[GRADLE-1172] Add PGP signature support to the maven plugin Created: 13/Oct/10 Updated: 04/Jan/13 Resolved: 15/Jul/11
|Reporter:||Joern Huxhorn||Assignee:||Luke Daley|
The Guide to uploading artifacts to the Central Repository lists PGP-Signatures as a requirement for inclusion in the Central Maven Repository.
I've implemented a basic PGP-Plugin in http://github.com/huxi/huxi-gradle-plugins/tree/master/pgp-gradle-plugin/ expecting those signatures to be optional. Feel free to use anything you like.
Since signatures are now a requirement for inclusion in the Central Maven Repository I think this functionality should be included in the maven plugin in a way that would sign all created artifacts before they are uploaded if signing is configured.
The only downside of an inclusion in the maven plugin instead of a separate plugin would be harder to sign distributions (Zip & Tar tasks), too.
|Comment by Joern Huxhorn [ 25/Oct/10 ]|
Sonatype OSS Maven Repository Usage Guide has also already listed PGP signatures as a requirement for syncing to the Central Repository, too.
I mention this since the PGP signature requirement isn't enforced very strictly so far. Existing repository syncs seem to work without signatures as far as I can tell.
The configuration used to deploy to the Sonatype OSS Maven Repository must be
and there is no other option, like rsync or ftp, available.
This means - if I don't miss anything - that the PGP signatures must really be created during gradle build and must also resemble artifacts deployed by uploadArtifacts.
Therefore, deploying to the Sonatype OSS Maven Repository isn't yet possible using Gradle.
|Comment by Luke Daley [ 15/Jul/11 ]|
This functionality has been added as the “signing” plugin in 1.0-milestone-4.