maven Key) [email protected]" [unknown]". SHAs differ between the two files.
d2c1fc3da5acd2e7e5409e1e4b5cc16736173c0749fd3f45cea91594f693d5c3 axion-release-plugin-1.13.7.jar.orig #from maven central
144b01e5daceae7570d774258e2d56c633f2dbec2b0d4713a163684141adcb4d axion-release-plugin-1.13.7.jar
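A quick way to pin down where two same-sized jars diverge, as an added example that is not part of the original thread: it compares the digests and then the per-entry zip metadata (CRC, sizes, stored timestamp). The two jars and the entry names below are constructed in the script, with only the stored entry timestamp differing, which reproduces "same size, different SHA".

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def zip_entry_table(data: bytes) -> dict:
    """Map each entry name to the metadata that is baked into the archive bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: {
                "crc": info.CRC,
                "size": info.file_size,
                "compressed": info.compress_size,
                "mtime": info.date_time,
            }
            for info in zf.infolist()
        }


def compare_jars(a: bytes, b: bytes) -> dict:
    """Report whether two jars match by size and SHA-256, and which entries differ."""
    ta, tb = zip_entry_table(a), zip_entry_table(b)
    entry_diffs = {
        name: (ta.get(name), tb.get(name))
        for name in sorted(set(ta) | set(tb))
        if ta.get(name) != tb.get(name)
    }
    return {
        "same_size": len(a) == len(b),
        "same_sha256": sha256_hex(a) == sha256_hex(b),
        "entry_diffs": entry_diffs,
    }


def build_jar(entries, mtime) -> bytes:
    """Constructed sample jar: identical entries, only the stored timestamp varies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zi = zipfile.ZipInfo(name, date_time=mtime)
            zf.writestr(zi, payload, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Constructed entry names and payloads; not the real plugin's contents.
SAMPLE_ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                  ("com/example/Plugin.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)]
CENTRAL_JAR = build_jar(SAMPLE_ENTRIES, (2022, 1, 10, 12, 0, 0))
PORTAL_JAR = build_jar(SAMPLE_ENTRIES, (2022, 1, 11, 9, 30, 0))
```

Run it against the two downloaded jars by reading them into `compare_jars`; an empty `entry_diffs` with differing digests points at the archive headers rather than the entries.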
Hi @gschueler, no this is certainly not expected!
I'll dig into this today and make sure that next version will be the same! (I'll create 1.13.8 for this)
@bgalek thanks, the .jar file signature now works!
The .pom file still appears different between plugins.gradle.org and maven central, however it seems like that is also the case for other gradle plugins as well.