JAR checksum of Maven artifact doesn't match GitHub release
We noticed this while updating our local Java environment. Is there a specific reason for this? Previously this was never an issue and paranoid minds would think of manipulation here.
```
$ curl -O https://repo1.maven.org/maven2/com/datadoghq/dd-java-agent/1.31.2/dd-java-agent-1.31.2.jar
$ sha256sum dd-java-agent-1.31.2.jar
eb4e093aefb2d554b950ecdc9043f198f706b6ca899fce9454e2ee4f8142539d dd-java-agent-1.31.2.jar
$ curl -LO https://github.com/DataDog/dd-trace-java/releases/download/v1.31.2/dd-java-agent-1.31.2.jar
$ sha256sum dd-java-agent-1.31.2.jar
e640c478cd3cd9c371d1a5ccfe95b77050fc892230e3f4146b3dbb2d7922f807 dd-java-agent-1.31.2.jar
```
This is probably related to https://github.com/DataDog/dd-trace-java/pull/6651. I believe the Sonatype release process itself rebuilds the jar, which leads to the difference.
I'll investigate on Monday.
Hey @randomanderson, any results from your investigation?
@der-eismann That PR highlighted a much bigger issue. Different jobs are rebuilding the jar instead of reusing previously built artifacts. That includes more than just Maven vs GitHub release artifacts. For example, Kubernetes lib injection images, CircleCI, etc. all have different checksums.
I'm currently working on a larger fix for all of it.
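An added example, not part of the original thread or the project's tooling: when two copies of the same release hash differently, comparing them entry by entry shows whether any packaged file actually changed or only archive metadata did. It assumes entry timestamps are one thing a rebuild changes (the thread does not say which bytes differed), and the sample JARs are constructed in memory rather than being the real agent artifacts.

```python
import hashlib
import io
import zipfile


def entry_digests(jar_bytes):
    """Map each entry name to (sha256 of uncompressed content, zip timestamp)."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                out[info.filename] = (hashlib.sha256(zf.read(info)).hexdigest(), info.date_time)
    return out


def compare_jars(a_bytes, b_bytes):
    """Classify why two JARs hash differently: entry content vs. archive metadata."""
    a, b = entry_digests(a_bytes), entry_digests(b_bytes)
    shared = a.keys() & b.keys()
    return {
        "same_file_hash": hashlib.sha256(a_bytes).digest() == hashlib.sha256(b_bytes).digest(),
        "only_in_a": sorted(a.keys() - b.keys()),
        "only_in_b": sorted(b.keys() - a.keys()),
        "content_differs": sorted(n for n in shared if a[n][0] != b[n][0]),
        "timestamp_only": sorted(n for n in shared if a[n][0] == b[n][0] and a[n][1] != b[n][1]),
    }


def build_sample_jar(entries, when):
    """Constructed sample: build a small JAR in memory with a fixed entry timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=when), data)
    return buf.getvalue()


# Constructed inputs standing in for separate builds of one release.
CLASSES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "agent/Main.class": b"\xca\xfe\xba\xbe demo"}
BUILD_1 = build_sample_jar(CLASSES, (2024, 3, 1, 10, 0, 0))
BUILD_2 = build_sample_jar(CLASSES, (2024, 3, 1, 10, 7, 30))  # same inputs, rebuilt later
BUILD_3 = build_sample_jar({**CLASSES, "agent/Main.class": b"\xca\xfe\xba\xbe other"}, (2024, 3, 1, 10, 0, 0))

if __name__ == "__main__":
    print(compare_jars(BUILD_1, BUILD_2))  # entries identical, only timestamps differ
    print(compare_jars(BUILD_1, BUILD_3))  # a packaged file really changed
```

An empty `content_differs` with a non-empty `timestamp_only` points to a non-reproducible rebuild; any name in `content_differs`, `only_in_a` or `only_in_b` needs a closer look before the artifact is trusted.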
This PR #6939 from @randomanderson should address the issue.
#7148 aligns the checksums.
:robot: This issue has been addressed in the latest release. See full details in the Release Notes.