Have you ever compiled the same sources twice with Maven and compared the hashes of the generated artifacts? They are not the same! Maven is not able to build an artifact in a truly reproducible (i.e. byte-for-byte) way.
NOTE: Recent versions of the main Maven plugins have been modified to allow reproducible builds without the use of this plugin. See Configuring for Reproducible Builds for more details.
This Maven plugin tries to strip "non reproducible" data from the generated artifacts. It follows the same goals as Debian's Reproducible Builds project but at the modest scale of a Maven project. You can also have a look at my Devoxx France 2016 talk "Bit-for-bit reproducible builds with Maven".
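To make the problem concrete, the following added example (not the plugin's own code) builds the same constructed content into two JAR-like ZIP archives, shows that their hashes differ, and then normalises them until the hashes match. It assumes entry timestamps and entry order as the sources of difference, which this page does not enumerate; the function names and sample contents are hypothetical.

```python
import hashlib
import io
import zipfile

# Constructed sample content standing in for a manifest and a compiled class.
FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed bytes",
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format can store


def build_jar(files, order, mtime):
    """Simulate one build: entry order and timestamps vary between runs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), files[name])
    return buf.getvalue()


def strip_jar(jar_bytes):
    """Rewrite an archive with sorted entries and one fixed timestamp."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            dst.writestr(info, src.read(name))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """Return (raw hashes equal, stripped hashes equal) for two builds."""
    names = list(FILES)
    first = build_jar(FILES, names, (2024, 1, 1, 10, 0, 0))
    second = build_jar(FILES, names[::-1], (2024, 1, 1, 10, 5, 0))
    return (sha256(first) == sha256(second),
            sha256(strip_jar(first)) == sha256(strip_jar(second)))


if __name__ == "__main__":
    raw_equal, stripped_equal = demo()
    print("raw builds identical:     ", raw_equal)
    print("stripped builds identical:", stripped_equal)
```

Comparing hashes of the normalised archives is what lets a third party confirm that a published artifact really corresponds to the published sources.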
Using this plugin is a no-brainer: simply add it to your pom and it will try to "automagically" make the build byte-for-byte reproducible.
NOTE: This plugin requires Java 8 or later.
There are several goals:
NOTE: As of version 0.5, the "strip-jar" goal also processes TAR/TAR.GZ/TAR.BZ2 files.
If you find other interesting sources of "non reproducible" data that this plugin could remove, please open a ticket in the bug tracker or send a pull request.
Please note that you must use the same compiler (and possibly Maven) version to get the same results. You can use the maven-enforcer-plugin for that, or use a tool like moot to download and use the JDK and Maven versions required for the build.