Code Block
languagebash
$ docker run -it --rm -v $(pwd):/build -w /build maven:3-jdk-8 mvn clean install

Publishing Artifacts (Advanced)

To easily run your own test Nexus repository via Docker (untested):

Code Block
languagebash
$ docker run -d -p 8081:8081 --name nexus sonatype/nexus:oss

Open-Source Software Repository Hosting (OSSRH)

See http://central.sonatype.org/pages/ossrh-guide.html

For a more long-term solution for hosting your (open-source) Maven artifacts, you can follow these steps to deploy them to OSSRH.

They will even sync your released artifacts with Maven Central on your behalf.

Working with GPG Keys

See http://central.sonatype.org/pages/working-with-pgp-signatures.html

Then execute the following command to upload your public key:

Code Block
languagebash
$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG>

where <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG> is the key ID shown in the output above.

To sign a file with your GPG key:

Code Block
languagebash
$ gpg -ab ir-utils-0.1.0.jar

NOTE: You will be asked to enter your GPG key's passphrase

This writes an ASCII-armored detached signature (ir-utils-0.1.0.jar.asc) that should be distributed alongside the file it signs.

Verifying GPG Signatures

As a consumer, you can verify the authenticity of the Maven artifacts by using the gpg command line tool:

Code Block
languagebash
$ gpg --verify target/ir-utils-0.1.0.jar.asc
gpg: assuming signed data in 'target/ir-utils-0.1.0.jar'
gpg: Signature made Thu Jun  1 21:21:16 2017 CDT
gpg:                using RSA key <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG>
gpg: Good signature from "Craig Willis (https://github.com/craig-willis) <willis8@illinois.edu>" [ultimate]
gpg:                 aka "Garrick Sherman (https://github.com/gtsherman) <gsherma2@illinois.edu>" [ultimate]
gpg:                 aka "Mike Lambert (https://github.com/bodom0015) <lambert8@illinois.edu>" [ultimate]

gpg reads the detached signature from the .asc file and checks it against the jar and the signer's public key in your keyring. A "Good signature" result gives you confidence that the artifact was not modified or replaced by a malicious party, provided you have confirmed that the key really belongs to the publisher; gpg only reports that the signature matches that key, and the trust level in brackets ([ultimate] above) is your own keyring's assessment of it, not a property of the artifact.

Third-Party Dependencies

To publish a single SNAPSHOT artifact to a repository:

Staging a New Release

Syncing to Maven Central

See http://central.sonatype.org/pages/requirements.html

OSSRH will sync your released artifacts with Maven Central on your behalf, but it has a strict list of requirements for artifacts synced to Maven Central.

In general, the requirements are as follows:

  1. Final bundle.jar must include:
    1. Project POM (i.e. pom.xml)
    2. Compiled JAR (e.g. ir-utils-0.1.0.jar)
    3. JavaDoc JAR (e.g. ir-utils-0.1.0-javadoc.jar)
    4. Sources JAR (e.g. ir-utils-0.1.0-sources.jar)
    5. GPG signatures for all of the above (e.g. ir-utils-0.1.0.jar.asc, ir-utils-0.1.0-javadoc.jar.asc, etc.)
  2. Final pom.xml must include:
    1. Project coordinates: groupId / artifactId / version
    2. Project name and description
    3. License information
    4. Developer information
    5. SCM information
  3. Final pom.xml must NOT include:
    1. <repositories> tags
    2. <pluginRepositories> tags
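As an added example, not part of the original page: a small Python pre-flight check that walks the requirements above before you upload a bundle. It assumes the file naming shown on the page (artifactId-version[-javadoc|-sources].jar with a .asc beside each file) and only checks that the signature files are present; verifying the signatures themselves is the gpg --verify step above. The sample bundle it writes is constructed data.

```python
"""Pre-flight check of a Maven release bundle against the OSSRH requirements above.
Added example, not from the original page; the demo bundle is constructed data."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Top-level <project> children that OSSRH requires, and the two it forbids.
REQUIRED_POM_TAGS = ("groupId", "artifactId", "version", "name", "description",
                     "licenses", "developers", "scm")
FORBIDDEN_POM_TAGS = ("repositories", "pluginRepositories")

def expected_files(artifact_id, version):
    """The four files that must be present, each with a detached .asc signature."""
    base = f"{artifact_id}-{version}"
    return ["pom.xml", f"{base}.jar", f"{base}-javadoc.jar", f"{base}-sources.jar"]

def check_bundle(bundle_dir, artifact_id, version):
    """Return a list of problems; empty means the listed requirements are met.
    Only the POM text is inspected: coordinates inherited from a parent POM
    are reported as missing and need a manual look."""
    problems = []
    for name in expected_files(artifact_id, version):
        path = os.path.join(bundle_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing {name}")
        if not os.path.isfile(path + ".asc"):
            problems.append(f"missing signature {name}.asc")
    pom_path = os.path.join(bundle_dir, "pom.xml")
    if os.path.isfile(pom_path):
        root = ET.parse(pom_path).getroot()
        # Drop the Maven XML namespace so tags compare by local name.
        top_level = {child.tag.rsplit("}", 1)[-1] for child in root}
        problems += [f"pom.xml lacks <{t}>" for t in REQUIRED_POM_TAGS if t not in top_level]
        problems += [f"pom.xml must not contain <{t}>" for t in FORBIDDEN_POM_TAGS if t in top_level]
    return problems

def build_demo_bundle(include_sources=True, add_repositories=False):
    """Write a constructed bundle (empty jars, placeholder .asc files) to a temp dir."""
    bundle_dir = tempfile.mkdtemp(prefix="ossrh-bundle-")
    for name in expected_files("ir-utils", "0.1.0"):
        if include_sources or not name.endswith("-sources.jar"):
            for suffix in ("", ".asc"):
                open(os.path.join(bundle_dir, name + suffix), "w").close()
    tags = "".join(f"<{t}>x</{t}>" for t in REQUIRED_POM_TAGS)
    if add_repositories:
        tags += "<repositories><repository><id>r</id></repository></repositories>"
    with open(os.path.join(bundle_dir, "pom.xml"), "w", encoding="utf-8") as fh:
        fh.write(f'<project xmlns="http://maven.apache.org/POM/4.0.0">{tags}</project>')
    return bundle_dir
```

Run check_bundle against your real staging directory; an empty list means the bundle is structurally complete, and each string in a non-empty list names one requirement that fails.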