...
$ docker run -it --rm -v $(pwd):/build -w /build maven:3-jdk-8 mvn clean install
Publishing Artifacts (Advanced)
To easily run your own test Nexus repository via Docker (untested):
$ docker run -d -p 8081:8081 --name nexus sonatype/nexus:oss
Nexus OSS starts with a well-known default administrator account (admin / admin123). Change that password before anyone else can reach port 8081, and bind the port to the loopback interface (-p 127.0.0.1:8081:8081) if the repository is only meant for local testing.
Open-Source Software Repository Hosting (OSSRH)
See http://central.sonatype.org/pages/ossrh-guide.html
For a more long-term solution for hosting your (open-source) Maven artifacts, you can follow these steps to deploy them to OSSRH.
They will even sync your released artifacts with Maven Central on your behalf.
In general, requirements are as follows:
...
...
...
- Project coordinates: groupId / artifactId / version
- Project name and description
- License information
- Developer information
- SCM information
...
- <repositories> tags
- <pluginRepositories> tags
Working with GPG Keys
See http://central.sonatype.org/pages/working-with-pgp-signatures.html
...
Then execute the following command to upload your public key:
$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG>
where <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG> is pulled from the output above.
Note that the SKS keyserver pool was shut down in 2021, so this exact command will no longer succeed; substitute a keyserver that is still operating (for example hkps://keys.openpgp.org or hkps://keyserver.ubuntu.com). If the public key is not reachable on a keyserver, consumers have no way to fetch it and OSSRH cannot validate your signatures.
...
To sign a file with your GPG key:
$ gpg -ab ir-utils-0.1.0.jar
NOTE: You will be asked to enter your GPG key's passphrase.
Here -a requests ASCII armor and -b a detached signature, so this writes ir-utils-0.1.0.jar.asc next to the jar; the .asc must be published alongside the exact file it was made from, since the signature covers those bytes only. Repeat this for every file in the bundle (POM, javadoc jar and sources jar), because OSSRH requires a signature for each of them.
Verifying GPG Signatures
As a consumer, you can verify the authenticity of the Maven artifacts by using the gpg command line tool:
$ gpg --verify target/ir-utils-0.1.0.jar.asc
gpg: assuming signed data in 'target/ir-utils-0.1.0.jar'
gpg: Signature made Thu Jun  1 21:21:16 2017 CDT
gpg:                using RSA key <YOUR_KEY_ID_WHICH_WILL_BE_FAIRLY_LONG>
gpg: Good signature from "Craig Willis (https://github.com/craig-willis) <willis8@illinois.edu>" [ultimate]
gpg:                 aka "Garrick Sherman (https://github.com/gtsherman) <gsherma2@illinois.edu>" [ultimate]
gpg:                 aka "Mike Lambert (https://github.com/bodom0015) <lambert8@illinois.edu>" [ultimate]
"Good signature" means the .asc was produced over exactly these bytes of ir-utils-0.1.0.jar by the key shown, so the artifact was not modified or replaced after it was signed. It does not, by itself, tell you that the key belongs to the project: anyone can generate a key carrying these names and e-mail addresses. Compare the key's full fingerprint (gpg --fingerprint <KEY_ID>) with one the project publishes out of band, and treat a "WARNING: This key is not certified with a trusted signature" line as the prompt to do exactly that rather than as noise. The [ultimate] trust level in this transcript appears only because the output was captured on the signer's own machine.
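The check above stops at "Good signature", which is not sufficient on its own. The following script, added here as an example and not part of the project's tooling, does what a consumer should actually do: run gpg in machine-readable mode (--status-fd) and accept the artifact only when the VALIDSIG status line names a key fingerprint that was obtained out of band from the project. The value of EXPECTED_FPR is a constructed placeholder, and the default signature file name (artifact name plus .asc) follows the ir-utils-0.1.0.jar example on this page.

```shell
#!/bin/sh
# Verify a detached GPG signature on a Maven artifact and pin the signing key.
# Added example for this page, not project code. A plain "Good signature" only
# proves that the .asc matches the file for *some* key; this script additionally
# requires that the key's fingerprint equals one obtained out of band.

# Fingerprint to pin. Constructed placeholder for the example: replace it with the
# project's published fingerprint (gpg --fingerprint <KEY_ID>).
EXPECTED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# check_validsig EXPECTED_FPR
# Reads gpg --status-fd output on stdin. Returns 0 only when a VALIDSIG line is
# present and either the signing (sub)key fingerprint (field 3) or the primary key
# fingerprint (last field) equals EXPECTED_FPR. GOODSIG/BADSIG alone are never
# enough: they carry only a short key ID, which is trivially collidable.
check_validsig() {
  expected="$1"
  found=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        # Split the status line into fields; $3 is the signing key fingerprint.
        set -- $line
        eval "primary=\${$#}"
        if [ "$3" = "$expected" ] || [ "$primary" = "$expected" ]; then
          found=0
        fi
        ;;
    esac
  done
  return $found
}

# verify_artifact ARTIFACT [SIGNATURE] [EXPECTED_FPR]
# Runs gpg with machine-readable status lines on fd 1 (the human-readable report
# stays on stderr) and feeds those lines to check_validsig.
verify_artifact() {
  artifact="$1"
  sig="${2:-$1.asc}"
  expected="${3:-$EXPECTED_FPR}"
  gpg --batch --status-fd 1 --verify "$sig" "$artifact" | check_validsig "$expected"
}

# Usage: ./verify_artifact.sh target/ir-utils-0.1.0.jar
if [ "$#" -ge 1 ]; then
  if verify_artifact "$@"; then
    echo "OK: $1 is signed by the pinned key"
  else
    echo "REJECT: $1 is unsigned, modified, or signed by an unexpected key" >&2
    exit 1
  fi
fi
```

Pinning the primary key fingerprint (the last VALIDSIG field) rather than the signing key lets the project rotate signing subkeys without every consumer updating the pin, while still rejecting any signature made under a different identity.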
Third-Party Dependencies
To publish a single SNAPSHOT artifact to a repository:
...
Staging a New Release
Syncing to Maven Central
See http://central.sonatype.org/pages/requirements.html
OSSRH will sync your released artifacts with Maven Central on your behalf, but it enforces a strict list of requirements before anything is synced to Maven Central.
In general, the requirements are as follows:
- Final bundle.jar must include:
- Project POM (i.e. pom.xml)
- Compiled JAR (e.g. ir-utils-0.1.0.jar)
- JavaDoc JAR (e.g. ir-utils-0.1.0-javadoc.jar)
- Sources JAR (e.g. ir-utils-0.1.0-sources.jar)
- GPG signatures for all of the above (e.g. ir-utils-0.1.0.jar.asc, ir-utils-0.1.0-javadoc.jar.asc, etc.)
- Final pom.xml must include:
- Project coordinates: groupId / artifactId / version
- Project name and description
- License information
- Developer information
- SCM information
- Final pom.xml must NOT include:
- <repositories> tags
- <pluginRepositories> tags
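As an added example (not part of the project's build), the following shell function turns the checklist above into a pre-flight test to run before staging a release, so a missing signature or a stray <repositories> block is caught locally rather than by an OSSRH rejection. It assumes all files for one artifact sit in a single directory and are named as Maven's repository layout names them (artifactId-version.pom, -javadoc.jar, -sources.jar); where no artifactId-version.pom exists it falls back to pom.xml, the name used on this page. The element checks are plain text matches on the POM, which is deliberate: a release POM with these elements commented out would still be accepted, so inspect it if the check fires unexpectedly.

```shell
#!/bin/sh
# Pre-flight check of a release directory against the OSSRH / Maven Central
# requirements listed on this page. Added example, not part of the project.
# Assumptions: one artifact per directory, repository-layout file names
# (artifactId-version.pom etc.); pom.xml is accepted if no .pom file exists.

# check_release DIR ARTIFACT_ID VERSION
# Prints one line per violation; returns 0 only when every deliverable and its
# detached .asc signature exist and the POM carries the required metadata and
# none of the forbidden elements.
check_release() {
  dir="$1"; aid="$2"; ver="$3"
  status=0

  pom="$aid-$ver.pom"
  [ -f "$dir/$pom" ] || pom="pom.xml"

  # Every deliverable, and a detached signature for each of them.
  for f in "$pom" "$aid-$ver.jar" "$aid-$ver-javadoc.jar" "$aid-$ver-sources.jar"; do
    [ -f "$dir/$f" ]     || { echo "missing: $f"; status=1; }
    [ -f "$dir/$f.asc" ] || { echo "missing signature: $f.asc"; status=1; }
  done

  if [ -f "$dir/$pom" ]; then
    # Required metadata: coordinates, name/description, license, developers, SCM.
    for tag in groupId artifactId version name description licenses developers scm; do
      grep -q "<$tag>" "$dir/$pom" || { echo "POM lacks <$tag>"; status=1; }
    done
    # Forbidden: repository definitions, which Central will not accept.
    for tag in repositories pluginRepositories; do
      if grep -q "<$tag>" "$dir/$pom"; then
        echo "POM must not contain <$tag>"; status=1
      fi
    done
  fi
  return $status
}

# Usage: ./check_release.sh target/ ir-utils 0.1.0
if [ "$#" -eq 3 ]; then
  check_release "$@"
fi
```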