diff --git a/gradle/build.gradle b/gradle/build.gradle
index 4adb4af10..ec8f25e54 100644
--- a/gradle/build.gradle
+++ b/gradle/build.gradle
@@ -44,8 +44,13 @@ subprojects {
     mavenCentral()
   }
 
+  def services = [':services:default',
+                  ':services:backend',
+                  ':services:tools',
+                  ':services:pubapi']
+
   // Set up all of the deployment projects.
-  if (project.name in ['default', 'backend', 'tools', 'pubapi']) {
+  if (services.contains(project.path)) {
 
     apply plugin: 'war'
 
diff --git a/gradle/core/build.gradle b/gradle/core/build.gradle
index 19c226b8d..585b40a04 100644
--- a/gradle/core/build.gradle
+++ b/gradle/core/build.gradle
@@ -444,3 +444,24 @@ test {
   maxParallelForks 5
 }.dependsOn(fragileTest, outcastTest)
 
+task nomulus(type: Jar) {
+  manifest {
+    attributes 'Main-Class': 'google.registry.tools.RegistryTool'
+  }
+  zip64 = true
+  baseName = 'nomulus'
+  version = null
+  from {
+    configurations.runtimeClasspath.collect {
+      it.isDirectory() ? it : zipTree(it)
+    }
+  }
+  // Excludes signature files that accompany some dependency jars, like
+  // bonuncycastle. It they are present, only classes from those signed jars are
+  // made available to the class loader.
+  // see https://discuss.gradle.org/t/signing-a-custom-gradle-plugin-thats-downloaded-by-the-build-system-from-github/1365
+  exclude "META-INF/*.SF", "META-INF/*.DSA", "META-INF/*.RSA"
+  with jar
+  dependsOn project(':third_party').jar
+}
+