You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@uima.apache.org by Michael Baessler <mb...@michael-baessler.de> on 2008/03/10 15:06:41 UTC
artifact signing does not work properly
I think your current artifact signing does not work properly when using
the Maven build. I think it should work with the following command line
mvn -DsignArtifacts=true clean assembly:assembly
but it doesn't. For me it seems that the signing only works without
using clean and with having already some artifacts in place. This is
caused by the Maven life cycle. The output below shows that the signing
(checksum) task is called before the artifacts are created.
[INFO] Executed tasks
[INFO] [antrun:run {execution: checksum}]
[INFO] Executing tasks
[INFO] Executed tasks
[INFO] [assembly:assembly]
[INFO] Building tar :
D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
The POM executed the signing during the 'package' phase but
assembly:assembly is executed afterwards. I will try to figure out if we
can do the signing after the artifacts are created.
Insights are welcome :-)
-- Michael
Re: artifact signing does not work properly
Posted by Michael Baessler <mb...@michael-baessler.de>.
Michael Baessler wrote:
> Michael Baessler wrote:
>> Michael Baessler wrote:
>>> I think your current artifact signing does not work properly when using
>>> the Maven build. I think it should work with the following command line
>>> mvn -DsignArtifacts=true clean assembly:assembly
>>>
>>> but it doesn't. For me it seems that the signing only works without
>>> using clean and with having already some artifacts in place. This is
>>> caused by the Maven life cycle. The output below shows that the signing
>>> (checksum) task is called before the artifacts are created.
>>>
>>> [INFO] Executed tasks
>>> [INFO] [antrun:run {execution: checksum}]
>>> [INFO] Executing tasks
>>> [INFO] Executed tasks
>>> [INFO] [assembly:assembly]
>>> [INFO] Building tar :
>>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>>
>>> The POM executed the signing during the 'package' phase but
>>> assembly:assembly is executed afterwards. I will try to figure out if we
>>> can do the signing after the artifacts are created.
>>>
>>> Insights are welcome :-)
>>>
>>> -- Michael
>> So what about doing the following:
>>
>> 1) changing the phase for javadoc and docbook generation from 'package'
>> to 'compile' - this helps us doing these steps before package
>>
>> 2) change the maven-assembly-plugin like:
>> <plugin>
>> <artifactId>maven-assembly-plugin</artifactId>
>> <configuration>
>> <descriptors>
>> <descriptor>src/main/assembly/bin.xml</descriptor>
>> <descriptor>src/main/assembly/src.xml</descriptor>
>> </descriptors>
>> <finalName>uimaj-${uimaj-release-version}</finalName>
>> <tarLongFileMode>gnu</tarLongFileMode>
>> </configuration>
>> <executions>
>> <execution>
>> <id>make-assembly</id>
>> <phase>package</phase>
>> <goals>
>> <goal>attached</goal>
>> </goals>
>> </execution>
>> </executions>
>> </plugin>
>>
>> This executes the assembly step during the package phase.
>>
>> 3) With copying the maven ant-run-plugin at the end of the POM the last
>> step in the build is now the ant-run-plugin checksum task with the
>> execution phase package.
>>
>> To run the assembly build just call
>> mvn clean package
>>
>> This seems to work for me. Any insights, thoughts?
>>
>> -- Michael
> The other solution would be to remove the signing from the Maven build
> and add it to the sign.sh script like
>
> # Create MD5 checksums
> for i in target/${release}*.zip; do md5sum --binary $i > $i.md5; done
> for i in target/${release}*.gz; do md5sum --binary $i > $i.md5; done
> for i in target/${release}*.bz2; do md5sum --binary $i > $i.md5; done
>
> # Create SHA1 checksums
> for i in target/${release}*.zip; do sha1sum --binary $i > $i.sha1; done
> for i in target/${release}*.gz; do sha1sum --binary $i > $i.sha1; done
> for i in target/${release}*.bz2; do sha1sum --binary $i > $i.sha1; done
>
> This is easier, but I have to check if the Maven repository upload
> signing still works.
>
> -- Michael
Maven repository upload still works as expected. So we can go with this
approach.
-- Michael
Re: artifact signing does not work properly
Posted by Michael Baessler <mb...@michael-baessler.de>.
Thilo Goetz wrote:
> Michael Baessler wrote:
>> Michael Baessler wrote:
>>> Michael Baessler wrote:
>>>> I think your current artifact signing does not work properly when using
>>>> the Maven build. I think it should work with the following command line
>>>> mvn -DsignArtifacts=true clean assembly:assembly
>>>>
>>>> but it doesn't. For me it seems that the signing only works without
>>>> using clean and with having already some artifacts in place. This is
>>>> caused by the Maven life cycle. The output below shows that the signing
>>>> (checksum) task is called before the artifacts are created.
>>>>
>>>> [INFO] Executed tasks
>>>> [INFO] [antrun:run {execution: checksum}]
>>>> [INFO] Executing tasks
>>>> [INFO] Executed tasks
>>>> [INFO] [assembly:assembly]
>>>> [INFO] Building tar :
>>>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>>>
>>>>
>>>> The POM executed the signing during the 'package' phase but
>>>> assembly:assembly is executed afterwards. I will try to figure out
>>>> if we
>>>> can do the signing after the artifacts are created.
>>>>
>>>> Insights are welcome :-)
>>>>
>>>> -- Michael
>>> So what about doing the following:
>>>
>>> 1) changing the phase for javadoc and docbook generation from 'package'
>>> to 'compile' - this helps us doing these steps before package
>>>
>>> 2) change the maven-assembly-plugin like:
>>> <plugin>
>>> <artifactId>maven-assembly-plugin</artifactId>
>>> <configuration>
>>> <descriptors>
>>> <descriptor>src/main/assembly/bin.xml</descriptor>
>>> <descriptor>src/main/assembly/src.xml</descriptor>
>>> </descriptors>
>>> <finalName>uimaj-${uimaj-release-version}</finalName>
>>> <tarLongFileMode>gnu</tarLongFileMode>
>>> </configuration>
>>> <executions>
>>> <execution>
>>> <id>make-assembly</id>
>>> <phase>package</phase>
>>> <goals>
>>> <goal>attached</goal>
>>> </goals>
>>> </execution>
>>> </executions>
>>> </plugin>
>>>
>>> This executes the assembly step during the package phase.
>>>
>>> 3) With copying the maven ant-run-plugin at the end of the POM the last
>>> step in the build is now the ant-run-plugin checksum task with the
>>> execution phase package.
>>>
>>> To run the assembly build just call
>>> mvn clean package
>>>
>>> This seems to work for me. Any insights, thoughts?
>>>
>>> -- Michael
>> The other solution would be to remove the signing from the Maven build
>> and add it to the sign.sh script like
>>
>> # Create MD5 checksums
>> for i in target/${release}*.zip; do md5sum --binary $i > $i.md5; done
>> for i in target/${release}*.gz; do md5sum --binary $i > $i.md5; done
>> for i in target/${release}*.bz2; do md5sum --binary $i > $i.md5; done
>>
>> # Create SHA1 checksums
>> for i in target/${release}*.zip; do sha1sum --binary $i > $i.sha1; done
>> for i in target/${release}*.gz; do sha1sum --binary $i > $i.sha1; done
>> for i in target/${release}*.bz2; do sha1sum --binary $i > $i.sha1; done
>>
>> This is easier, but I have to check if the Maven repository upload
>> signing still works.
>>
>> -- Michael
>
> The beauty of the ant approach is that you don't require any external
> programs. If we need to move the checksumming out of the regular
> build, then let's put it in a separate ant build file instead. Although
> I think it would be nice if we could convince maven to do things in
> the right order for us.
>
> --Thilo
>
Currently it seems that we have various ways on how to create checksums
and sign artifacts. I think the best approach would be to do all within
Maven so that we don't have any additional dependencies. I would suggest
to go with the sign.sh approach for now and try to find a better
solution after the release and treat all artifacts in the same way
(including for example the eclipse update site).
-- Michael
Re: artifact signing does not work properly
Posted by Thilo Goetz <tw...@gmx.de>.
Michael Baessler wrote:
> Michael Baessler wrote:
>> Michael Baessler wrote:
>>> I think your current artifact signing does not work properly when using
>>> the Maven build. I think it should work with the following command line
>>> mvn -DsignArtifacts=true clean assembly:assembly
>>>
>>> but it doesn't. For me it seems that the signing only works without
>>> using clean and with having already some artifacts in place. This is
>>> caused by the Maven life cycle. The output below shows that the signing
>>> (checksum) task is called before the artifacts are created.
>>>
>>> [INFO] Executed tasks
>>> [INFO] [antrun:run {execution: checksum}]
>>> [INFO] Executing tasks
>>> [INFO] Executed tasks
>>> [INFO] [assembly:assembly]
>>> [INFO] Building tar :
>>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>>
>>> The POM executed the signing during the 'package' phase but
>>> assembly:assembly is executed afterwards. I will try to figure out if we
>>> can do the signing after the artifacts are created.
>>>
>>> Insights are welcome :-)
>>>
>>> -- Michael
>> So what about doing the following:
>>
>> 1) changing the phase for javadoc and docbook generation from 'package'
>> to 'compile' - this helps us doing these steps before package
>>
>> 2) change the maven-assembly-plugin like:
>> <plugin>
>> <artifactId>maven-assembly-plugin</artifactId>
>> <configuration>
>> <descriptors>
>> <descriptor>src/main/assembly/bin.xml</descriptor>
>> <descriptor>src/main/assembly/src.xml</descriptor>
>> </descriptors>
>> <finalName>uimaj-${uimaj-release-version}</finalName>
>> <tarLongFileMode>gnu</tarLongFileMode>
>> </configuration>
>> <executions>
>> <execution>
>> <id>make-assembly</id>
>> <phase>package</phase>
>> <goals>
>> <goal>attached</goal>
>> </goals>
>> </execution>
>> </executions>
>> </plugin>
>>
>> This executes the assembly step during the package phase.
>>
>> 3) With copying the maven ant-run-plugin at the end of the POM the last
>> step in the build is now the ant-run-plugin checksum task with the
>> execution phase package.
>>
>> To run the assembly build just call
>> mvn clean package
>>
>> This seems to work for me. Any insights, thoughts?
>>
>> -- Michael
> The other solution would be to remove the signing from the Maven build
> and add it to the sign.sh script like
>
> # Create MD5 checksums
> for i in target/${release}*.zip; do md5sum --binary $i > $i.md5; done
> for i in target/${release}*.gz; do md5sum --binary $i > $i.md5; done
> for i in target/${release}*.bz2; do md5sum --binary $i > $i.md5; done
>
> # Create SHA1 checksums
> for i in target/${release}*.zip; do sha1sum --binary $i > $i.sha1; done
> for i in target/${release}*.gz; do sha1sum --binary $i > $i.sha1; done
> for i in target/${release}*.bz2; do sha1sum --binary $i > $i.sha1; done
>
> This is easier, but I have to check if the Maven repository upload
> signing still works.
>
> -- Michael
The beauty of the ant approach is that you don't require any external
programs. If we need to move the checksumming out of the regular
build, then let's put it in a separate ant build file instead. Although
I think it would be nice if we could convince maven to do things in
the right order for us.
--Thilo
Re: artifact signing does not work properly
Posted by Michael Baessler <mb...@michael-baessler.de>.
Michael Baessler wrote:
> Michael Baessler wrote:
>> I think your current artifact signing does not work properly when using
>> the Maven build. I think it should work with the following command line
>> mvn -DsignArtifacts=true clean assembly:assembly
>>
>> but it doesn't. For me it seems that the signing only works without
>> using clean and with having already some artifacts in place. This is
>> caused by the Maven life cycle. The output below shows that the signing
>> (checksum) task is called before the artifacts are created.
>>
>> [INFO] Executed tasks
>> [INFO] [antrun:run {execution: checksum}]
>> [INFO] Executing tasks
>> [INFO] Executed tasks
>> [INFO] [assembly:assembly]
>> [INFO] Building tar :
>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>
>> The POM executed the signing during the 'package' phase but
>> assembly:assembly is executed afterwards. I will try to figure out if we
>> can do the signing after the artifacts are created.
>>
>> Insights are welcome :-)
>>
>> -- Michael
> So what about doing the following:
>
> 1) changing the phase for javadoc and docbook generation from 'package'
> to 'compile' - this helps us doing these steps before package
>
> 2) change the maven-assembly-plugin like:
> <plugin>
> <artifactId>maven-assembly-plugin</artifactId>
> <configuration>
> <descriptors>
> <descriptor>src/main/assembly/bin.xml</descriptor>
> <descriptor>src/main/assembly/src.xml</descriptor>
> </descriptors>
> <finalName>uimaj-${uimaj-release-version}</finalName>
> <tarLongFileMode>gnu</tarLongFileMode>
> </configuration>
> <executions>
> <execution>
> <id>make-assembly</id>
> <phase>package</phase>
> <goals>
> <goal>attached</goal>
> </goals>
> </execution>
> </executions>
> </plugin>
>
> This executes the assembly step during the package phase.
>
> 3) With copying the maven ant-run-plugin at the end of the POM the last
> step in the build is now the ant-run-plugin checksum task with the
> execution phase package.
>
> To run the assembly build just call
> mvn clean package
>
> This seems to work for me. Any insights, thoughts?
>
> -- Michael
The other solution would be to remove the signing from the Maven build
and add it to the sign.sh script like
# Create MD5 checksums
for i in target/${release}*.zip; do md5sum --binary $i > $i.md5; done
for i in target/${release}*.gz; do md5sum --binary $i > $i.md5; done
for i in target/${release}*.bz2; do md5sum --binary $i > $i.md5; done
# Create SHA1 checksums
for i in target/${release}*.zip; do sha1sum --binary $i > $i.sha1; done
for i in target/${release}*.gz; do sha1sum --binary $i > $i.sha1; done
for i in target/${release}*.bz2; do sha1sum --binary $i > $i.sha1; done
This is easier, but I have to check if the Maven repository upload
signing still works.
-- Michael
Re: artifact signing does not work properly
Posted by Michael Baessler <mb...@michael-baessler.de>.
Thilo Goetz wrote:
> Michael Baessler wrote:
>> Michael Baessler wrote:
>>> I think your current artifact signing does not work properly when using
>>> the Maven build. I think it should work with the following command line
>>> mvn -DsignArtifacts=true clean assembly:assembly
>>>
>>> but it doesn't. For me it seems that the signing only works without
>>> using clean and with having already some artifacts in place. This is
>>> caused by the Maven life cycle. The output below shows that the signing
>>> (checksum) task is called before the artifacts are created.
>>>
>>> [INFO] Executed tasks
>>> [INFO] [antrun:run {execution: checksum}]
>>> [INFO] Executing tasks
>>> [INFO] Executed tasks
>>> [INFO] [assembly:assembly]
>>> [INFO] Building tar :
>>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>>
>>>
>>> The POM executed the signing during the 'package' phase but
>>> assembly:assembly is executed afterwards. I will try to figure out if we
>>> can do the signing after the artifacts are created.
>>>
>>> Insights are welcome :-)
>>>
>>> -- Michael
>> So what about doing the following:
>>
>> 1) changing the phase for javadoc and docbook generation from 'package'
>> to 'compile' - this helps us doing these steps before package
>
> If this means that "mvn install" builds the docbooks, then -1. Takes
> long enough as it is.
>
This assembly build is in uimaj-distr not uimaj so it does not affect
the java build.
But as I already posted, I will do it with the signing script.
-- Michael
Re: artifact signing does not work properly
Posted by Thilo Goetz <tw...@gmx.de>.
Michael Baessler wrote:
> Michael Baessler wrote:
>> I think your current artifact signing does not work properly when using
>> the Maven build. I think it should work with the following command line
>> mvn -DsignArtifacts=true clean assembly:assembly
>>
>> but it doesn't. For me it seems that the signing only works without
>> using clean and with having already some artifacts in place. This is
>> caused by the Maven life cycle. The output below shows that the signing
>> (checksum) task is called before the artifacts are created.
>>
>> [INFO] Executed tasks
>> [INFO] [antrun:run {execution: checksum}]
>> [INFO] Executing tasks
>> [INFO] Executed tasks
>> [INFO] [assembly:assembly]
>> [INFO] Building tar :
>> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>>
>> The POM executed the signing during the 'package' phase but
>> assembly:assembly is executed afterwards. I will try to figure out if we
>> can do the signing after the artifacts are created.
>>
>> Insights are welcome :-)
>>
>> -- Michael
> So what about doing the following:
>
> 1) changing the phase for javadoc and docbook generation from 'package'
> to 'compile' - this helps us doing these steps before package
If this means that "mvn install" builds the docbooks, then -1. Takes
long enough as it is.
>
> 2) change the maven-assembly-plugin like:
> <plugin>
> <artifactId>maven-assembly-plugin</artifactId>
> <configuration>
> <descriptors>
> <descriptor>src/main/assembly/bin.xml</descriptor>
> <descriptor>src/main/assembly/src.xml</descriptor>
> </descriptors>
> <finalName>uimaj-${uimaj-release-version}</finalName>
> <tarLongFileMode>gnu</tarLongFileMode>
> </configuration>
> <executions>
> <execution>
> <id>make-assembly</id>
> <phase>package</phase>
> <goals>
> <goal>attached</goal>
> </goals>
> </execution>
> </executions>
> </plugin>
>
> This executes the assembly step during the package phase.
>
> 3) With copying the maven ant-run-plugin at the end of the POM the last
> step in the build is now the ant-run-plugin checksum task with the
> execution phase package.
>
> To run the assembly build just call
> mvn clean package
>
> This seems to work for me. Any insights, thoughts?
>
> -- Michael
Re: artifact signing does not work properly
Posted by Michael Baessler <mb...@michael-baessler.de>.
Michael Baessler wrote:
> I think your current artifact signing does not work properly when using
> the Maven build. I think it should work with the following command line
> mvn -DsignArtifacts=true clean assembly:assembly
>
> but it doesn't. For me it seems that the signing only works without
> using clean and with having already some artifacts in place. This is
> caused by the Maven life cycle. The output below shows that the signing
> (checksum) task is called before the artifacts are created.
>
> [INFO] Executed tasks
> [INFO] [antrun:run {execution: checksum}]
> [INFO] Executing tasks
> [INFO] Executed tasks
> [INFO] [assembly:assembly]
> [INFO] Building tar :
> D:\code\eclipse330\apache\uimaj-distr\target\uimaj-2.2.2-incubating-bin.tar.gz
>
> The POM executed the signing during the 'package' phase but
> assembly:assembly is executed afterwards. I will try to figure out if we
> can do the signing after the artifacts are created.
>
> Insights are welcome :-)
>
> -- Michael
So what about doing the following:
1) changing the phase for javadoc and docbook generation from 'package'
to 'compile' - this helps us doing these steps before package
2) change the maven-assembly-plugin like:
<plugin>
<artifactId>maven-assembly-plugin</artifactId>
<configuration>
<descriptors>
<descriptor>src/main/assembly/bin.xml</descriptor>
<descriptor>src/main/assembly/src.xml</descriptor>
</descriptors>
<finalName>uimaj-${uimaj-release-version}</finalName>
<tarLongFileMode>gnu</tarLongFileMode>
</configuration>
<executions>
<execution>
<id>make-assembly</id>
<phase>package</phase>
<goals>
<goal>attached</goal>
</goals>
</execution>
</executions>
</plugin>
This executes the assembly step during the package phase.
3) With copying the maven ant-run-plugin at the end of the POM the last
step in the build is now the ant-run-plugin checksum task with the
execution phase package.
To run the assembly build just call
mvn clean package
This seems to work for me. Any insights, thoughts?
-- Michael