jira.codehaus.org

  • Maven 2.x Repository Plugin
  • MREPOSITORY-25

bundle-create creates jar making a preceding gpg:sign step invalid

Details

  • Type: Bug
  • Status: Open
  • Priority: Major
  • Resolution: Unresolved
  • Affects Version/s: 2.3.1
  • Fix Version/s: None
  • Labels:
    None
  • Environment:
    Ubuntu 10.4, Sun Java 1.6.0_20, Maven 2.2.1

Description

Despite following instructions found here:
https://docs.sonatype.org/display/Repository/Uploading+3rd-party+Artifacts+to+Maven+Central
I ran into a problem uploading the bundle to Sonatype's Staging area. Specifically, I received an Invalid Signature error for the main jar artifact.

Sure enough, I ran the following:

gpg --verify foo.jar.asc

and it confirmed that the signature was "BAD."

Upon further investigation, it would seem that the problem is that the repository:bundle-create goal is recreating the jar file, so the command:

mvn source:jar javadoc:jar package gpg:sign repository:bundle-create -Dgpg.passphrase=xx

seems to be creating the jar, signing it, and then creating the jar again – resulting in an invalid gpg signature for the jar.

Note that my pom does not include a gpg signing step – that is why it is part of the command line. My guess is that configuring the maven-gpg-plugin in the project pom may make this work – but I did not have the luxury of being able to do that this time.

The bundle-create goal needs to not recreate the jar file – just make the bundle. Or clarify the documentation.

Activity

Dennis Lundberg added a comment - 05/Sep/10 9:31 AM

It seems that the docs at Sonatype are wrong.

From the plugin doc:

repository:bundle-create Invokes the execution of the lifecycle phase package prior to executing itself.

repository:bundle-pack might be a better choice for you.

Juven Xu added a comment - 06/Sep/10 2:51 AM

Yes, people can first build all the stuff and install them into the local repository:

$ mvn clean source:jar javadoc:jar package gpg:sign install:install -Dgpg.passphrase=xx

Then cd to another directory which does not have any pom.xml, and pack the bundle:

$ mvn repository:bundle-pack

[INFO] --- maven-repository-plugin:2.3.1:bundle-pack (default-cli) @ standalone-pom ---
[INFO] groupId? 
org.sonatype
[INFO] artifactId? 
bundle
[INFO] version? 
1.0-SNAPSHOT

Note that you have to manually specify the GAV of your project; that's how repository:bundle-pack works.

I tried the cmd in our doc in a test project; the signature is correct even though the jar was recreated. I agree it's a problem anyway, but the correct solution above is still a problem IMO; specifying GAV manually seems needless in this situation.

So, if maven-repository-plugin can provide a goal to only pack artifacts from the project target, that would be best.
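
A pre-upload check for the failure reported in this issue, added here as an example (it is not part of the original report, the comments, or maven-repository-plugin): it runs gpg --verify over every detached .asc signature in a directory and reports each one whose artifact no longer matches, as happens when the jar is rebuilt after gpg:sign. The function name check_signatures, the GPG override variable and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example: verify detached signatures before uploading a bundle.
# GPG may be overridden (assumption) so the check can run without a keyring.
GPG="${GPG:-gpg}"

# check_signatures DIR
# Prints "BAD <file>" when a signature does not verify against its artifact
# and "MISSING <file>" when the signed artifact is gone. Returns 0 only when
# every .asc in DIR verifies. The body runs in a subshell to keep variables local.
check_signatures() (
    dir="$1"
    problems=0
    for asc in "$dir"/*.asc; do
        [ -e "$asc" ] || continue          # glob matched nothing
        artifact="${asc%.asc}"             # foo.jar.asc -> foo.jar
        name="${artifact##*/}"
        if [ ! -f "$artifact" ]; then
            echo "MISSING $name"
            problems=$((problems + 1))
        elif ! "$GPG" --batch --verify "$asc" "$artifact" >/dev/null 2>&1; then
            # The signature covers different bytes than the file now holds,
            # e.g. the jar was recreated after the signing step.
            echo "BAD $name"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
)

# Stand-alone use: sh check-signatures.sh target
if [ "$#" -gt 0 ]; then
    check_signatures "$1"
fi
```

Run it against the build output directory after the bundle goal has finished, so that it sees the artifacts as they will be uploaded.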


People

  • Assignee:
    Unassigned
    Reporter:
    Anthony Whitford

Dates

  • Created:
    05/Sep/10 3:46 AM
    Updated:
    06/Sep/10 2:51 AM