Maven 2.x and 3.x GPG Plugin

Site descriptor does not get signed

Details

  • Type: Bug Bug
  • Status: Closed Closed
  • Priority: Blocker Blocker
  • Resolution: Won't Fix
  • Affects Version/s: 1.0-alpha-4
  • Fix Version/s: None
  • Component/s: None
  • Labels:
    None
  • Number of attachments :
    0

Description

When the site descriptor is an attached artifact, the GPG signature is not generated.

Steps to reproduce:

svn co https://svn.apache.org/repos/asf/maven/surefire/tags/surefire-2.5@898285 surefire-2.5
cd surefire-2.5
mvn site:attach-descriptor gpg:sign -Papache-release -N
ls target/*.asc

if there is a surefire-2.5-site.xml.asc then this bug is fixed.

Issue Links

This issue relates to:
MSITE-478 Attach site descriptor as an artifact, not metadata, to the project Major Closed
This issue is related to:
MGPG-12 sign-and-deploy does not sign pom.xml Major Closed

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Dennis Lundberg added a comment -

I had a look at how the Site Plugin attaches the descriptor. It is attached as metadata to the artifact - not as an attached artifact. ArtifactMetadata has no accessors to any File object, but ProjectArtifactMetadata has a private variable that holds a File. That private variable is used to copy the file to the local repository during install, but again it is private.

Without a file we can't sign it AFAICT. If we install the site descriptor into the local repository before we try to sign it, we should be able to access it from the local repo. But I'm not sure how well that works with the life cycle. I think it's a chicken-and-egg problem.

Show
Dennis Lundberg added a comment - I had a look at how the Site Plugin attaches the descriptor. It is attached as metadata to the artifact - not as an attached artifact. ArtifactMetadata has no accessors to any File object, but ProjectArtifactMetadata has a private variable that holds a File. That private variable is used to copy the file to the local repository during install, but again it is private. Without a file we can't sign it AFAICT. If we install the site descriptor into the local repository before we try to sign it, we should be able to access it from the local repo. But I'm not sure how well that works with the life cycle. I think it's a chicken-and-egg problem.
Hide
Permalink
Brett Porter added a comment -

it should be getting into the local repository first, as that's how the deploy mechanism works. However, that'd be a one off solution - sounds like a Maven issue that the metadata can't be enumerated. Perhaps it is better to change the site plugin to attach it as an artifact instead (it probably should be anyway?)

Show
Brett Porter added a comment - it should be getting into the local repository first, as that's how the deploy mechanism works. However, that'd be a one off solution - sounds like a Maven issue that the metadata can't be enumerated. Perhaps it is better to change the site plugin to attach it as an artifact instead (it probably should be anyway?)
Hide
Permalink
Michael Heuer added a comment -

Is there a workaround for this problem? This is preventing me from being able to stage in Nexus, see

https://issues.sonatype.org/browse/OSSRH-321

Show
Michael Heuer added a comment - Is there a workaround for this problem? This is preventing me from being able to stage in Nexus, see https://issues.sonatype.org/browse/OSSRH-321
Hide
Permalink
Benjamin Bentmann added a comment -

Is there a workaround for this problem?

You can still manually sign and deploy the file.

Show
Benjamin Bentmann added a comment -
Is there a workaround for this problem?
You can still manually sign and deploy the file.
Hide
Permalink
Dennis Lundberg added a comment -

I've applied a fix to version 2.1.1-SNAPSHOT of the Site Plugin. The IT for the attach-descriptor mojo was expanded and passes. Stephen's Surefire example also works for me with that version. However since this is a change in the Site Plugin's behavior we need as many testers as possible. Report your findings either in this issue or better in MSITE-478.

Show
Dennis Lundberg added a comment - I've applied a fix to version 2.1.1-SNAPSHOT of the Site Plugin. The IT for the attach-descriptor mojo was expanded and passes. Stephen's Surefire example also works for me with that version. However since this is a change in the Site Plugin's behavior we need as many testers as possible. Report your findings either in this issue or better in MSITE-478.
Hide
Permalink
Benjamin Bentmann added a comment -

Out of scope for the GPG Plugin itself, added a FAQ mentioning the requirement to update the Site Plugin instead.

Show
Benjamin Bentmann added a comment - Out of scope for the GPG Plugin itself, added a FAQ mentioning the requirement to update the Site Plugin instead.

People

Vote (3)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Codehaus. Try JIRA - bug tracking software for your team.