This is a very silly question, but I'm having trouble configuring the maven-gpg-plugin in my POM to work properly. Basically I want it to sign artifacts only when I run `mvn deploy`, so as not to ask for my password (to decrypt my private key) when I run a `clean install`. It seems reasonable that anyone who downloads my project on GitHub should be able to run `clean install` even without my private key.

Ok, so I thought of doing this:

<plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
                <execution>
                        <id>sign-artifacts</id>
                        <phase>deploy</phase>
                        <goals>
                                <goal>sign</goal>
                        </goals>
                </execution>
        </executions>
</plugin>

But that doesn't work, as the OSS Sonatype will complain the artifacts are not signed. If I replace the deploy (which should work fine) phase with the install phase, then it signs properly for OSS Sonatype when I run `mvn deploy`, but then it runs even when I run `mvn install` (which I do not wish). What am I missing?

Tunaki
Luan Nico
  • So you want to sign the deployed artifact but not the installed artifact. Why? This is a bit weird to deploy something that you don't install. Not even sure it'd work actually. – Tunaki Apr 24 '16 at 14:05
  • Take a look at this article http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/ – Tunaki Apr 24 '16 at 14:13
  • @Tunaki what I want is to be able to deploy from my computer to maven central with `mvn deploy`, but also let anyone be able to run `mvn clean install` from any computer, even if they don't have my credentials. I see no reason to sign the artifacts when I run an install, only when I run a deploy command. – Luan Nico Apr 24 '16 at 14:17
  • Yes, then your best bet is to use a specific profile for that, as shown in the article I linked you to. – Tunaki Apr 24 '16 at 14:18
  • @Tunaki that's a good idea :) Then I can run something like `mvn deploy -Pdeploy` and not tamper with everybody else's clean installs. – Luan Nico Apr 24 '16 at 14:20

1 Answer

There is no phase called pre-deploy in the Maven lifecycle that would be executed before a deployment. It was proposed in MNG-3869, but this was closed as "Won't Fix", and also mentioned in MNG-4330.

Currently, this is a job for a profile. In the following configuration, the maven-gpg-plugin will only be executed when the deploy profile is activated, for example on the command line with `mvn clean deploy -Pdeploy`.

This way, when you want to deploy, you can activate this profile. But when users run `mvn clean install`, it won't be activated.

<profiles>
  <profile>
    <id>deploy</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <executions>
            <execution>
              <id>sign-artifacts</id>
              <phase>verify</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
Tunaki
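
A way to check the separation the answer describes, as an added example that is not part of the original answer: this script reports where a POM binds the maven-gpg-plugin `sign` goal and whether that binding would also run on `mvn install`. The two sample POMs are constructed, the function names are hypothetical, and profiles are assumed to be inactive unless selected with `-P`.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs (not from the original page), trimmed to the relevant parts.
PLUGIN = """<plugin><artifactId>maven-gpg-plugin</artifactId><executions><execution>
  <id>sign-artifacts</id><phase>{phase}</phase><goals><goal>sign</goal></goals>
</execution></executions></plugin>"""
POM_DEFAULT_BUILD = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><build><plugins>'
                     + PLUGIN.format(phase="install") + "</plugins></build></project>")
POM_PROFILE = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><profiles><profile>'
               "<id>deploy</id><build><plugins>" + PLUGIN.format(phase="verify")
               + "</plugins></build></profile></profiles></project>")


def sign_bindings(pom_xml):
    """Return (scope, phase) for every maven-gpg-plugin 'sign' execution.

    scope is 'default' for the top-level <build> or 'profile:<id>' for a profile.
    """
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM namespace so plain paths match
        el.tag = el.tag.split("}", 1)[-1]
    scopes = [("default", root.find("build"))]
    for prof in root.findall("profiles/profile"):
        scopes.append(("profile:" + prof.findtext("id", ""), prof.find("build")))
    found = []
    for scope, build in scopes:
        if build is None:
            continue
        for plugin in build.findall("plugins/plugin"):
            if plugin.findtext("artifactId", "").strip() != "maven-gpg-plugin":
                continue
            for ex in plugin.findall("executions/execution"):
                goals = [(g.text or "").strip() for g in ex.findall("goals/goal")]
                if "sign" in goals:
                    # gpg:sign binds to verify when no <phase> is given
                    found.append((scope, (ex.findtext("phase") or "verify").strip()))
    return found


def signs_on_install(pom_xml):
    # deploy is the last phase of the default lifecycle, so any other default-lifecycle
    # phase bound in the top-level <build> also runs during `mvn install`.
    return any(s == "default" and p != "deploy" for s, p in sign_bindings(pom_xml))


if __name__ == "__main__":
    for name, pom in (("default build", POM_DEFAULT_BUILD), ("profile", POM_PROFILE)):
        print(name, sign_bindings(pom), "signs on install:", signs_on_install(pom))
```
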