[ 
http://jira.codehaus.org/browse/MREPOSITORY-25?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=234304#action_234304
 ] 

Juven Xu commented on MREPOSITORY-25:
-------------------------------------

Yes, people can first build all the stuff and install it into the local 
repository:
{noformat}
$ mvn clean source:jar javadoc:jar package gpg:sign install:install -Dgpg.passphrase=xx
{noformat}
Then cd to another directory which does not have any pom.xml, and pack the bundle:
{noformat}
$ mvn repository:bundle-pack

[INFO] --- maven-repository-plugin:2.3.1:bundle-pack (default-cli) @ standalone-pom ---
[INFO] groupId? 
org.sonatype
[INFO] artifactId? 
bundle
[INFO] version? 
1.0-SNAPSHOT
{noformat}

Note that you have to manually specify the GAV of your project; that's how 
repository:bundle-pack works.

I tried the cmd in our doc in a test project; the signature is correct even 
though the jar was recreated. I agree it's a problem anyway, but the _correct_ 
solution above is still a problem IMO; specifying the GAV manually seems 
needless in this situation.

So, if maven-repository-plugin can provide a goal to only pack artifacts from 
the project target, that would be best.

> bundle-create creates jar making a preceding gpg:sign step invalid
> ------------------------------------------------------------------
>
>                 Key: MREPOSITORY-25
>                 URL: http://jira.codehaus.org/browse/MREPOSITORY-25
>             Project: Maven 2.x Repository Plugin
>          Issue Type: Bug
>    Affects Versions: 2.3.1
>         Environment: Ubuntu 10.4, Sun Java 1.6.0_20, Maven 2.2.1
>            Reporter: Anthony Whitford
>
> Despite following instructions found here:
>     
> https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+Maven+Central
> I ran into a problem uploading the bundle to Sonatype's Staging area.  
> Specifically, I received an *Invalid Signature* error for the main jar 
> artifact.
> Sure enough, I ran the following:  {noformat}gpg --verify foo.jar.asc{noformat}
> and it confirmed that the signature was "BAD."
> Upon further investigation, it would seem that the problem is that the 
> repository:bundle-create goal is recreating the jar file, so the command:
> {noformat}mvn source:jar javadoc:jar package gpg:sign repository:bundle-create -Dgpg.passphrase=xx{noformat}
> seems to be creating the jar, signing it, and then creating the jar again -- 
> resulting in an invalid gpg signature for the jar.
> Note that my pom does not include a gpg signing step -- that is why it is 
> part of the command line.  My guess is that configuring the maven-gpg-plugin 
> in the project pom may make this work -- but I did not have the luxury of 
> being able to do that this time.
> The bundle-create goal needs to not recreate the jar file -- just make the 
> bundle.  Or clarify the documentation.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
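
A pre-upload check for the failure discussed in this issue, as an added example that is not part of the original message or of any Maven plugin: it flags artifacts that were rewritten after their detached .asc signature was made and, when VERIFY_GPG=1 is set, also runs gpg --verify on each pair. The function name check_signed_artifacts and the VERIFY_GPG variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the JIRA thread). Checks a directory that holds
# artifacts next to their detached signatures, e.g. foo.jar and foo.jar.asc.
# check_signed_artifacts and VERIFY_GPG are hypothetical names.

# Prints one line per problem; returns 0 only if every signature is usable.
check_signed_artifacts() {
    dir=$1
    problems=0
    for asc in "$dir"/*.asc; do
        # An unmatched glob stays literal: nothing was signed at all.
        [ -e "$asc" ] || { echo "NO-SIGNATURES $dir"; return 1; }
        artifact=${asc%.asc}
        if [ ! -f "$artifact" ]; then
            echo "MISSING $artifact"
            problems=$((problems + 1))
        elif [ "$artifact" -nt "$asc" ]; then
            # The artifact was written again after it was signed (jar built,
            # signed, then rebuilt), so the signature is unlikely to match.
            echo "STALE $artifact"
            problems=$((problems + 1))
        elif [ "${VERIFY_GPG:-0}" = 1 ] &&
             ! gpg --verify "$asc" "$artifact" >/dev/null 2>&1; then
            # Cryptographic check; needs gpg and the signer's public key.
            echo "BAD $artifact"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}
```

The modification-time comparison is only a heuristic that works without a keyring; the gpg --verify pass is the authoritative check and should be run on the files exactly as they will be uploaded.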
