On 08/06/10 16:52, Bruno Harbulot wrote:
On 08/06/10 15:24, Bruno Harbulot wrote:
I'm trying to follow the procedure for manual upload as described on
this page:
http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/
I've set up my GPG key and it seems to work mostly well, except that the
.asc file produced by this is incorrect:
$ mvn source:jar javadoc:jar package gpg:sign repository:bundle-create
$ cd target
$ gpg --verify ....jar.asc
gpg: Signature made Tue 08 Jun 2010 15:17:32 BST using RSA key ID E39C0477
gpg: BAD signature from "..."
In contrast, if I don't use repository:bundle-create, it works fine:
$ mvn source:jar javadoc:jar package gpg:sign
$ cd target
$ gpg --verify ....jar.asc
gpg: Signature made Tue 08 Jun 2010 15:19:25 BST using RSA key ID E39C0477
gpg: Good signature from "..."
Any idea what I might be doing wrong? I've tried with and without the
explicit plugin settings in the POM file as described on this page, but
this doesn't change the outcome:
http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven/
I've looked a bit further into this problem.
It looks like repository:bundle-create modifies the content of the jar
file it bundles (not the bundle, but the artifact bundled).
The only modification I can see in the jar is the change of timestamp
of these files (and containing directories):
META-INF/maven/<groupId>/<artifactId>/pom.properties
and
META-INF/maven/remote-resources.xml
The actual content is unchanged. However insignificant, these changes
modify the jar file and thus break the signature.
It seems to be due to the fact repository:bundle-create runs jar:jar
again. Is it possible to tell it to skip it when running
repository:bundle-create?
I've worked around the problem by putting this in the POM:
<profiles>
  <profile>
    <activation>
      <property>
        <name>performRelease</name>
        <value>true</value>
      </property>
    </activation>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <executions>
            <execution>
              <phase>package</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
Then, I've used this, without gpg:sign:
mvn -DperformRelease=true clean source:jar javadoc:jar install repository:bundle-create
After that, the upload to oss.sonatype.org worked just fine!
Best wishes,
Bruno.
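
The diagnosis in this thread (entry content unchanged, timestamps changed, detached signature no longer valid) can be checked with an entry-by-entry comparison of the signed jar and the re-packaged one. The following is an added example, not part of the original message; the jar contents, the org.example entry names and the timestamps are constructed sample data.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a real artifact.
ENTRIES = {
    "META-INF/maven/org.example/demo/pom.properties": b"version=1.0\n",
    "META-INF/maven/remote-resources.xml": b"<remoteResourcesBundle/>\n",
    "org/example/Demo.class": b"\xca\xfe\xba\xbe constructed bytes",
}
DEFAULT_STAMP = (2010, 6, 8, 15, 17, 32)  # constructed; ZIP stores 2-second resolution


def build_jar(timestamps):
    """Build an in-memory jar; `timestamps` maps entry name -> ZIP date_time tuple."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in ENTRIES.items():
            info = zipfile.ZipInfo(name, date_time=timestamps.get(name, DEFAULT_STAMP))
            zf.writestr(info, data)
    return buf.getvalue()


def entry_view(jar_bytes):
    """Map entry name -> (sha256 of uncompressed content, stored timestamp)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}


def compare_jars(a, b):
    """Separate byte-level file differences from per-entry content differences."""
    va, vb = entry_view(a), entry_view(b)
    names = sorted(set(va) | set(vb))
    content = [n for n in names if va.get(n, (None,))[0] != vb.get(n, (None,))[0]]
    stamps = [n for n in names if n in va and n in vb
              and va[n][0] == vb[n][0] and va[n][1] != vb[n][1]]
    return {
        # A detached .asc signature covers every byte of the jar file,
        # so a differing file digest means the old signature cannot verify.
        "same_file_digest": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "content_changed": content,
        "timestamp_only": stamps,
    }


if __name__ == "__main__":
    later = (2010, 6, 8, 15, 19, 24)  # constructed re-packaging time
    signed = build_jar({})
    rebuilt = build_jar({n: later for n in ENTRIES if n.startswith("META-INF/")})
    print(compare_jars(signed, rebuilt))
```

For real artifacts, read the two jar files as bytes and pass them to compare_jars; an empty content_changed list with a non-empty timestamp_only list matches the situation described above.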