Gradle signing with gpg gives a bad jar signature

flvlnr44  posted on 2023-01-13  in Other
Answers (1) | Views (149)

I am trying to publish a jar to Maven Central, following the instructions from Sonatype.
I am trying to test whether code signing works. I am using Gradle. This is my Gradle file:

task javadocJar(type: Jar) {
    classifier = 'javadoc'
    from javadoc
}

task sourcesJar(type: Jar) {
    classifier = 'sources'
    from sourceSets.main.allSource
}

// signArchives signs every artifact in the archives configuration:
// the output of jar, plus javadocJar and sourcesJar added below.
signing {
    sign configurations.archives
}

plugins.withId("com.github.johnrengelman.shadow"){

    //this block requires the java plugin to be applied first.
    plugins.withId("java"){

        shadowJar {
            //We are overriding the default jar to be the shadow jar
            // (no classifier, so it is written to the same path as the plain jar)
            classifier = null
            exclude 'META-INF'
            exclude 'META-INF/*.INF'
            exclude 'META-INF/license/*'
        }

        jar {
            manifest {
                attributes(
                        'Built-By'       : System.properties['user.name'],
                        'Build-Timestamp': new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").format(new Date()),
                        'Created-By'     : "Gradle ${gradle.gradleVersion}",
                        'Build-Jdk'      : "${System.properties['java.version']} (${System.properties['java.vendor']} ${System.properties['java.vm.version']})",
                        'Build-OS'       : "${System.properties['os.name']} ${System.properties['os.arch']} ${System.properties['os.version']}"
                )
            }
        }

        // shadowJar is ordered after the plain jar and the other archives,
        // but nothing orders it relative to signArchives.
        tasks.build.dependsOn tasks.shadowJar
        tasks.shadowJar.mustRunAfter tasks.jar
        tasks.shadowJar.mustRunAfter tasks.javadocJar
        tasks.shadowJar.mustRunAfter tasks.sourcesJar
    }
}

artifacts {
    archives javadocJar, sourcesJar
}

When I run gradle clean build, I get some artifacts in the build/libs directory, and I use gpg to verify them.
I find that the signatures of the javadoc and sources jars are correct, but the jar signature fails verification.

$ gpg --verify build/libs/mask-json-field-transform-0.1-javadoc.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-javadoc.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

$ gpg --verify build/libs/mask-json-field-transform-0.1-sources.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-sources.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

$ gpg --verify build/libs/mask-json-field-transform-0.1.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1.jar'
gpg: Signature made Fri Jan  6 17:17:16 2023 PST
gpg:                using EDDSA key Fxxxx9
gpg: BAD signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

Do you know what I am doing wrong?

5rgfhyps 1#

If I enable reproducible builds, this problem goes away.
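For reference, here is a build file that avoids the mismatch, written as an added example (it is neither the asker's build file nor the answerer's). The cause visible in the question is that the shadow jar with no classifier is written to the same path as the plain jar after the plain jar was built, while signArchives only depends on the plain jar; a detached signature binds exact bytes, so once the file is replaced the .asc no longer verifies. The example signs the tasks' own outputs (each Sign task depends on the task it signs, so signShadowJar cannot run before shadowJar writes the file), disables the plain jar so only one task writes that path, and sets the archive options usually meant by "reproducible builds". It assumes Gradle 6 or later, gpg on PATH (useGpgCmd reads signing.gnupg.* settings from gradle.properties), and the shadow plugin version shown, which is an assumption.

```groovy
// Added example, not the code from the question or the answer.
plugins {
    id 'java'
    id 'signing'
    id 'com.github.johnrengelman.shadow' version '7.1.2'   // version is an assumption
}

// Creates the javadocJar and sourcesJar tasks (Gradle 6+).
java {
    withJavadocJar()
    withSourcesJar()
}

// Reproducible archives: no file timestamps and a fixed entry order, so the
// same inputs give byte-identical jars across builds and machines.
tasks.withType(AbstractArchiveTask).configureEach {
    preserveFileTimestamps = false
    reproducibleFileOrder = true
}

// The shadow jar is the artifact that ships, under <name>-<version>.jar ...
shadowJar {
    archiveClassifier.set('')
    mergeServiceFiles()
}

// ... so do not also build a different plain jar at the same path.
jar {
    enabled = false
}

// Sign the archive tasks' outputs instead of configurations.archives. This
// creates signShadowJar, signSourcesJar and signJavadocJar, each depending on
// the task it signs, so the .asc always covers the bytes that will be uploaded.
signing {
    useGpgCmd()   // use the gpg binary and agent; key chosen via signing.gnupg.keyName
    sign tasks.shadowJar, tasks.sourcesJar, tasks.javadocJar
}
```

After ./gradlew clean build, run gpg --verify on every .asc in build/libs before publishing; a BAD signature at that point means some task rewrote the file after it was signed, and the upload should be stopped until the ordering is fixed.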
