Gradle signature verification fails when gradle module metadata uses a relative path redirect

[liutikas]

Current Behavior

Guava started publishing artifacts with gradle module metadata. Their metadata uses

      "files": [
        {
          "name": "guava-32.1.3-jre.jar",
          "url": "../32.1.3-jre/guava-32.1.3-jre.jar"
        }
      ],

in https://repo1.maven.org/maven2/com/google/guava/guava/32.1.3-android/guava-32.1.3-android.module for making sure that consumers get the correct variant.

Gradle signature verification fails in such a "swap". It does not even seem to find .asc file as it only does checksum verification.

Dependency verification failed for configuration ':app:debugRuntimeClasspath'
One artifact failed verification: guava-32.1.3-android.jar (com.google.guava:guava:32.1.3-jre) from repository MavenRepo

Expected Behavior

Signature verification passes as ../32.1.3-jre/guava-32.1.3-jre.jar.asc exists and is valid

Context (optional)

Additional details in the guava tracker google/guava#7154

Steps to Reproduce

1. Check out https://github.com/liutikas/guava-signature-repro
2. ./gradlew assembleDebug

Gradle version

8.7

Build scan URL (optional)

https://scans.gradle.com/s/bcgzjbu55sm7y

Your Environment (optional)

No response

[ov7a]

The issue is in the backlog of the relevant team and is prioritized by them.