From 1dab82a4993e644f7d63be4a6d7f16e9c58dd8f2 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 14:31:59 +0100
Subject: [PATCH 1/6] introduce for each maven dependency a version property

---
 pom.xml | 30 ++++++++++++++++++++----------
 1 file changed, 20 insertions(+), 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index 652f1c9..9d9947d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -31,9 +31,19 @@
 		<jmh.version>1.37</jmh.version>
 
 		<!-- build plugin dependencies -->
+		<central-publishing.version>0.10.0</central-publishing.version>
 		<dependency-check.version>12.1.9</dependency-check.version>
+		<exec-maven.version>3.6.2</exec-maven.version>
 		<jacoco.version>0.8.14</jacoco.version>
-		<central-publishing.version>0.7.0</central-publishing.version>
+		<mvn-compiler.version>3.14.1</mvn-compiler.version>
+		<mvn-enforcer.version>3.6.2</mvn-enforcer.version>
+		<mvn-javadoc.version>3.12.0</mvn-javadoc.version>
+		<mvn-jar.version>3.5.0</mvn-jar.version>
+		<mvn-gpg.version>3.2.8</mvn-gpg.version>
+		<mvn-resources.version>3.3.1</mvn-resources.version>
+		<mvn-shade.version>3.6.1</mvn-shade.version>
+		<mvn-source.version>3.4.0</mvn-source.version>
+		<mvn-surefire.version>3.5.4</mvn-surefire.version>
 
 		<!-- Property used by surefire to determine jacoco engine -->
 		<surefire.jacoco.args />
@@ -134,7 +144,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-enforcer-plugin</artifactId>
-				<version>3.6.2</version>
+				<version>${mvn-enforcer.version}</version>
 				<executions>
 					<execution>
 						<id>enforce-java</id>
@@ -154,7 +164,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-compiler-plugin</artifactId>
-				<version>3.14.1</version>
+				<version>${mvn-compiler.version}</version>
 				<configuration>
 					<encoding>UTF-8</encoding>
 					<showWarnings>true</showWarnings>
@@ -192,7 +202,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-shade-plugin</artifactId>
-				<version>3.6.1</version>
+				<version>${mvn-shade.version}</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -230,7 +240,7 @@
 			<plugin>
 				<groupId>org.codehaus.mojo</groupId>
 				<artifactId>exec-maven-plugin</artifactId>
-				<version>3.6.2</version>
+				<version>${exec-maven.version}</version>
 				<executions>
 					<execution>
 						<phase>package</phase>
@@ -254,7 +264,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-surefire-plugin</artifactId>
-				<version>3.5.4</version>
+				<version>${mvn-surefire.version}</version>
 				<configuration>
 					<argLine>@{surefire.jacoco.args} -Dnet.bytebuddy.experimental=true</argLine>
 				</configuration>
@@ -262,7 +272,7 @@
 			<plugin>
 				<groupId>org.apache.maven.plugins</groupId>
 				<artifactId>maven-jar-plugin</artifactId>
-				<version>3.5.0</version>
+				<version>${mvn-jar.version}</version>
 				<configuration>
 					<archive>
 						<manifestEntries>
@@ -274,7 +284,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-source-plugin</artifactId>
-				<version>3.4.0</version>
+				<version>${mvn-source.version}</version>
 				<executions>
 					<execution>
 						<id>attach-sources</id>
@@ -286,7 +296,7 @@
 			</plugin>
 			<plugin>
 				<artifactId>maven-javadoc-plugin</artifactId>
-				<version>3.12.0</version>
+				<version>${mvn-javadoc.version}</version>
 				<executions>
 					<execution>
 						<id>attach-javadocs</id>
@@ -394,7 +404,7 @@
 				<plugins>
 					<plugin>
 						<artifactId>maven-gpg-plugin</artifactId>
-						<version>3.2.8</version>
+						<version>${mvn-gpg.version}</version>
 						<executions>
 							<execution>
 								<id>sign-artifacts</id>

From be4aafd37f2cc579bd398434e12e45840c853b76 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 14:34:10 +0100
Subject: [PATCH 2/6] add project timestamp property

---
 pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pom.xml b/pom.xml
index 9d9947d..1eb6aa0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -16,6 +16,7 @@
 	<properties>
 		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 		<maven.compiler.release>8</maven.compiler.release>
+		<project.build.outputTimestamp>2026-01-28T08:00:00Z</project.build.outputTimestamp>
 
 		<!-- dependencies -->
 		<gson.version>2.12.1</gson.version>

From 81a4d824ef3d55bb34650b96579176efb9ea9d7d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 15:54:06 +0100
Subject: [PATCH 3/6] pin version for plugins used in mavens built-in lifecycle

---
 pom.xml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pom.xml b/pom.xml
index 1eb6aa0..9a62a48 100644
--- a/pom.xml
+++ b/pom.xml
@@ -37,7 +37,10 @@
 		<exec-maven.version>3.6.2</exec-maven.version>
 		<jacoco.version>0.8.14</jacoco.version>
 		<mvn-compiler.version>3.14.1</mvn-compiler.version>
+		<mvn-clean.version>3.5.0</mvn-clean.version>
+		<mvn-deploy.version>3.1.4</mvn-deploy.version>
 		<mvn-enforcer.version>3.6.2</mvn-enforcer.version>
+		<mvn-install.version>3.1.4</mvn-install.version>
 		<mvn-javadoc.version>3.12.0</mvn-javadoc.version>
 		<mvn-jar.version>3.5.0</mvn-jar.version>
 		<mvn-gpg.version>3.2.8</mvn-gpg.version>
@@ -336,6 +339,23 @@
 					</tags>
 				</configuration>
 			</plugin>
+
+			<!-- for reproducible builds, fix version for plugins bound in built-in jar lifecycle -->
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-clean-plugin</artifactId>
+				<version>${mvn-clean.version}</version>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-install-plugin</artifactId>
+				<version>${mvn-install.version}</version>
+			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-deploy-plugin</artifactId>
+				<version>${mvn-deploy.version}</version>
+			</plugin>
 		</plugins>
 	</build>
 

From 5fd8f32c600f4c875ee270d9b0cf1a1a51161feb Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 16:41:51 +0100
Subject: [PATCH 4/6] keep timestamp when creating multi-release jar

---
 pom.xml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pom.xml b/pom.xml
index 9a62a48..c2f45b4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -257,6 +257,7 @@
 							<arguments>
 								<argument>--verbose</argument>
 								<argument>--update</argument>
+								<argument>--date=${project.build.outputTimestamp}</argument>
 								<argument>--file=${project.build.directory}/${project.build.finalName}.jar</argument>
 								<argument>META-INF/versions/9/module-info.class</argument>
 								<argument>META-INF/versions/22/module-info.class</argument>

From a2b76a29decf65ba6f136628220fc33ca662fc37 Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 17:06:43 +0100
Subject: [PATCH 5/6] pin version of maven resources plugin

---
 pom.xml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pom.xml b/pom.xml
index c2f45b4..666c26f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -357,6 +357,11 @@
 				<artifactId>maven-deploy-plugin</artifactId>
 				<version>${mvn-deploy.version}</version>
 			</plugin>
+			<plugin>
+				<groupId>org.apache.maven.plugins</groupId>
+				<artifactId>maven-resources-plugin</artifactId>
+				<version>${mvn-resources.version}</version>
+			</plugin>
 		</plugins>
 	</build>
 

From db5e46ba9c6fbf880531a6b53fc5693bf71f203d Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Wed, 28 Jan 2026 17:17:48 +0100
Subject: [PATCH 6/6] [skip ci] update changelog

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4db04e7..5f1c17c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,7 @@ Changes to prior versions can be found on the [Github release page](https://gith
 ### Added
 - Changelog file
 - Maven wrapper script ([#103](https://github.com/cryptomator/cryptolib/pull/103))
+- Locally reproducible builds ([#106](https://github.com/cryptomator/cryptolib/pull/106))
 
 ### Changed
 - Pin CI actions
\ No newline at end of file