
I maintain a small Java component published in Maven Central. In order to successfully publish the artifact, pgp/gpg signature files are required for all the artifacts. Following the directions here: https://central.sonatype.org/pages/apache-maven.html#gpg-signed-components, I can add this plugin to my pom.xml like this no problem.

 <build>
   <plugins>
     <plugin>
       <groupId>org.apache.maven.plugins</groupId>
       <artifactId>maven-gpg-plugin</artifactId>
       ...

and I attach it to the verify or install phase. Now, when I run: "mvn install" or "mvn deploy" the .asc files are generated automatically as desired. Note: you also have to have your pgp/gpg machinery installed and configured properly for this to work.

This works OK for me as the artifact maintainer, but if someone else wants to clone my source code, modify it, and then run mvn install, so they can make a locally modified version of the component available to other projects of theirs, they have to have all this pgp/gpg machinery setup properly too, which can be a pain. And they likely don't care about having signature files.

My question is, is there a recommended POM setup, so the component maintainer can generate the .asc signature files when needed for a deployment (e.g., to Maven Central), but normal usage of Maven commands doesn't require signature generation?

I imagine I could use a profile in my pom to handle this. I did figure out a solution, which is pretty simple. Rather than adding the maven-gpg-plugin to my pom, I figured out I can actually just do this:

mvn clean install org.apache.maven.plugins:maven-gpg-plugin:sign deploy

This cleans everything, creates and installs all the artifacts locally, signs all the generated artifacts, and then deploys all the generated artifacts, including the signature files to the deployment target.

This does exactly what I want in 1 line without a pom modification, which is pretty cool. But are there other 'better' ways? Either way, I figured posting this way to do this might be helpful to others.

  • Actually, it turns out the maven command "mvn clean install org.apache.maven.plugins:maven-gpg-plugin:sign deploy" only LOOKS like it works. But if you locally verify the generated signatures (e.g., gpg --verify target/LIBNAME-1.x.y.jar.asc), the signatures are BAD, because the deploy step at the very end regenerates all the artifacts AFTER the .asc files have been created on the versions of the artifacts generated in the install step. So, I'm still looking for a good solution to this. I've seen some tools build a new 'deploy-only' phase that simply deploys what exists. But not Maven (yet?) – Dave Wichers Jun 23 '20 at 21:43
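The failure described in the comment above (an .asc file sitting next to an artifact that was rewritten after signing) is easy to miss because the signature files are present; only gpg --verify shows they no longer match. The following shell script is an added example, not code from the question, its comments or the maven-gpg-plugin project. It assumes the artifacts are *.jar and *.pom files in a directory such as target/, that each detached signature is named artifact-name.asc (the plugin's default naming), and that the gpg binary is on PATH for the final verification step. The first two checks need no gpg at all: they report artifacts with no signature, and artifacts whose modification time is newer than their signature, which is exactly what happens when a later lifecycle step regenerates a jar after it was signed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deploy checks for the detached
# GPG signatures that maven-gpg-plugin writes beside each artifact.
# Assumptions: artifacts are *.jar / *.pom in the given directory, signatures are
# named <artifact>.asc, and gpg is on PATH for verify_signatures.
# Usage (after sourcing this file):  check_target target && mvn deploy

# Print every artifact that has no <artifact>.asc beside it.
missing_signatures() {
  dir=$1
  for f in "$dir"/*.jar "$dir"/*.pom; do
    [ -e "$f" ] || continue
    if [ ! -e "$f.asc" ]; then
      printf '%s\n' "$f"
    fi
  done
  return 0
}

# Print every artifact that is newer than its signature. A signature that predates
# the file it covers means the artifact was rewritten after signing; the .asc
# still exists but can no longer verify.
stale_signatures() {
  dir=$1
  for sig in "$dir"/*.asc; do
    [ -e "$sig" ] || continue
    artifact=${sig%.asc}
    [ -e "$artifact" ] || continue
    if [ "$artifact" -nt "$sig" ]; then
      printf '%s\n' "$artifact"
    fi
  done
  return 0
}

# Authoritative check: run gpg --verify on each signature against its artifact.
# Prints GOOD/BAD per artifact; returns 1 if any signature is bad, 2 if gpg is
# missing, so the result can gate the deploy step.
verify_signatures() {
  dir=$1
  command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; return 2; }
  rc=0
  for sig in "$dir"/*.asc; do
    [ -e "$sig" ] || continue
    artifact=${sig%.asc}
    if gpg --batch --quiet --verify "$sig" "$artifact" >/dev/null 2>&1; then
      printf 'GOOD %s\n' "$artifact"
    else
      printf 'BAD  %s\n' "$artifact"
      rc=1
    fi
  done
  return $rc
}

# Combined gate: non-zero if anything is unsigned, stale, or fails gpg --verify.
check_target() {
  dir=${1:-target}
  status=0
  missing_signatures "$dir" | sed 's/^/UNSIGNED /'
  n=$(missing_signatures "$dir" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || status=1
  stale_signatures "$dir" | sed 's/^/STALE    /'
  n=$(stale_signatures "$dir" | wc -l | tr -d ' ')
  [ "$n" -eq 0 ] || status=1
  verify_signatures "$dir" || status=1
  return $status
}
```

Running check_target against target/ between the sign step and the deploy step (and failing the build on a non-zero return) catches both the "regenerated after signing" case from the comment and a silently skipped signing run, without waiting for Maven Central's own validation to reject the upload.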

2 Answers


maven profile

One way to use maven-gpg-plugin conditionally is to put the configuration of maven-gpg-plugin in a profile.

You can simplify your profile by adding only one property to skip / not skip maven-gpg-plugin.

Your project can look like:

<project ...>

    <properties>
        <gpg.skip>true</gpg.skip><!-- by default skip gpg -->
    </properties>

    <build>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>1.6</version>
                <executions>
                    <!-- bind the sign goal so it runs during the normal lifecycle;
                         gpg.skip decides whether it actually does anything -->
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
                <configuration>
                    <!-- ... -->
                </configuration>
            </plugin>
        </plugins>
    </build>

    <profiles>
        <profile>
            <id>release</id>
            <properties>
                <gpg.skip>false</gpg.skip>
            </properties>
        </profile>
    </profiles>

</project>

another plugin

You can also consider using another plugin for making signatures, e.g. https://www.simplify4u.org/sign-maven-plugin/ sign-maven-plugin, which by default skips execution if the private key does not exist on the running system.

Another feature of sign-maven-plugin is that it doesn't need external software like gpg to make a signature.

Slawomir Jaranowski

gpg.skip property

In my poms I set the gpg.skip property to true:

<properties>
    <gpg.skip>true</gpg.skip>
</properties>

It's evaluated by the maven-gpg-plugin such that signing is skipped by default, e.g.:

mvn install

To enable signing, you can set gpg.skip to false within pom.xml. But better you do it on the command line, so you don't have to modify your pom all the time:

mvn install -Dgpg.skip=false

You can also skip setting the property within the pom and skip signing like this:

mvn install -Dgpg.skip=true

But this way you (and other people working with your project) have to add this all the time to avoid signing. I find it more convenient when signing is turned off by default, as in the first solution. And I guess that's what you want.

rstolle