Different artifacts published at plugins.gradle.org and repo1.maven.org

[vdshb]

Describe the bug It looks like publication bug.

Checksums are different for: https://plugins.gradle.org/m2/org/jetbrains/compose/compose-gradle-plugin/1.5.3/compose-gradle-plugin-1.5.3.jar https://repo1.maven.org/maven2/org/jetbrains/compose/compose-gradle-plugin/1.5.3/compose-gradle-plugin-1.5.3.jar

As a result gradle (with verify-signatures on and gradlePluginPortal(); mavenCentral() repos) downloads artefact (.jar) from https://plugins.gradle.org, downloads signature (.asc) from https://repo1.maven.org (because plugins.gradle.org doesn't have a signature) and finish any task with error "signature didn't match".

Affected platforms

• All

To Reproduce

wget -O plugin1.jar https://plugins.gradle.org/m2/org/jetbrains/compose/compose-gradle-plugin/1.5.3/compose-gradle-plugin-1.5.3.jar
wget -O plugin2.jar https://repo1.maven.org/maven2/org/jetbrains/compose/compose-gradle-plugin/1.5.3/compose-gradle-plugin-1.5.3.jar
sha1sum plugin1.jar
sha1sum plugin2.jar

Checksums are different:

8c28dfb0ea1f7d6c8d47525984c6d2afde5bb1aa  plugin1.jar
30a8180a62a3f6761981e55cbd6feb113fe76d49  plugin2.jar

Expected Checksums of the same artifact in different repositories supposed to be the same.

Additional context Similar behaviour for 1.4.3. Similar behaviour might be not only for jar files, but also for .pom, .module, etc. files (haven't checked)

[dima-avdeev-jb]

Thanks for this Issue! I will ask our team about this difference.

[okushnikov]

Please check the following ticket on YouTrack for follow-ups to this issue. GitHub issues will be closed in the coming weeks.