Bugzilla – Bug 924
Automate GPG signing of the Maven bundle using incantations in pom.xml
Last modified: 2015-03-31 03:14:24 CEST
It appears that the new rules for the Maven Central Repository require generating a GPG signature using the Maven plug-in. This bug is about adding the right incantations into pom.xml.
I think full automation requires using the Maven Release Plugin: http://maven.apache.org/plugins/maven-release-plugin/ but it entails much more than locally creating a signed bundle, notably it automatically updates the version number, tags the SCM and commits, etc. Alternatively, it seems you can invoke the GPG plugin and create the required signed bundle without modifying the POM by invoking: mvn clean source:jar javadoc:jar package gpg:sign repository:bundle-create
Thank you. The incantation in comment 2 appears to work.
This doesn't actually work quite right. After the code signing phase, htmlparser-1.4.jar is rebuilt. The rebuilt jar contains the same files as the jar that was present during signing and is of the same length but has different bytes, so the signature is rendered invalid. The signatures for the other files in the bundle are okay. For the 1.4 release, I corrected this problem manually.
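The failure described in the comment above, reproduced as an added example (not code from this bug or from the htmlparser build): two jars with the same entries and the same length but different bytes, plus a digest check that catches a rebuild between signing and bundling. It assumes the byte difference comes from zip entry timestamps, which the comment does not state; the helper names and sample contents are hypothetical.

```python
import hashlib
import io
import zipfile

def build_jar(files, timestamp):
    """Build an in-memory jar (zip) whose entries all carry `timestamp`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in sorted(files):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, files[name])
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def same_entries(a, b):
    """True if both jars hold the same entry names with identical contents."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    return (za.namelist() == zb.namelist()
            and all(za.read(n) == zb.read(n) for n in za.namelist()))

def record_digests(artifacts):
    """Run right after signing: map artifact name -> SHA-256 of signed bytes."""
    return {name: sha256(data) for name, data in artifacts.items()}

def changed_since_signing(manifest, artifacts):
    """Run just before bundling: names whose bytes no longer match."""
    return sorted(n for n, d in artifacts.items() if manifest.get(n) != sha256(d))

# Constructed sample content and build times, not the real htmlparser classes.
FILES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
         "nu/Example.class": b"\xca\xfe\xba\xbe" + b"\x00" * 64}
signed = build_jar(FILES, (2015, 3, 30, 12, 0, 0))   # jar present at signing
rebuilt = build_jar(FILES, (2015, 3, 30, 12, 0, 8))  # jar rebuilt afterwards

if __name__ == "__main__":
    manifest = record_digests({"htmlparser-1.4.jar": signed})
    print("same entries:", same_entries(signed, rebuilt))
    print("same length:", len(signed) == len(rebuilt))
    print("changed since signing:",
          changed_since_signing(manifest, {"htmlparser-1.4.jar": rebuilt}))
```

In a real build the authoritative check is running gpg --verify on each .asc file against its artifact before uploading the bundle; the digest comparison only pinpoints which file changed after signing.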
Mmmm. Just a thought: have you tried with the approach B from issue #921? It might work better as there is no "forced cleanup" of built files...
Dunno if you've since resolved this, but fwiw I recently added a target to the validator build script that fully automates deployment to Central— https://github.com/validator/validator/blob/master/build/build.py#L833 That uses the "gpg:sign-and-deploy-file" plugin— http://maven.apache.org/plugins/maven-gpg-plugin/sign-and-deploy-file-mojo.html