Re: Signing when staging with Maven Artifact Resolver Ant Task

2023-03-07 Thread Sebastiano Vigna


> On 7 Mar 2023, at 18:46, Tamás Cservenák  wrote:
> 
> Yup,
> 
> invoke gpg with "--armor --detach-sign", this is what maven plugin does:
> https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L136-L138

OMG thank you so much, that was the missing piece.

Ciao,

 seba


-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org



Re: Signing when staging with Maven Artifact Resolver Ant Task

2023-03-07 Thread Tamás Cservenák
Yup,

your signatures are wrong, they are not detached as it seems but full
payload?

[cstamas@infinity Downloads]$ gpg --verify dsiutils-2.7.3.jar.asc dsiutils-2.7.3.jar
gpg: not a detached signature
[cstamas@infinity Downloads]$ gpg --verify dsiutils-2.7.3.jar.asc
gpg: Signature made 2023. márc. 7., kedd, 19:39:36 CET
gpg:                using RSA key 0CB5871FB7BF3B351614BBF6CA85FFE638D4407A
gpg: Can't check signature: No public key
[cstamas@infinity Downloads]$

invoke gpg with "--armor --detach-sign", this is what maven plugin does:
https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L136-L138

Also, make sure your public key is available from SKS servers, as Sonatype
Nexus will try to fetch it.

HTH
Tamas

On Tue, Mar 7, 2023 at 7:39 PM Sebastiano Vigna 
wrote:

>
>
> > On 7 Mar 2023, at 17:23, Tamás Cservenák  wrote:
> >
> > Howdy
> >
> > Could you just invoke gpg cli (that's what maven gpg plugin does as well)
> > and just add that file as type "jar.asc"?
> >
>
> I tried that. Apart from a lot of manual fiddling (e.g., the new target
> will upload pom.xml, but *not* its signature, etc.) at the end Sonatype
> refuses to validate the signatures. Maybe I have to upload something more,
> but this stuff was set up 20y ago and worked since then like a charm.
> Delving again now in this mess without any migration path is really burning
> me out.
>
> "Failed to validate the pgp signature of
> '/it/unimi/dsi/dsiutils/2.7.3/dsiutils-2.7.3-javadoc.jar', check the logs."
>
> I have looked everywhere in the Sonatype web interface for such logs, with
> no results :(.
>
> Ciao,
>
>  seba
>
>
>
>
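The advice in the reply above (armored, detached signatures, one next to each uploaded file) can be checked locally before staging. This is an added example, not code from the thread or from the Maven project; the function names, the flat staging directory and the skipped checksum suffixes are assumptions.

```shell
#!/usr/bin/env bash
# Added example: pre-upload check of a staging directory (names are hypothetical).

# Classify a .asc file by its ASCII-armor header line (RFC 4880, section 6.2).
asc_kind() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN PGP SIGNATURE-----")      echo detached ;;
        "-----BEGIN PGP MESSAGE-----")        echo full-payload ;;
        "-----BEGIN PGP SIGNED MESSAGE-----") echo clearsigned ;;
        *)                                    echo unknown ;;
    esac
}

# Print one line per problem; return non-zero if any artifact in "$1"
# has no .asc beside it or has a .asc that is not a detached signature.
check_staging_dir() {
    local dir="$1" f kind bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc|*.md5|*.sha1) continue ;; esac
        if [ ! -f "$f.asc" ]; then
            echo "MISSING  ${f##*/}.asc"; bad=1; continue
        fi
        kind=$(asc_kind "$f.asc")
        if [ "$kind" != detached ]; then
            echo "WRONG    ${f##*/}.asc ($kind)"; bad=1
        fi
    done
    return "$bad"
}

# Sign every artifact with the options quoted in the reply, then verify
# each signature against its file (the two-argument form of --verify).
sign_staging_dir() {
    local dir="$1" f
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc|*.md5|*.sha1) continue ;; esac
        gpg --batch --yes --armor --detach-sign --output "$f.asc" "$f" &&
            gpg --verify "$f.asc" "$f" || return 1
    done
}
```

`check_staging_dir` needs no key material, so it can run in CI; `sign_staging_dir` requires a usable secret key in the local keyring.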


Re: Signing when staging with Maven Artifact Resolver Ant Task

2023-03-07 Thread Sebastiano Vigna



> On 7 Mar 2023, at 17:23, Tamás Cservenák  wrote:
> 
> Howdy
> 
> Could you just invoke gpg cli (that's what maven gpg plugin does as well)
> and just add that file as type "jar.asc"?
> 

I tried that. Apart from a lot of manual fiddling (e.g., the new target will 
upload pom.xml, but *not* its signature, etc.) at the end Sonatype refuses to 
validate the signatures. Maybe I have to upload something more, but this stuff 
was set up 20y ago and worked since then like a charm. Delving again now in 
this mess without any migration path is really burning me out.

"Failed to validate the pgp signature of 
'/it/unimi/dsi/dsiutils/2.7.3/dsiutils-2.7.3-javadoc.jar', check the logs."

I have looked everywhere in the Sonatype web interface for such logs, with no 
results :(.

Ciao,

 seba


-
To unsubscribe, e-mail: users-unsubscr...@maven.apache.org
For additional commands, e-mail: users-h...@maven.apache.org



Re: Signing when staging with Maven Artifact Resolver Ant Task

2023-03-07 Thread Tamás Cservenák
Howdy

Could you just invoke gpg cli (that's what maven gpg plugin does as well)
and just add that file as type "jar.asc"?

Hth
Tamas

On Tue, Mar 7, 2023, 18:20 Sebastiano Vigna 
wrote:

> Sorry to repost this, but we're really stuck. Sonatype will probably at
> some point update their updated documentation, but it is not clear when.
>
> > On 15 Feb 2023, at 22:48, Sebastiano Vigna 
> wrote:
> >
> > Maven Ant Tasks has been retired in favor of Maven Artifact Resolver Ant
> Tasks. There is no official migration path and the documentation is, well,
> OK.
> >
> > We used Maven Ant Tasks to stage our jars into Sonatype for publication
> in Maven Central. I've been able to almost completely replicate that
> behavior in Maven Artifact Resolver Ant Tasks, but I haven't been able to
> sign the jars.
> >
> > Does anybody know how this should be performed? Previously, I'd add a
> >
> >  value="org.apache.maven.plugins:maven-gpg-plugin:1.3:sign-and-deploy-file"
> />
> >
> > in the  task. Now I have a  task
> >
> > 
> > 
> >  ="${maven-staging-repository-url}"/>
> > 
> > 
> > 
> > 
> >
> > and it works perfectly, but no signing.
> >
> > Ciao,
> >
> > seba
> >
>
>
>
>


Signing when staging with Maven Artifact Resolver Ant Task

2023-03-07 Thread Sebastiano Vigna
Sorry to repost this, but we're really stuck. Sonatype will probably at some 
point update their updated documentation, but it is not clear when.

> On 15 Feb 2023, at 22:48, Sebastiano Vigna  wrote:
> 
> Maven Ant Tasks has been retired in favor of Maven Artifact Resolver Ant 
> Tasks. There is no official migration path and the documentation is, well, OK.
> 
> We used Maven Ant Tasks to stage our jars into Sonatype for publication in 
> Maven Central. I've been able to almost completely replicate that behavior in 
> Maven Artifact Resolver Ant Tasks, but I haven't been able to sign the jars.
> 
> Does anybody know how this should be performed? Previously, I'd add a
> 
>  value="org.apache.maven.plugins:maven-gpg-plugin:1.3:sign-and-deploy-file" />
> 
> in the  task. Now I have a  task
> 
> 
> 
>  ="${maven-staging-repository-url}"/>
> 
> 
> 
> 
> 
> and it works perfectly, but no signing.
> 
> Ciao,
> 
> seba
> 





Signing when staging with Maven Artifact Resolver Ant Task

2023-02-15 Thread Sebastiano Vigna
Maven Ant Tasks has been retired in favor of Maven Artifact Resolver Ant Tasks. 
There is no official migration path and the documentation is, well, OK.

We used Maven Ant Tasks to stage our jars into Sonatype for publication in 
Maven Central. I've been able to almost completely replicate that behavior in 
Maven Artifact Resolver Ant Tasks, but I haven't been able to sign the jars.

Does anybody know how this should be performed? Previously, I'd add a



in the  task. Now I have a  task









and it works perfectly, but no signing.

Ciao,

 seba

