You are viewing a plain text version of this content. The canonical link for it is here.
Posted to repository@apache.org by Max Berger <ma...@berger.name> on 2008/09/28 21:41:12 UTC
Proper maven call to release artifacts?
Dear Repository maintainers,
What is the proper procedure to release maven artifacts to the
repository with the signatures in place? According to [1] both the pom
and jar must be signed. I currently use mvn gpg:sign-and-deploy-file
which signs the artifact (jar), but not the pom. I've requested an
enhancement [2], but is this the proper way to submit the artifacts?
Is there an easier method?
Thanks
Max
P.S. The process I'm using is described in [3], this may be of general
interest.
[1] http://people.apache.org/~henkp/repo/faq.html
[2] http://jira.codehaus.org/browse/MGPG-12
[3] http://mail-archives.apache.org/mod_mbox/xmlgraphics-general/200806.mbox/%3c14926A6B-CE16-4B37-8F9C-5114C6452AF7@berger.name%3e
Anfang der weitergeleiteten E-Mail:
>> Am 28.09.2008 um 11:40 schrieb Henk Penning:
>>> I keep an eye on the apache Maven repo, and I noticed that :
>>> -- you own 1 unsigned artifact
>>>
>> I have a question: I use
>>
>> mvn gpg:sign-and-deploy-file
>>
>> which signs and deployes the artifact, but not the pom.xml. Do you
>> know if there is a command to do both at the same time or do i have
>> to do this manually?
>
> Please do me a favor and ask this on 'repository@apache.org'
>
>> Max
>
> HPP
Re: Proper maven call to release artifacts?
Posted by Wendy Smoak <ws...@gmail.com>.
Assuming these aren't being built with Maven so that you could use the
Release plugin, the gpg plugin sign-and-deploy bit seems to be the
easiest way.
That feature was originally prompted by Tomcat needing to deploy their
Ant-built jars, though I don't know if they're using it. (Thanks for
opening the enhancement request, the poms do need to be signed and
that must have been missed.)
--
Wendy
On Sun, Sep 28, 2008 at 12:41 PM, Max Berger <ma...@berger.name> wrote:
> Dear Repository maintainers,
> What is the proper procedure to release maven artifacts to the repository
> with the signatures in place? According to [1] both the pom and jar must be
> signed. I currently use mvn gpg:sign-and-deploy-file which signs the
> artifact (jar), but not the pom. I've requested an enhancement [2], but is
> this the proper way to submit the artifacts? Is there an easier method?
> Thanks
> Max
> P.S. The process I'm using is described in [3], this may be of general
> interest.
> [1] http://people.apache.org/~henkp/repo/faq.html
> [2] http://jira.codehaus.org/browse/MGPG-12
> [3] http://mail-archives.apache.org/mod_mbox/xmlgraphics-general/200806.mbox/%3c14926A6B-CE16-4B37-8F9C-5114C6452AF7@berger.name%3e
Re: Proper maven call to release artifacts?
Posted by Brett Porter <br...@apache.org>.
Check out the gpg plugin config in the Maven parent POM:
http://svn.apache.org/viewvc/maven/pom/trunk/maven/pom.xml?revision=697630&view=markup
We have it in the release profile so that it is only attached during a
release.
Cheers,
Brett
On 29/09/2008, at 5:41 AM, Max Berger wrote:
> Dear Repository maintainers,
>
> What is the proper procedure to release maven artifacts to the
> repository with the signatures in place? According to [1] both the
> pom and jar must be signed. I currently use mvn gpg:sign-and-deploy-
> file which signs the artifact (jar), but not the pom. I've requested
> an enhancement [2], but is this the proper way to submit the
> artifacts? Is there an easier method?
>
> Thanks
>
> Max
>
> P.S. The process I'm using is described in [3], this may be of
> general interest.
>
> [1] http://people.apache.org/~henkp/repo/faq.html
> [2] http://jira.codehaus.org/browse/MGPG-12
> [3] http://mail-archives.apache.org/mod_mbox/xmlgraphics-general/200806.mbox/%3c14926A6B-CE16-4B37-8F9C-5114C6452AF7@berger.name%3e
>
> Anfang der weitergeleiteten E-Mail:
>>> Am 28.09.2008 um 11:40 schrieb Henk Penning:
>>>> I keep an eye on the apache Maven repo, and I noticed that :
>>>> -- you own 1 unsigned artifact
>>>>
>>> I have a question: I use
>>>
>>> mvn gpg:sign-and-deploy-file
>>>
>>> which signs and deployes the artifact, but not the pom.xml. Do you
>>> know if there is a command to do both at the same time or do i
>>> have to do this manually?
>>
>> Please do me a favor and ask this on 'repository@apache.org'
>>
>>> Max
>>
>> HPP
>
--
Brett Porter
brett@apache.org
http://blogs.exist.com/bporter/