[GRADLE-1845] 'signing' plugin is incompatible with 'artifactory' plugin Created: 19/Oct/11  Updated: 10/Feb/17  Resolved: 10/Feb/17

Status: Resolved
Project: Gradle
Affects Version/s: None
Fix Version/s: None

Type: Bug
Reporter: Chris Beams Assignee: Unassigned
Resolution: Won't Fix Votes: 2


 Description   

From emails sent to support@gradleware.com and support@jfrog.com

On Oct 18, 2011, at 12:40 PM, Chris Beams wrote:

Greetings,

I'm having pretty fundamental problems using the 'artifactory' and 'signing' plugins together. The recent patch to GAP allows me to use the 'artifactory' plugin against Gradle 1.0m5, but once I actually introduce the 'signing' plugin (which is the whole point of upgrading to m5, actually), I get some unworkable results.

To reproduce this, I've just created a repository at https://github.com/cbeams/simple

It's not totally clear who's court this lands in, that's why I've emailed support for both Gradle and JFrog. Take a look at the three most recent commits and diffs there, they tell the tale. You should be able to actually check out and run each of those commits as described in the log messages. You'll need to replace https://internal-repo.springsource.org and supply the REPO_USERNAME and REPO_PASSWORD properties, however.

Thanks, C

$ git clone git@github.com:cbeams/simple.git
$ cd simple
$ git log -3
commit 6574c581ee72210d5645b3ef2e56495f5335dde2 (HEAD, origin/master, master)
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:25:24 2011 -0700

  Demonstrate artifactoryPublish with signing and 'published' config

  $ ./gradlew clean build artifactoryPublish

  Publishes the following artifacts:

      simple-1.0.0-SNAPSHOT.pom
      ivy-1.0.0-SNAPSHOT.xml

  No jar, no jar.asc, no pom.asc.

commit ec4bc3d11754b638424c0fbf26880351f7005884
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:23:13 2011 -0700

  Demonstrate artifactoryPublish with signing

  Publishes the following artifacts:

      simple-1.0.0-SNAPSHOT.pom
      simple-1.0.0-SNAPSHOT.jar
      simple-1.0.0-SNAPSHOT.jar.asc-1.0.0-SNAPSHOT.asc

  The latter is obviously not intended.

  Note that publishConfigs is still set to 'archives' in this scenario

commit 665920bbfdb5fb41a62ec84ea440d9e600cf8d3b
Author: Chris Beams <cbeams@vmware.com>
Date:   Tue Oct 18 12:21:49 2011 -0700

  Demonstrate artifactoryPublish without signing

  $ ./gradlew clean build artifactoryPublish

  Works as advertised, publishing the following artifacts:

      simple-1.0.0-SNAPSHOT.jar
      simple-1.0.0-SNAPSHOT.pom
      ivy-1.0.0-SNAPSHOT.xml

From email sent to Adam directly

On Oct 18, 2011, at 4:07 PM, Chris Beams wrote:

Hey Adam,

There another issue separate from the one that I've described below, but closely related to it. The way to sign poms looks like this:

uploadPublished {
	repositories.mavenDeployer {
		repository(url: "https://repo.whatev.org/reponame")
		beforeDeployment { deployment -> signPom(deployment) }
	}
}

However, when the 'artifactory' plugin is in the mix, the 'uploadPublished' task is going to be ignored. If I understand everything correctly, it's really the output of the 'install' task that matters. The artifactory plugin aggregates everything coming out of 'install' and then turns around and deploys it to artifactory.

That means that signing the pom needs to happen within 'install'. The problem is that (as far as I can tell), there is no way to get hold of a MavenDeployment object in order to sign the pom.

This means that currently, there is no way to sign a pom when using the artifactory plugin.

Is there something I've missed? If my analysis is correct (@Fred can confirm) just need a way to sign the pom artifact during the installation phase and add that .asc artifact to the 'signatures' configuration.



 Comments   
Comment by Benjamin Muschko [ 15/Nov/16 ]

As announced on the Gradle blog we are planning to completely migrate issues from JIRA to GitHub.

We intend to prioritize issues that are actionable and impactful while working more closely with the community. Many of our JIRA issues are inactionable or irrelevant. We would like to request your help to ensure we can appropriately prioritize JIRA issues you’ve contributed to.

Please confirm that you still advocate for your JIRA issue before December 10th, 2016 by:

  • Checking that your issues contain requisite context, impact, behaviors, and examples as described in our published guidelines.
  • Leave a comment on the JIRA issue or open a new GitHub issue confirming that the above is complete.

We look forward to collaborating with you more closely on GitHub. Thank you for your contribution to Gradle!

Comment by Benjamin Muschko [ 10/Feb/17 ]

Thanks again for reporting this issue. We haven't heard back from you after our inquiry from November 15th. We are closing this issue now. Please create an issue on GitHub if you still feel passionate about getting it resolved.

Generated at Wed Jun 30 12:05:55 CDT 2021 using Jira 8.4.2#804003-sha1:d21414fc212e3af190e92c2d2ac41299b89402cf.