CPack RPM may not be the culprit here.
CPack RPM uses the rpmbuild command to build the RPM; rpmbuild may do some “jar repacking”, which implies the checksum change.
See e.g.:
https://bugzilla.redhat.com/show_bug.cgi?id=219731
You can try to disable this by adding:
set(CPACK_RPM_SPEC_MORE_DEFINE "%define __jar_repack %{nil}")
to your CMakeLists.txt.
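
To tell a repacked jar from one whose contents actually changed, compare per-entry digests instead of the digest of the whole archive. The sketch below is an added example, not part of the original post or of CPack/rpmbuild; the sample entries are constructed, and the repack is simulated by rewriting the same entries with a different timestamp, which is an assumption about what a repack alters.

```python
import hashlib
import io
import zipfile

# Constructed sample jar contents (name -> bytes); not taken from any real package.
SAMPLE = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 32,
}

def build_jar(entries, date_time):
    """Write entries into an in-memory jar, stamping each with date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()

def repack(jar_bytes, date_time):
    """Simulated repack: same entry data, re-zipped in sorted order with new timestamps."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = {name: jar.read(name) for name in sorted(jar.namelist())}
    return build_jar(entries, date_time)

def archive_digest(jar_bytes):
    """SHA-256 over the raw archive bytes (what a file checksum measures)."""
    return hashlib.sha256(jar_bytes).hexdigest()

def entry_digests(jar_bytes):
    """SHA-256 of each entry's uncompressed data, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {n: hashlib.sha256(jar.read(n)).hexdigest() for n in jar.namelist()}

def compare(original, packaged):
    """Return 'identical', 'repacked' (same contents, different bytes) or 'modified'."""
    if archive_digest(original) == archive_digest(packaged):
        return "identical"
    if entry_digests(original) == entry_digests(packaged):
        return "repacked"
    return "modified"

if __name__ == "__main__":
    built = build_jar(SAMPLE, (2020, 1, 1, 0, 0, 0))
    shipped = repack(built, (2024, 6, 1, 12, 0, 0))
    print(compare(built, shipped))
```

A result of 'repacked' means only the archive container changed; 'modified' means at least one entry's data differs and should be investigated.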