Signing a custom Gradle plugin that's downloaded by the build system from GitHub?

I’m using this code at the moment to download a plugin from GitHub within the build system:

buildscript {
    repositories {
        add(new org.apache.ivy.plugins.resolver.URLResolver()) {
            name = 'GitHub'
            addArtifactPattern '[organisation]/[module]/[module]-[revision].[ext]'
        }
    }
    dependencies {
        classpath 'GithubUsername:custom-gradle-plugin:0.1.0'
    }
}
apply plugin: "custom-plugin"

At the moment I’m getting the following error:

Could not open cache directory /home/chris/.gradle/caches/1.0-milestone-6/scripts/build_1d06v4bgiuciqqins0mlhdgcne/ProjectScript/no_buildscript.
Cause: Invalid signature file digest for Manifest main attributes

I’m not sure what I need to do to sign a plugin, or why a CacheOpenException wrapped from a java.lang.SecurityException is being thrown.

Any help is appreciated. Thanks.

Ok, this isn’t a problem with Gradle.

I misunderstood what was going on. As my custom plugin is created by fat jar-ing it with its dependencies, the resulting jar contains PGP signature keys from other libraries. These signatures invalidate the plugin package.

For anyone reaching here in the future, my solution was to strip the files during the jar task.

jar {
    // adds runtime dependencies to jar package
    from(configurations.runtime.collect { it.isDirectory() ? it : zipTree(it) }) {
        // remove all signature files
        exclude "META-INF/*.SF"
        exclude "META-INF/*.DSA"
        exclude "META-INF/*.RSA"
    }
}

Hope this helps.

For my Gradle 1.8 installation I had to add “{” and “}” to the configuration:

    from({configurations.runtime.collect { it.isDirectory() ? it : zipTree(it) }}) {

Hope this helps someone else.
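
An added example, not part of the original posts: a Python check for the condition behind `Invalid signature file digest for Manifest main attributes`. It recomputes the digest of a jar's main manifest section and compares it with the value recorded in each leftover `.SF` file. The jars, the `DEP.SF`/`DEP.RSA` entry names and the manifests are constructed in memory, and `.EC` is checked in addition to the three extensions excluded above.

```python
import base64, hashlib, io, re, zipfile

SIG_RE = re.compile(r"META-INF/[^/]+\.(SF|DSA|RSA|EC)$", re.IGNORECASE)
MAIN_RE = re.compile(rb"^(SHA-?\d+)-Digest-Manifest-Main-Attributes: (\S+)", re.M)

def main_section(manifest: bytes) -> bytes:
    """Main attributes of MANIFEST.MF, including the blank line that ends them."""
    end = re.search(rb"\r?\n\r?\n", manifest)
    return manifest[:end.end()] if end else manifest

def audit_jar(data: bytes) -> dict:
    """Map each signature entry to 'ok', 'stale' or 'n/a' (no digest to compare)."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        main = main_section(jar.read("META-INF/MANIFEST.MF"))
        for name in filter(SIG_RE.match, jar.namelist()):
            status = "n/a"  # .DSA/.RSA/.EC blocks sign the .SF, not the manifest
            if name.upper().endswith(".SF"):
                # Lines wrap at 72 bytes; unfold continuation lines first.
                sf = re.sub(rb"\r?\n ", b"", jar.read(name))
                for alg, want in MAIN_RE.findall(sf):
                    algo = alg.decode().replace("-", "").lower()  # SHA-256 -> sha256
                    got = base64.b64encode(hashlib.new(algo, main).digest())
                    status = "ok" if got == want and status != "stale" else "stale"
            report[name] = status
    return report

def make_jar(manifest: bytes, extra: dict) -> bytes:
    """Build an in-memory jar (constructed sample data, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        for name, body in extra.items():
            jar.writestr(name, body)
    return buf.getvalue()

def signed_entries(manifest: bytes) -> dict:
    """Constructed .SF/.RSA pair whose recorded digest matches `manifest`."""
    digest = base64.b64encode(hashlib.sha256(main_section(manifest)).digest())
    line = b"SHA-256-Digest-Manifest-Main-Attributes: " + digest
    sf = b"Signature-Version: 1.0\r\n" + line[:72] + b"\r\n " + line[72:] + b"\r\n\r\n"
    return {"META-INF/DEP.SF": sf, "META-INF/DEP.RSA": b"placeholder"}

DEP_MF = b"Manifest-Version: 1.0\r\nCreated-By: constructed-dependency\r\n\r\n"
FAT_MF = b"Manifest-Version: 1.0\r\nImplementation-Title: custom-gradle-plugin\r\n\r\n"

if __name__ == "__main__":
    print(audit_jar(make_jar(DEP_MF, signed_entries(DEP_MF))))  # dependency as shipped
    print(audit_jar(make_jar(FAT_MF, signed_entries(DEP_MF))))  # fat jar, files kept
```

A `stale` result means the `.SF` file describes another jar's manifest, which is the mismatch the JVM rejects; once the signature entries are excluded, the report is empty and the fat jar is treated as unsigned.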