When we apply sigstore-gradle-sign-plugin in build logic, the sigstoreClientClasspath always wants to use the project dependency instead of the expected sigstore-java dependency of the plugin.
$ ./gradlew sigstore-java:dependencies --configuration sigstoreClientClasspath
> Task :sigstore-java:dependencies
------------------------------------------------------------
Project ':sigstore-java' - A Java client for signing and verifying using Sigstore
------------------------------------------------------------
sigstoreClientClasspath - Resolves Sigstore dependencies
+--- dev.sigstore:sigstore-java:0.7.0 -> project :sigstore-java (*)
See: +--- dev.sigstore:sigstore-java:0.7.0 -> project :sigstore-java (*)
This can cause incompatibilities, especially since the sigstore-gradle-sign-plugin version is 0.7.0.
This wouldn't be an issue once we're 1.0 and API stable. But it is a bit strange.
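One way to catch this kind of resolution in CI, as an added example that is not part of the original issue or of the sigstore-java project: the script scans the text report printed by ./gradlew dependencies for module coordinates that resolve to a local project. The function names and the com.example line in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag external module coordinates that the Gradle dependency
# report shows as replaced by a local project, i.e. tree lines of the form
#   group:name[:version] -> project :path
#
# Typical use (command taken from the report above):
#   ./gradlew sigstore-java:dependencies --configuration sigstoreClientClasspath | check_report

# Reads a dependency report on stdin and prints one line per substituted
# coordinate as "<coordinate> <project path>", de-duplicated.
find_project_substitutions() {
    sed -n 's/^[ |+\\-]*\([^ :]*:[^ ]*\) -> project \(:[^ ]*\).*$/\1 \2/p' | sort -u
}

# Constructed sample: the first tree line is the one from the report on this
# page, the second is a made-up ordinary dependency for contrast.
sample_report() {
    cat <<'EOF'
sigstoreClientClasspath - Resolves Sigstore dependencies
+--- dev.sigstore:sigstore-java:0.7.0 -> project :sigstore-java (*)
\--- com.example:constructed-lib:1.2.3
EOF
}

# Reads a report on stdin. Returns 0 when no module was swapped for a local
# project, 1 otherwise (the offending coordinates go to stderr).
check_report() {
    hits=$(find_project_substitutions)
    if [ -n "$hits" ]; then
        printf 'resolved to a local project instead of the published module:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}
```
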