Companies that use bouncy-castle FIPS (https://www.bouncycastle.org/fips-java/) for security/compliance cannot use Gradle signing, because Gradle signing calls “new BouncyCastleProvider()” directly:
./src/main/java/org/gradle/plugins/signing/signatory/pgp/PgpSignatory.java: Security.addProvider(new BouncyCastleProvider());
This causes Gradle to blow up with:
java.lang.NoSuchFieldError: id_hmacWithSHA3_224
    at org.bouncycastle.jcajce.provider.digest.SHA3$Mappings.configure(Unknown Source)
    at org.bouncycastle.jce.provider.BouncyCastleProvider.loadAlgorithms(Unknown Source)
    at org.bouncycastle.jce.provider.BouncyCastleProvider.setup(Unknown Source)
    at org.bouncycastle.jce.provider.BouncyCastleProvider.access$000(Unknown Source)
    at org.bouncycastle.jce.provider.BouncyCastleProvider$1.run(Unknown Source)
    at org.bouncycastle.jce.provider.BouncyCastleProvider.<init>(Unknown Source)
    at org.gradle.plugins.signing.signatory.pgp.PgpSignatory.<init>(PgpSignatory.java:45)
That’s because bc-fips, installed under {JRE}/lib/ext, loads its classes ahead of the bouncy-castle classes bundled in gradle-all, and it does not include a BouncyCastleProvider; it supplies BouncyCastleFipsProvider instead. So Gradle constructs BouncyCastleProvider from the recent bouncy-castle in gradle-all, whose setup code refers to digest and algorithm names (and constants such as id_hmacWithSHA3_224 above) that the bc-fips classes in {JRE}/lib/ext do not define. When it then tries to resolve those names against the bc-fips classes that were loaded first, they’re not there, and kaboom.
Gradle shouldn’t new a provider directly. It should allow the provider to be configured.
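One way the signing plugin could obtain a provider without hard-coding the class, as an added example (a hypothetical helper, not Gradle's own code; the system property name gradle.signing.provider is assumed): reuse whatever BC-family provider is already registered (BCFIPS from lib/ext, or BC), honour an explicit override, and only fall back to BouncyCastleProvider, loaded reflectively, when nothing else is available.

```java
import java.security.Provider;
import java.security.Security;

/**
 * Hypothetical helper (not Gradle's code) showing how PgpSignatory could
 * resolve a Bouncy Castle JCA provider instead of calling
 * "new BouncyCastleProvider()" unconditionally.
 */
public final class ConfigurableBcProvider {

    /** Optional override, e.g. -Dgradle.signing.provider=BCFIPS (assumed property name). */
    static final String PROVIDER_PROPERTY = "gradle.signing.provider";

    private ConfigurableBcProvider() {}

    /**
     * Resolution order:
     * 1. the provider named by the system property, which must already be registered;
     * 2. an already-registered BCFIPS or BC provider (e.g. bc-fips from {JRE}/lib/ext);
     * 3. otherwise the plain BouncyCastleProvider, loaded reflectively so the class
     *    is only touched when no BC-family provider exists, matching today's behaviour.
     */
    public static Provider resolve() throws ReflectiveOperationException {
        String requested = System.getProperty(PROVIDER_PROPERTY);
        if (requested != null) {
            Provider p = Security.getProvider(requested);
            if (p == null) {
                throw new IllegalStateException(
                        "Requested JCA provider is not registered: " + requested);
            }
            return p;
        }
        for (String name : new String[] {"BCFIPS", "BC"}) {
            Provider p = Security.getProvider(name);
            if (p != null) {
                return p; // reuse what the JRE or the build already registered
            }
        }
        // Fallback: same effect as the current code, reached only when no BC-family provider exists.
        Class<?> cls = Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider");
        Provider p = (Provider) cls.getDeclaredConstructor().newInstance();
        Security.addProvider(p);
        return p;
    }
}
```

The returned Provider object can then be handed to the bcpg builders (for example JcaPGPContentSignerBuilder.setProvider) instead of the hard-coded "BC" name, so that BCFIPS is used when that is what the JRE provides.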