How to sign maven publications with gradle

There is a build.gradle script that uses the new publishing plugin:

    apply plugin: 'java'
    apply plugin: 'groovy'
    apply plugin: 'signing'
    apply plugin: 'maven-publish'

    // ...

    publishing {
        publications {
            maven(MavenPublication) {
                from components.java
                artifact sourcesJar {
                    classifier 'source'
                }
            }
        }
        repositories {
            maven {
                name 'Temporary'
                url "file://${rootProject.buildDir}/repo"
            }
        }
    }

    signing {
        sign configurations.archives
    }

So the questions are:

  • How to sign the Maven POM?
  • How to publish the signatures to the Maven repository?
2 answers

The new, incubating maven-publish plugin does not yet support signing.


Although it is not officially supported, you can publish signed artifacts using the signing and maven-publish plugins together.

First we set up the signing section as usual:

    apply plugin: 'signing'

    signing {
        sign configurations.archives
    }

This signs the project archives. To sign the POM generated by the maven-publish plugin, a Sign task is added:

    task signPom(type: Sign) {
        sign project.file('build/publications/maven/pom-default.xml')
        // The signing plugin does not seem to notice when the publications
        // folder with the signature has been deleted, so always create a
        // fresh signature.
        outputs.upToDateWhen { false }
    }

It is not possible to simply add the line sign generatePomFileForMavenPublication to the signing section, because the maven-publish plugin uses late configuration, which means that the task that generates the POM does not exist yet when the signing section is configured.

Now we have all the signature files that we need. We only need to add them to the publication:

    apply plugin: 'maven-publish'

    publishing {
        publications {
            maven(MavenPublication) {
                from components.java

                project.tasks.withType(Sign) {
                    signatures.all {
                        def type = it.type
                        if (it.file.name.endsWith('.tar.gz.asc')) {
                            // Workaround in case a tar.gz file should be published
                            type = 'tar.gz.asc'
                        } else if (it.type.equals('xml.asc')) {
                            // Set the correct extension for the signature of the pom file
                            type = 'pom.asc'
                        }
                        artifact source: it.file, classifier: it.classifier ?: null, extension: type
                    }
                }

                pom.withXml {
                    // The pom can be enriched as usual
                }
            }
        }
    }

This takes all the signature files produced by the build and adds them as artifacts to the publication. For the POM signature to be written correctly, the xml.asc extension must be replaced with pom.asc (the maven-publish plugin stores the POM locally as pom-default.xml).

Once all the tasks exist and are wired together, the last thing to do is to configure the task dependencies in the model block:

    model {
        tasks.publishMavenPublicationToMavenLocal {
            dependsOn project.tasks.withType(Sign)
        }
        tasks.publishMavenPublicationToNexusLocalSnapshotsRepository {
            dependsOn project.tasks.withType(Sign)
        }
        tasks.signPom {
            dependsOn tasks.generatePomFileForMavenPublication
        }
    }

The name of the second task depends on the name of the repository in publications.repository. Mine is called "NexusLocalSnapshots".

The only drawback of this approach is that md5 and sha1 checksum files are also generated for each signature file. This does not seem to be a problem for the repository manager, though (tested locally with Nexus 3).

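As an added check that is not part of either answer, the script below walks the local repository written by the publish task and reports artifacts with no .asc beside them, POM signatures still published as .xml.asc (the extension the workaround above corrects), and checksum files generated for the signatures themselves; with verify=True it runs gpg --verify on every signature, which assumes gpg on PATH and the signer's public key already imported. The repository layout, the sample file names and the helper names are assumptions.

```python
import os
import shutil
import subprocess
import tempfile

SIGNED_EXTS = (".jar", ".war", ".pom", ".tar.gz")      # must have a <name>.asc beside them
CHECKSUM_EXTS = (".md5", ".sha1", ".sha256", ".sha512")


def gpg_verify(sig_path, data_path):
    """Run `gpg --batch --verify <sig> <data>`; the signer's public key must be in the keyring."""
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg not found on PATH")
    proc = subprocess.run(["gpg", "--batch", "--verify", sig_path, data_path], capture_output=True)
    return proc.returncode == 0


def audit_repo(repo_dir, verify=False):
    """Walk a Maven repository layout and collect signature problems:
    missing (artifact without .asc), misnamed (*.xml.asc: POM signature under the wrong
    extension), sig_checksums (md5/sha1 files generated for the .asc files themselves),
    bad_sig (signatures gpg rejected; only filled when verify=True)."""
    report = {"missing": [], "misnamed": [], "sig_checksums": [], "bad_sig": []}
    for root, _dirs, files in os.walk(repo_dir):
        present = set(files)
        for name in sorted(files):
            path = os.path.join(root, name)
            if name.endswith(".xml.asc"):
                report["misnamed"].append(path)
            elif name.endswith(".asc"):
                if verify and not gpg_verify(path, path[:-len(".asc")]):
                    report["bad_sig"].append(path)
            elif name.endswith(CHECKSUM_EXTS) and ".asc." in name:
                report["sig_checksums"].append(path)
            elif name.endswith(SIGNED_EXTS) and name + ".asc" not in present:
                report["missing"].append(path)
    return report


def make_sample_repo():
    """Constructed sample: an empty-file repository tree that triggers each finding once."""
    version_dir = os.path.join(tempfile.mkdtemp(), "com", "example", "lib", "1.0")
    os.makedirs(version_dir)
    for name in ("lib-1.0.jar", "lib-1.0.jar.asc", "lib-1.0.jar.asc.md5", "lib-1.0.jar.sha1",
                 "lib-1.0.pom", "lib-1.0.xml.asc", "lib-1.0-source.jar"):
        open(os.path.join(version_dir, name), "w").close()
    return version_dir
```

Point audit_repo at the directory configured as the publishing repository (for the question's build, build/repo) after running the publish task; an empty report means every artifact, including the POM and the sources jar, carries a correctly named signature.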

Source: https://habr.com/ru/post/945051/
