What's inside that Gradle zip?
Posted on 2022-09-06

Gradle makes it quite easy to start a new project with a Gradle wrapper and the gradle-wrapper.properties file that points to a Gradle distribution zip:

distributionUrl=https\://services.gradle.org/distributions/gradle-7.5.1-bin.zip

Most people only ever interact with this part of their build when they bump the Gradle version, but have you ever peeked inside this zip to see what you are downloading?

Screenshot of Gradle zip contents

In Gradle Security Considerations I called out that you likely want to set distributionSha256Sum to make sure you are getting the same zip every time. Gradle is an open-source project, so we can go one step further and validate that the zip is reproducible. To do that, follow these steps:

  1. Clone the Gradle git repository.
  2. Check out the release tag for the version we care about (in this case 7.5.1).
  3. Set your JAVA_HOME to a JDK 11 distribution (in my case Zulu 11.0.13).
  4. Run ./gradlew :distributions-full:binDistributionZip -PfinalRelease
  5. Compare the zip published by Gradle with subprojects/distributions-full/build/distributions/gradle-7.5.1-bin.zip

When doing the comparison I found that everything inside was identical except for two jars: lib/fastutil-8.5.2.min.jar and lib/gradle-base-services-7.5.1.jar. The fastutil difference is due to the Minify transform keeping entry timestamps. The gradle-base-services difference is due to the org/gradle/build-receipt.properties file, which includes a build timestamp. If both of these issues get fixed, future versions of Gradle should produce identical zips when comparing the binary published by Gradle with a local build of the release commit.
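As an added illustration of the comparison in step 5 (this is example code, not from the post or from the Gradle project), the Python below compares two distribution zips entry by entry and descends into the bundled jars, so a single differing file such as org/gradle/build-receipt.properties is named directly, while a jar whose bytes differ only because of entry timestamps (the fastutil case) is flagged as a metadata-only difference. The two sample zips are constructed stand-ins with made-up contents, not real Gradle artifacts.

```python
import hashlib
import io
import zipfile

def make_zip(entries, stamp=(2022, 1, 1, 0, 0, 0)):
    """Build a zip in memory from {name: bytes}; every entry gets the given timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

def entry_digests(data, descend=True):
    """Map entry name -> SHA-256 of its content; jars in the distribution are also
    expanded as 'lib/x.jar!/inner/path' so a single differing file can be named."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            digests[info.filename] = hashlib.sha256(content).hexdigest()
            if descend and info.filename.endswith(".jar"):
                for inner, digest in entry_digests(content, descend=False).items():
                    digests[f"{info.filename}!/{inner}"] = digest
    return digests

def compare_distributions(published, local):
    """List entries that differ between two distribution zips. A jar whose bytes differ
    while every file inside hashes the same is flagged as metadata-only (e.g. timestamps)."""
    a, b = entry_digests(published), entry_digests(local)
    changed = {n for n in a.keys() | b.keys() if a.get(n) != b.get(n)}
    report = []
    for name in sorted(changed):
        if name.endswith(".jar") and any(c.startswith(name + "!/") for c in changed):
            continue  # the inner entries listed below explain this jar
        report.append(name + (" (metadata only)" if name.endswith(".jar") else ""))
    return report

def sample_pair():
    """Constructed stand-ins for the published zip and a local build (not real Gradle bits)."""
    klass = {"it/unimi/dsi/fastutil/Hash.class": b"\xca\xfe\xba\xbe identical bytes"}
    def dist(jar_stamp, build_ts):
        receipt = {"org/gradle/build-receipt.properties": b"buildTimestamp=" + build_ts}
        return make_zip({
            "gradle-7.5.1/bin/gradle": b"#!/bin/sh\n",
            "gradle-7.5.1/lib/fastutil-8.5.2.min.jar": make_zip(klass, jar_stamp),
            "gradle-7.5.1/lib/gradle-base-services-7.5.1.jar": make_zip(receipt),
        })
    return (dist((2022, 8, 5, 12, 0, 0), b"20220805120000+0000"),
            dist((2022, 9, 6, 9, 30, 0), b"20220906093000+0000"))
```

To run it against real files, read the published zip and the locally built zip as bytes and pass them to compare_distributions.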

Note that this distribution zip contains more than just the 94 jars built from sources in the Gradle GitHub repository. It also has 139 jars that the Gradle build pulls from Maven repositories, and the reproducibility of those is trickier to verify.