Reducing Risk of Supply Chain Attacks with Reproducible Builds in Gradle

Featured image for sharing metadata for article

It's becoming more and more common for Free and Open Source dependencies to become poisoned by attackers.It's (fortunately) not solved by using only Proprietary software, as the SolarWinds breach last year taught us.

However, by using Free and Open Source tooling, we have the ability to independently verify that a built package is byte-for-byte the exact same between the maintainer's machine and your own.

As authors of libraries, we should be striving to provide this functionality for our consumers, by making sure our build and packaging processes apply practices shared by the Reproducible Builds community, and applying the Supply-chain Levels for software Artifacts best practices.

Gradle has supported this since version 3.4, and the documentation describes how to set it up, which I have echoed below, as well as adding a Kotlin example.


If you're using the Groovy buildscript, you'll need the following:

allprojects {
 tasks.withType(AbstractArchiveTask).configureEach {
    preserveFileTimestamps = false
    reproducibleFileOrder = true


Or if you're using a Kotlin buildscript, you can use the following:

allprojects {
  tasks.withType<AbstractArchiveTask>() {
    isPreserveFileTimestamps = false
    isReproducibleFileOrder = true

Written by Jamie Tanna's profile image Jamie Tanna on , and last updated on .

Content for this article is shared under the terms of the Creative Commons Attribution Non Commercial Share Alike 4.0 International, and code is shared under the Apache License 2.0.

#blogumentation #java #gradle #security.

This post was filed under articles.

Interactions with this post

Interactions with this post

Below you can find the interactions that this page has had using WebMention.

Have you written a response to this post? Let me know the URL:

Do you not have a website set up with WebMention capabilities? You can use Comment Parade.