I want to generate a reproducible checksum for my output files (e.g. *.jar) so that other developers or testers can notice when there are any changes. From the reproducible builds website https://reproducible-builds.org/docs/jvm/, I can now generate a checksum in a .buildinfo file with `mvn artifact:buildinfo`.
However, online I found very few resources or examples related to this. I am unsure whether it is a good way to do so or whether there are any best practices related to that. I would be grateful if anyone could give me some suggestions or references. Thanks!
Your use case sounds like you need a signed jar. A signed jar consists of a normal jar file, but for each contained file a digest (checksum) is generated and placed in the manifest.
This alone would not help to figure out whether the jar has been tampered with, since an attacker could not only change the files but also deliver the matching digests. Therefore the manifest also contains a digital signature that identifies that the file came from you only. This way users of the file can easily verify that the jar is the way you intended it to be.
See https://docs.oracle.com/javase/tutorial/deployment/jar/signindex.html
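As an added illustration (Python, not code from the question or the answer above, and not a replacement for jarsigner), the block below builds a constructed two-file jar whose MANIFEST.MF carries a SHA-256 digest per entry, then recomputes the digests and flags an entry that was altered after signing-time. It demonstrates only the per-entry digest check the answer describes; the signature that binds those digests to the publisher is not reproduced here, which is exactly why a digest-only check is insufficient against an attacker who rewrites the manifest too.

```python
import base64
import hashlib
import io
import zipfile

def parse_manifest(text: str) -> dict:
    """Return {entry_name: {header: value}} for the per-file manifest sections.
    Manifest lines over 72 bytes are wrapped with a leading-space continuation."""
    joined = text.replace("\r\n", "\n").replace("\n ", "")
    entries = {}
    for section in joined.split("\n\n"):
        headers = dict(line.split(": ", 1) for line in section.splitlines() if ": " in line)
        if "Name" in headers:
            entries[headers["Name"]] = headers
    return entries

def sha256_b64(data: bytes) -> str:
    """Digest encoding used in MANIFEST.MF: base64 of the raw SHA-256 bytes."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def verify_manifest_digests(jar_bytes: bytes) -> dict:
    """Recompute each named entry's SHA-256 and compare with the manifest value.
    Returns {entry_name: bool}; False means the content no longer matches."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
        return {name: headers.get("SHA-256-Digest") == sha256_b64(zf.read(name))
                for name, headers in parse_manifest(manifest).items()}

def build_sample_jar(tamper: bool = False) -> bytes:
    """Constructed input: a two-entry jar whose manifest carries digests of the
    original contents; with tamper=True one entry is altered after digesting."""
    files = {"com/example/App.class": b"\xca\xfe\xba\xbe original bytes",
             "config.properties": b"debug=false\n"}
    manifest = "Manifest-Version: 1.0\n\n"
    for name, data in files.items():
        manifest += f"Name: {name}\nSHA-256-Digest: {sha256_b64(data)}\n\n"
    if tamper:  # simulate a post-build modification the digest should reveal
        files["config.properties"] = b"debug=true\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    print(verify_manifest_digests(build_sample_jar()))             # all True
    print(verify_manifest_digests(build_sample_jar(tamper=True)))  # config.properties False
```

On a real signed jar, `jarsigner -verify -verbose -certs your.jar` performs this digest check and additionally validates the signature block and signer certificate.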