When my team and I have to push a new Maven artifact release to Central, the procedure we use is:

mvn release:clean
mvn release:prepare
mvn release:perform

And everything works fine.

Of course, the pom.xml contains the reference to the maven gpg plugin to seal the jars:

 ...
<build>
<plugins>
  ....
  <plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
      <execution>
        <id>sign-artifacts</id>
        <phase>verify</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
   ....
</plugins>
</build>
....

Or the mvn release:perform fails:

But during development, some of us don't/can't have the gpg.exe program installed or the signature key (only the main dev has the correct one that seals the final jars).

So if we locally run mvn clean install or other commands of that type, the procedure fails and we cannot get a locally modified jar into the .m2 folder while developing.

What is the best practice to do the package signature only when running the command mvn release:perform?

Marco Vasapollo

1 Answer

Releasing and signing the artifact has already been solved. You can use a profile which will activate the sign plugin. More detailed information and the story behind it can be found here: https://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/.

<profiles>
  <profile>
      <id>release-sign-artifacts</id>
      <activation>
        <property>
          <name>performRelease</name>
          <value>true</value>
        </property>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
  </profile>
</profiles>
Ben Asmussen
  • Already tried the solution on that site and it does not work. First of all it's syntactically incorrect because it says: '[WARNING] Some problems were encountered while building the effective settings [WARNING] Unrecognised tag: 'build' (position: START_TAG seen ...\r\n\t\t\t.'. It does not work even if I use -DperformRelease=true on the command line – Marco Vasapollo Jun 23 '19 at 20:32
  • @MarcoVasapollo The `profiles` section as described on the page is OK. It doesn't explain how the profile is activated though. It should be activated using `useReleaseProfile` or `releaseProfiles` configuration properties of deploy plugin, as documented. – Pawel Veselov Aug 10 '20 at 22:32
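
The setup that the answer and the comments above describe, written out as one pom.xml fragment (an added example, not part of the original posts): the signing profile lives in the project's pom.xml and is switched on only for the build that release:perform forks, through the maven-release-plugin `releaseProfiles` parameter. It assumes the maven-gpg-plugin entry is removed from the main `<build>` section shown in the question, and that the release plugin version is managed elsewhere in the project.

```xml
<!-- pom.xml fragment, placed inside <project> (added example).
     A profile that contains <build> must be defined in pom.xml:
     profiles in settings.xml do not accept a <build> element. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-release-plugin</artifactId>
      <!-- version assumed to come from the project's pluginManagement -->
      <configuration>
        <!-- Profiles enabled only in the build forked by release:perform,
             so no -D or -P switch has to be remembered at release time -->
        <releaseProfiles>release-sign-artifacts</releaseProfiles>
      </configuration>
    </plugin>
    <!-- maven-gpg-plugin is intentionally absent from the default build -->
  </plugins>
</build>

<profiles>
  <profile>
    <!-- No <activation> block: the profile is off for every developer build
         and is named explicitly by releaseProfiles above -->
    <id>release-sign-artifacts</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <version>1.6</version>
          <executions>
            <execution>
              <id>sign-artifacts</id>
              <phase>verify</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
```

With this layout a plain `mvn clean install` never invokes gpg, while the release holder can check the signing step before a release with `mvn -Prelease-sign-artifacts verify` on the machine that has the key.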