From emails sent to support@gradleware.com and support@jfrog.com

On Oct 18, 2011, at 12:40 PM, Chris Beams wrote:

Greetings,

I'm having pretty fundamental problems using the 'artifactory' and 'signing' plugins together. The recent patch to GAP allows me to use the 'artifactory' plugin against Gradle 1.0m5, but once I actually introduce the 'signing' plugin (which is the whole point of upgrading to m5, actually), I get some unworkable results.

To reproduce this, I've just created a repository at https://github.com/cbeams/simple

It's not totally clear who's court this lands in, that's why I've emailed support for both Gradle and JFrog. Take a look at the three most recent commits and diffs there, they tell the tale. You should be able to actually check out and run each of those commits as described in the log messages. You'll need to replace https://internal-repo.springsource.org and supply the REPO_USERNAME and REPO_PASSWORD properties, however.

Thanks, C

$ git clone git@github.com:cbeams/simple.git
$ cd simple
$ git log -3
commit 6574c581ee72210d5645b3ef2e56495f5335dde2 (HEAD, origin/master, master)
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:25:24 2011 -0700

  Demonstrate artifactoryPublish with signing and 'published' config

  $ ./gradlew clean build artifactoryPublish

  Publishes the following artifacts:

      simple-1.0.0-SNAPSHOT.pom
      ivy-1.0.0-SNAPSHOT.xml

  No jar, no jar.asc, no pom.asc.

commit ec4bc3d11754b638424c0fbf26880351f7005884
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:23:13 2011 -0700

  Demonstrate artifactoryPublish with signing

  Publishes the following artifacts:

      simple-1.0.0-SNAPSHOT.pom
      simple-1.0.0-SNAPSHOT.jar
      simple-1.0.0-SNAPSHOT.jar.asc-1.0.0-SNAPSHOT.asc

  The latter is obviously not intended.

  Note that publishConfigs is still set to 'archives' in this scenario

commit 665920bbfdb5fb41a62ec84ea440d9e600cf8d3b
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:21:49 2011 -0700

  Demonstrate artifactoryPublish without signing

  $ ./gradlew clean build artifactoryPublish

  Works as advertised, publishing the following artifacts:

      simple-1.0.0-SNAPSHOT.jar
      simple-1.0.0-SNAPSHOT.pom
      ivy-1.0.0-SNAPSHOT.xml

From email sent to Adam directly

On Oct 18, 2011, at 4:07 PM, Chris Beams wrote:

Hey Adam,

There another issue separate from the one that I've described below, but closely related to it. The way to sign poms looks like this:

uploadPublished {
	repositories.mavenDeployer {
		repository(url: "https://repo.whatev.org/reponame")
		beforeDeployment { deployment -> signPom(deployment) }
	}
}

However, when the 'artifactory' plugin is in the mix, the 'uploadPublished' task is going to be ignored. If I understand everything correctly, it's really the output of the 'install' task that matters. The artifactory plugin aggregates everything coming out of 'install' and then turns around and deploys it to artifactory.

That means that signing the pom needs to happen within 'install'. The problem is that (as far as I can tell), there is no way to get hold of a MavenDeployment object in order to sign the pom.

This means that currently, there is no way to sign a pom when using the artifactory plugin.

Is there something I've missed? If my analysis is correct (@Fred can confirm) just need a way to sign the pom artifact during the installation phase and add that .asc artifact to the 'signatures' configuration.