[GRADLE-1172] Add PGP signature support to the maven plugin Created: 13/Oct/10  Updated: 04/Jan/13  Resolved: 15/Jul/11

Status: Resolved
Project: Gradle
Affects Version/s: 0.9
Fix Version/s: 1.0-milestone-4

Type: New Feature
Reporter: Joern Huxhorn Assignee: Luke Daley
Resolution: Fixed Votes: 1

Issue Links:
dependent
dependent by GRADLE-1035 Provide a 'maven central' plugin to e... Resolved

 Description   

The Guide to uploading artifacts to the Central Repository lists PGP-Signatures as a requirement for inclusion in the Central Maven Repository.

I've implemented a basic PGP-Plugin in http://github.com/huxi/huxi-gradle-plugins/tree/master/pgp-gradle-plugin/ expecting those signatures to be optional. Feel free to use anything you like.

Since signatures are now a requirement for inclusion in the Central Maven Repository I think this functionality should be included in the maven plugin in a way that would sign all created artifacts before they are uploaded if signing is configured.

The only downside of an inclusion in the maven plugin instead of a separate plugin would be that it would be harder to sign distributions (Zip & Tar tasks), too.
That's another feature that I'd really like to have.



 Comments   
Comment by Joern Huxhorn [ 25/Oct/10 ]

The Sonatype OSS Maven Repository Usage Guide has also already listed PGP signatures as a requirement for syncing to the Central Repository.

See 6. Central Sync Requirement.

I mention this since the PGP signature requirement isn't enforced very strictly so far. Existing repository syncs seem to work without signatures as far as I can tell.

The configuration used to deploy to the Sonatype OSS Maven Repository must be

<distributionManagement>
	<snapshotRepository>
		<id>sonatype-nexus-snapshots</id>
		<name>Sonatype Nexus Snapshots</name>
		<url>https://oss.sonatype.org/content/repositories/snapshots/</url>
	</snapshotRepository>
	<repository>
		<id>sonatype-nexus-staging</id>
		<name>Nexus Release Repository</name>
		<url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
	</repository>
</distributionManagement>

and there is no other option, like rsync or ftp, available.

This means - if I'm not missing anything - that the PGP signatures must really be created during the Gradle build and must also resemble artifacts deployed by uploadArtifacts.

Therefore, deploying to the Sonatype OSS Maven Repository isn't yet possible using Gradle.

Comment by Luke Daley [ 15/Jul/11 ]

This functionality has been added as the “signing” plugin in 1.0-milestone-4.
