Details
- Type: New Feature
- Status: Resolved
- Resolution: Fixed
- Affects Version/s: 0.9
- Fix Version/s: 1.0-milestone-4
Description
The Guide to uploading artifacts to the Central Repository lists PGP-Signatures as a requirement for inclusion in the Central Maven Repository.
I've implemented a basic PGP-Plugin in http://github.com/huxi/huxi-gradle-plugins/tree/master/pgp-gradle-plugin/ expecting those signatures to be optional. Feel free to use anything you like.
Since signatures are now a requirement for inclusion in the Central Maven Repository I think this functionality should be included in the maven plugin in a way that would sign all created artifacts before they are uploaded if signing is configured.
The only downside of inclusion in the maven plugin instead of a separate plugin would be that it would be harder to sign distributions (Zip & Tar tasks), too.
That's another feature that I'd really like to have.
Issue Links
- dependent by
  - GRADLE-1035: Provide a 'maven central' plugin to ease deployment of artifacts and ensure well-formed poms
The Sonatype OSS Maven Repository Usage Guide has also already listed PGP signatures as a requirement for syncing to the Central Repository.
See 6. Central Sync Requirement.
I mention this since the PGP signature requirement isn't enforced very strictly so far. Existing repository syncs seem to work without signatures as far as I can tell.
The configuration used to deploy to the Sonatype OSS Maven Repository must be
and there is no other option, like rsync or ftp, available.
This means - if I'm not missing anything - that the PGP signatures must really be created during the Gradle build and must also resemble artifacts deployed by uploadArtifacts.
Therefore, deploying to the Sonatype OSS Maven Repository isn't yet possible using Gradle.