Recent versions of Gradle deploy sha256 and sha512 checksum files by default into Maven layout repositories. This is done for both artifacts and maven-metadata.xml files. Note that you will need to set the repository layout to "permissive" in order to be able to deploy these files using Gradle, they will be blocked otherwise.
If you run a "repair - rebuild maven metadata" task against a repository that contains these checksums the sha256 and sha512 files are left in place for maven-metadata.xml files, even though the file itself has changed. This will result in a checksum warning/error in a subsequent Gradle build.
Also note that Maven is now capable of consuming these files:
So this isn't just a Gradle problem.
Expected: We should rebuild these files when rebuilding metadata.