I am trying to publish a jar to Maven Central. I am following the instructions from Sonatype.
I am trying to test whether code signing works. I am using Gradle. Here is my Gradle file:

task javadocJar(type: Jar) {
    classifier = 'javadoc'
    from javadoc
}
task sourcesJar(type: Jar) {
    classifier = 'sources'
    from sourceSets.main.allSource
}
signing {
    sign configurations.archives
}
plugins.withId("com.github.johnrengelman.shadow") {
    //this block requires the java plugin to be applied first.
    plugins.withId("java") {
        shadowJar {
            //We are overriding the default jar to be the shadow jar
            classifier = null
            exclude 'META-INF'
            exclude 'META-INF/*.INF'
            exclude 'META-INF/license/*'
        }
        jar {
            manifest {
                attributes(
                    'Built-By'       : System.properties['user.name'],
                    'Build-Timestamp': new java.text.SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ").format(new Date()),
                    'Created-By'     : "Gradle ${gradle.gradleVersion}",
                    'Build-Jdk'      : "${System.properties['java.version']} (${System.properties['java.vendor']} ${System.properties['java.vm.version']})",
                    'Build-OS'       : "${System.properties['os.name']} ${System.properties['os.arch']} ${System.properties['os.version']}"
                )
            }
        }
        tasks.build.dependsOn tasks.shadowJar
        tasks.shadowJar.mustRunAfter tasks.jar
        tasks.shadowJar.mustRunAfter tasks.javadocJar
        tasks.shadowJar.mustRunAfter tasks.sourcesJar
    }
}
artifacts {
    archives javadocJar, sourcesJar
}

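When I run gradle clean build, I get some artifacts in the build/libs directory, and I use gpg to verify them.
I found that the signatures of the javadoc and sources jars are correct, but the signature of the jar does not pass verification.
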
$ gpg --verify build/libs/mask-json-field-transform-0.1-javadoc.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-javadoc.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]
$ gpg --verify build/libs/mask-json-field-transform-0.1-sources.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1-sources.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: Good signature from "Feroze Daud <xxx@yyy.com>" [ultimate]
$ gpg --verify build/libs/mask-json-field-transform-0.1.jar.asc
gpg: assuming signed data in 'build/libs/mask-json-field-transform-0.1.jar'
gpg: Signature made Fri Jan 6 17:17:16 2023 PST
gpg: using EDDSA key Fxxxx9
gpg: BAD signature from "Feroze Daud <xxx@yyy.com>" [ultimate]

Do you know what I am doing wrong?

1 Answer
5rgfhyps #1
If I enable reproducible builds, this problem goes away.
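
An added example, not part of the answer above or of the project's build: a jar rebuilt from identical inputs still changes byte-for-byte when only its entry timestamps change, which invalidates a detached signature made over the earlier bytes, while fixed timestamps and sorted entry order (what Gradle's `preserveFileTimestamps = false` and `reproducibleFileOrder = true` archive settings do) keep the bytes stable. It assumes the signed jar in the question was rewritten after signing, which the page does not confirm; the entry names and contents are constructed.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a jar's contents.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "com/example/Mask.class": b"\xca\xfe\xba\xbe constructed bytes",
}
FIXED_TIME = (1980, 2, 1, 0, 0, 0)  # constant timestamp used in reproducible mode


def build_jar(entries, mtime, reproducible=False):
    """Write entries into an in-memory jar and return its bytes."""
    names = sorted(entries) if reproducible else list(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            info = zipfile.ZipInfo(name, FIXED_TIME if reproducible else mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, entries[name])
    return buf.getvalue()


def digest(data):
    """SHA-256 of the exact bytes a detached signature would cover."""
    return hashlib.sha256(data).hexdigest()


def classify(signed, on_disk):
    """Say how the file on disk differs from the bytes that were signed."""
    if signed == on_disk:
        return "identical"
    a = zipfile.ZipFile(io.BytesIO(signed))
    b = zipfile.ZipFile(io.BytesIO(on_disk))
    crcs_a = {i.filename: i.CRC for i in a.infolist()}
    crcs_b = {i.filename: i.CRC for i in b.infolist()}
    return "metadata-only" if crcs_a == crcs_b else "content"


if __name__ == "__main__":
    # Assumption: the jar is written once, signed, then written again later.
    signed = build_jar(ENTRIES, (2023, 1, 6, 17, 17, 16))
    rewritten = build_jar(ENTRIES, (2023, 1, 6, 17, 17, 40))
    print(digest(signed) == digest(rewritten), classify(signed, rewritten))
    stable_a = build_jar(ENTRIES, (2023, 1, 6, 17, 17, 16), reproducible=True)
    stable_b = build_jar(ENTRIES, (2023, 1, 6, 17, 17, 40), reproducible=True)
    print(digest(stable_a) == digest(stable_b), classify(stable_a, stable_b))
```

A "metadata-only" result means the two jars hold the same entries with the same CRCs, so the signature fails only because archive metadata changed between signing and verification.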