Maven “deploy” causes code to be rebuilt after a signing operation (BAD signature)

I want to deploy an artifact to the Sonatype OSS repository.

When deployed using the following command, signatures are invalid.

mvn clean source:jar javadoc:jar install gpg:sign deploy

> gpg --verify  target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:45:50 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: BAD signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]

If I remove the deploy goal, the signatures are good.

mvn clean source:jar javadoc:jar install gpg:sign

> gpg --verify  target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:54:34 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: Good signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]

I understand that after the signing operation the jars were packaged a second time. How can I deploy without compromising signatures?

Problematic operations:

[INFO] --- maven-gpg-plugin:1.5:sign (default-cli) @ security-versions ---

You need a passphrase to unlock the secret key for
user: "Philippe Arteau <philippe.arteau@gmail.com>"
4096-bit RSA key, ID 63E38ACF, created 2013-05-12

[...]

[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1.jar
[INFO]
[INFO] --- maven-plugin-plugin:3.2:addPluginArtifactMetadata (default-addPluginArtifactMetadata) @ security-versions ---
[INFO]
[INFO] --- maven-source-plugin:2.2.1:jar-no-fork (default) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1-sources.jar

The second part should not be executed, since compilation and packaging already exist.

+4
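
A check for the symptom visible in the question's log, as an added example that is not part of the original post: it scans Maven console output and reports every jar written after maven-gpg-plugin:sign ran, the ordering that can leave a detached .asc computed over bytes that no longer match the file. The function name and CLEAN_LOG are constructed for illustration, and a single-module build is assumed.

```python
import re

# Plugin banner: "[INFO] --- <plugin>:<version>:<goal> (<execution-id>) @ <module> ---"
BANNER = re.compile(r"^\[INFO\] --- ([\w.-]+):[\w.-]+:([\w-]+) \([^)]*\) @ \S+ ---$")
BUILT = re.compile(r"^\[INFO\] Building jar: (.+)$")

# Banner and "Building jar" lines from the log quoted in the question.
PAGE_LOG = r"""
[INFO] --- maven-gpg-plugin:1.5:sign (default-cli) @ security-versions ---
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1.jar
[INFO]
[INFO] --- maven-plugin-plugin:3.2:addPluginArtifactMetadata (default-addPluginArtifactMetadata) @ security-versions ---
[INFO]
[INFO] --- maven-source-plugin:2.2.1:jar-no-fork (default) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1-sources.jar
"""

# Constructed log (not from the page): packaging happens once, before signing.
CLEAN_LOG = r"""
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:\build\target\security-versions-1.0.1.jar
[INFO] --- maven-gpg-plugin:1.5:sign (sign-artifacts) @ security-versions ---
[INFO] --- maven-deploy-plugin:2.8.2:deploy (default-deploy) @ security-versions ---
"""

def jars_rebuilt_after_signing(log_text):
    """Return (plugin:goal, jar path) for each jar written after gpg:sign ran."""
    signed, current, rebuilt = False, None, []
    for line in log_text.splitlines():
        line = line.strip()
        banner = BANNER.match(line)
        if banner:
            # Remember which plugin goal is running and whether signing has happened.
            current = f"{banner.group(1)}:{banner.group(2)}"
            signed = signed or current == "maven-gpg-plugin:sign"
            continue
        built = BUILT.match(line)
        if built and signed:
            rebuilt.append((current, built.group(1)))
    return rebuilt

if __name__ == "__main__":
    for goal, jar in jars_rebuilt_after_signing(PAGE_LOG):
        print(f"rebuilt after signing by {goal}: {jar}")
```
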
2 answers

install deploy. .

deploy. .

0

, XML pom.xml.

<build>
    <plugins>
        <plugin>
            <inherited>true</inherited>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-deploy-plugin</artifactId>
            <version>2.8.2</version>
            <configuration>
                <updateReleaseInfo>true</updateReleaseInfo>
            </configuration>
            <executions>
                <execution>
                    <goals>
                        <goal>deploy</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
        <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>1.6</version>
            <executions>
                <execution>
                    <id>sign-artifacts</id>
                    <goals>
                        <goal>sign</goal>
                    </goals>
                </execution>
            </executions>
        </plugin>
    </plugins>
</build>

. , , , .

: mvn clean source:jar javadoc:jar deploy (: )

Caveat

, gpg: maven-deploy-plugin.

, / / . (mvn clean source:jar javadoc:jar verify install gpg:sign deploy) 4 ( ..).

-

oss-parent gpg: - .

0

Source: https://habr.com/ru/post/1612469/

