On 08/06/10 16:52, Bruno Harbulot wrote:


On 08/06/10 15:24, Bruno Harbulot wrote:

I'm trying to follow the procedure for manual upload as described on
this page:
http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/



I've set up my GPG key and it seems to work mostly well, except that the
.asc file produced by this is incorrect:

$ mvn source:jar javadoc:jar package gpg:sign repository:bundle-create
$ cd target
$ gpg --verify ....jar.asc
gpg: Signature made Tue 08 Jun 2010 15:17:32 BST using RSA key ID E39C0477
gpg: BAD signature from "..."


In contrast, if I don't use repository:bundle-create, it works fine:

$ mvn source:jar javadoc:jar package gpg:sign
$ cd target
$ gpg --verify ....jar.asc
gpg: Signature made Tue 08 Jun 2010 15:19:25 BST using RSA key ID E39C0477
gpg: Good signature from "..."


Any idea what I might be doing wrong? I've tried with and without the
explicit plugin settings in the POM file as described on this page, but
this doesn't change the outcome:
http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven/



I've looked a bit further into this problem.
It looks like repository:bundle-create modifies the content of the jar
file it bundles (not the bundle, but the artifact bundled).
The only modification I can see in the jar is the change of timestamp
of this file (and containing directories):
META-INF/maven/<groupId>/<artifactId>/pom.properties
and
META-INF/maven/remote-resources.xml

The actual content is unchanged. However insignificant, these changes
modify the jar file and thus break the signature.

It seems to be due to the fact that repository:bundle-create runs jar:jar
again. Is it possible to tell it to skip it when running
repository:bundle-create?

I've worked around the problem by putting this in the POM:

        <profiles>
            <profile>
                <activation>
                    <property>
                        <name>performRelease</name>
                        <value>true</value>
                    </property>
                </activation>
                <build>
                    <plugins>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-gpg-plugin</artifactId>
                            <executions>
                                <execution>
                                    <phase>package</phase>
                                    <goals>
                                        <goal>sign</goal>
                                    </goals>
                                </execution>
                            </executions>
                        </plugin>
                    </plugins>
                </build>
            </profile>
        </profiles>


Then, I've used this, without gpg:sign:
mvn -DperformRelease=true clean source:jar javadoc:jar install repository:bundle-create


After that, the upload to oss.sonatype.org worked just fine!


Best wishes,

Bruno.
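
The diagnosis in the message above (entries re-stamped, content unchanged, signature still broken) can be checked entry by entry. This is an added example, not part of the original message or of any Maven plugin; the function names, the com.example/demo coordinates and the sample jars are constructed for illustration.

```python
import hashlib
import io
import zipfile

def jar_entries(data):
    """Map entry name -> (SHA-256 of content, stored timestamp) for a jar given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}

def compare_jars(signed, current):
    """Classify differences between the jar that was signed and the jar now on disk."""
    a, b = jar_entries(signed), jar_entries(current)
    report = {"content": [], "timestamp_only": [], "added": [], "removed": []}
    for name in sorted(a.keys() | b.keys()):
        if name not in b:
            report["removed"].append(name)
        elif name not in a:
            report["added"].append(name)
        elif a[name][0] != b[name][0]:
            report["content"].append(name)
        elif a[name][1] != b[name][1]:
            report["timestamp_only"].append(name)
    # A detached signature covers every byte of the file, metadata included.
    report["bytes_identical"] = signed == current
    return report

def build_jar(entries):
    """Build a jar in memory from {name: (payload, timestamp)} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (payload, stamp) in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), payload)
    return buf.getvalue()

# Constructed sample: identical payloads, two metadata entries re-stamped one minute later.
T1, T2 = (2010, 6, 8, 15, 17, 0), (2010, 6, 8, 15, 18, 0)
POM_PROPS = "META-INF/maven/com.example/demo/pom.properties"
RESOURCES = "META-INF/maven/remote-resources.xml"
SIGNED = build_jar({"com/example/Demo.class": (b"\xca\xfe\xba\xbe", T1),
                    POM_PROPS: (b"version=1.0\n", T1), RESOURCES: (b"<remoteResources/>", T1)})
REJARRED = build_jar({"com/example/Demo.class": (b"\xca\xfe\xba\xbe", T1),
                      POM_PROPS: (b"version=1.0\n", T2), RESOURCES: (b"<remoteResources/>", T2)})

if __name__ == "__main__":
    for kind, value in compare_jars(SIGNED, REJARRED).items():
        print(kind, value)
```

An empty "content" list together with bytes_identical being False is the signature-breaking case described above: the jar was rebuilt after signing, so it has to be signed again or not rebuilt.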

