dependency-check-gradle
PGP Verification Failed
Hello,
I am using Gradle 7.4 and dependencycheck 7.1.1
The verification failed for the POM
<component group="org.owasp" name="dependency-check-gradle" version="7.1.1">
   <artifact name="dependency-check-gradle-7.1.1.pom">
      <ignored-keys>
         <ignored-key id="259a55407dd6c00299e6607effde55be73a2d1ed" reason="PGP verification failed"/>
      </ignored-keys>
      <sha256 value="8874490cd13af261f2e4c409a7dc7bd949a630c4082f7d33069fa1e6f579970e" origin="Generated by Gradle because PGP signature verification failed!"/>
   </artifact>
</component>
The key in use appears to be the right key, but when we compute the sha256 we get a different value than the one provided for dependency-check-gradle-7.1.1.pom
$ shasum -a 256 dependency-check-gradle-7.1.1.pom
8874490cd13af261f2e4c409a7dc7bd949a630c4082f7d33069fa1e6f579970e dependency-check-gradle-7.1.1.pom
This is from Maven...
curl -X GET "https://repo1.maven.org/maven2/org/owasp/dependency-check-gradle/7.1.1/dependency-check-gradle-7.1.1.pom.sha256"
09b6282b5af38b54e0fa661628b151592b981a6846b2aa598655c0f8b893086a
I am unsure as to why only this one file has a different sha256; the rest of the files appear to be valid. Any ideas on the cause and a solution?
Going to check and see if it is possibly the Maven mirror that is causing issues.
I love gradle sometimes...
- https://repo1.maven.org/maven2/org/owasp/dependency-check-gradle/7.1.2/dependency-check-gradle-7.1.2.pom
- https://plugins.gradle.org/m2/org/owasp/dependency-check-gradle/7.1.2/dependency-check-gradle-7.1.2.pom
Anyone know what to fix in the build.gradle so that these files match going forward?