Bug 924 - Automate GPG signing of the Maven bundle using incantations in pom.xml
Status: REOPENED
Product: Validator.nu
Classification: Unclassified
Component: HTML parser
Version: HEAD
Hardware: All All
Importance: P2 normal
Assigned To: Nobody
Blocks: 923
Reported: 2012-05-24 11:43 CEST by Henri Sivonen
Modified: 2015-03-31 03:14 CEST (History)
Description Henri Sivonen 2012-05-24 11:43:20 CEST

    
Comment 1 Henri Sivonen 2012-05-24 11:47:42 CEST
It appears that the new rules for the Maven Central Repository require generating a GPG signature using the Maven plug-in.

This bug is about adding the right incantations into pom.xml.
Comment 2 Romain Deltour 2012-05-24 23:52:28 CEST
I think full automation requires using the Maven Release Plugin:
http://maven.apache.org/plugins/maven-release-plugin/

but it entails much more than locally creating a signed bundle; notably, it automatically updates the version number, tags the SCM and commits, etc.

Alternatively, it seems you can invoke the GPG plugin and create the required signed bundle without modifying the POM by invoking:

mvn clean source:jar javadoc:jar package gpg:sign repository:bundle-create
Comment 3 Henri Sivonen 2012-06-05 14:39:27 CEST
Thank you. The incantation in comment 2 appears to work.
Comment 4 Henri Sivonen 2012-06-05 15:59:11 CEST
This doesn't actually work quite right. After the code signing phase, htmlparser-1.4.jar is rebuilt. The rebuilt jar contains the same files as the jar that was present during signing and is of the same length but has different bytes, so the signature is rendered invalid. The signatures for the other files in the bundle are okay.

For the 1.4 release, I corrected this problem manually.
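
The failure mode reported in comment 4, as an added example that is not part of the original thread or the project's build: a jar rebuilt from identical inputs can have the same entries and the same length yet different bytes, so a detached signature made over the earlier bytes no longer verifies. The sketch assumes the difference comes from zip entry timestamps (the thread does not say what changed); the class entry name and the .pom artifact are constructed sample data, and a SHA-256 digest stands in for the signed bytes.

```python
import hashlib
import io
import zipfile


def build_jar(entries, timestamp):
    """Build a jar (zip) in memory; every entry gets the given mtime tuple."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, entries[name])
    return buf.getvalue()


def same_contents(jar_a, jar_b):
    """True when both jars hold the same entry names with the same payloads."""
    def listing(raw):
        with zipfile.ZipFile(io.BytesIO(raw)) as jar:
            return {name: jar.read(name) for name in jar.namelist()}
    return listing(jar_a) == listing(jar_b)


def record_digests(artifacts):
    """Run right after signing: artifact name -> SHA-256 of the signed bytes."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in artifacts.items()}


def changed_since_signing(signed_digests, artifacts):
    """Artifacts whose bytes no longer match what was signed (or are missing)."""
    return sorted(
        name for name, digest in signed_digests.items()
        if name not in artifacts
        or hashlib.sha256(artifacts[name]).hexdigest() != digest
    )


# Constructed sample inputs (hypothetical entry names, not the real jar).
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "nu/validator/Example.class": b"\xca\xfe\xba\xbe" + b"\x00" * 64,
}
POM = b"<project/>"
SIGNED_JAR = build_jar(ENTRIES, (2012, 6, 5, 15, 0, 0))    # jar at signing time
REBUILT_JAR = build_jar(ENTRIES, (2012, 6, 5, 15, 0, 30))  # rebuilt afterwards

SIGNED = record_digests({"htmlparser-1.4.jar": SIGNED_JAR, "htmlparser-1.4.pom": POM})
STALE = changed_since_signing(
    SIGNED, {"htmlparser-1.4.jar": REBUILT_JAR, "htmlparser-1.4.pom": POM})

if __name__ == "__main__":
    print("same entries:", same_contents(SIGNED_JAR, REBUILT_JAR))
    print("same length:", len(SIGNED_JAR) == len(REBUILT_JAR))
    print("rebuilt after signing, signature stale:", STALE)
```

Running a check like `changed_since_signing` between the signing step and bundle creation makes the build fail instead of shipping a bundle whose jar signature does not verify.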
Comment 5 Romain Deltour 2012-06-05 16:03:57 CEST
Mmmm. Just a thought: have you tried with the approach B from issue #921? It might work better as there is no "forced cleanup" of built files...
Comment 6 Michael[tm] Smith 2015-03-31 03:14:24 CEST
Dunno if you've since resolved this, but fwiw I recently added a target to the validator build script that fully automates deployment to Central—

https://github.com/validator/validator/blob/master/build/build.py#L833

That uses the "gpg:sign-and-deploy-file" plugin—

http://maven.apache.org/plugins/maven-gpg-plugin/sign-and-deploy-file-mojo.html