Deploying to Maven Central Repository

Although publishing Maven artifacts to Maven Central Repository (aka Maven Central) is a big thing and well described on the Internet I have found this process hard to remember. So, this tutorial is a quick todo on how to publish something to Maven Central.


One cannot publish to Maven Central directly and should use some forge like Sonatype or Apache instead. Those forges sync their repositories with Maven Central every couple of hours.
So far I have used only Sonatype Forge as a gate to Maven Central and this tutorial is made with use this institution.
I am using maven as a most popular build system for Java but this is not mandatory.

Prepare your environment

Create account at Sonatype JIRA

Account at Sonatype will be needed for:
- proper authorization when deploying artifacts to Sonatype staging repository (from which your artifact will be migrated to Maven Central)
- placing a ticket for staging repository creation at Sonatype for Your artifact
The account can be created here.

Create GPG Key for signing artifacts

In the process of publishing your artifact to Maven Central you will have to sign your artifacts with a key. Thus You should have a gpg key generated and published to gpg key servers.
To generate your gpg key just enter following CLI commands. Please note that during this process you will be prompted to enter passprhase. Remember it - you will use it when releasing your artifact.
pbojko@daisy:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
You will be asked about kind of key (algorithm and use of the key), choose default
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
Choose, then, length of a key. I’ve chosed 2048, default value.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Choose validity period of the key. I’ve chosed that my key won’t expire. This is because of the nature of artifacts. Once published in Maven Central it is quite probable that they won’t be changed or redeployed, thus published artifact should be always valid for users and projects that depends on them.
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Give your name, and email. Your email and nickname dedicated for open source activities is strongly recommended :)
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Piotr Bojko
Email address: piotr.bojko@:):):).com
Comment: ptr.bojko
You selected this USER-ID:
    "Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
At the end of the process, you will be asked to produce some mouse and keyboard activies. Do some crazy things now :)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key DD8D94FA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/D18D94F7 2014-04-26
      Key fingerprint = 2s9i9 s2i9s2i 9si29 9 s92i9is2 9i9s2 9si9i
uid                  Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>
sub   2048R/1B89A0C0 2014-04-26
Check whether the key exist in your gpg vault
pbojko@daisy:~$ gpg --list-keys
pub   2048R/DD8D94FA 2014-04-26
uid                  Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>
sub   2048R/AAAAAAAA 2014-04-26
Now the big thing - publish your generated key to a key server. Note that public keys are synced among key servers, but it may take a while.
pbojko@daisy:~$  gpg --keyserver hkp://pool.sks-keyservers.net --send-keys DD8D94FA 
gpg: sending key D18D94F7 to hkp server pool.sks-keyservers.net

Prepare your maven artifact

Attach distribution management to your POM

You can either inherit distribution management info by adding oss-parent from sonatype…
… or use distritubionManagement section
I either of ways you should add your credentials to Sonatype created earlier. Just add them to You settings.xml file

Prepare to sign build

All files you will deploy to Maven Central should be signed. In order to achieve this you should add another section to your pom for signing all builded files. To limit signing only to time when you truly releasing to Maven Central - you can wrap signing into profile activated when perfomRelease happen.

Register your new artifact at Sonatype

Create a New Project ticket here - https://issues.sonatype.org/secure/CreateIssue.jspa?issuetype=21&pid=10134.
This is needed because folks from Sonatype will validate your groupId and other information you will be prompted to fullfill when creating the ticket. They will also prepare na appropriate folders at repository conforming given groupId.


This is almost end of our journey up to Maven Central Repository :) . There is only two steps to do: perform the release with maven to your staging repository at sonatype and validate/publish your build at sonatype.

mvn release

Kind of simple magic here:
mvn release:prepare
mvn release:perform
Just rember to properly assign version to your builded artifact and next snapshot version here. Before that you should also check whether you have proper connection url for your source version control at pom.xml, valid certifactes, and you rember your passphrase.

Validate and release your build and Sonatype

After releasing your artifact - it will be uploaded to your staging repository here - https://oss.sonatype.org/#stagingRepositories.
Log in to https://oss.sonatype.org with your Sonatype credentials (same as for theirs JIRA) and follow this quick tutorial on how to publish move your build from Sonatype staging repository to Maven Central


I You find that this way to publish something to Maven Central have too many steps or is too complicated - please consider using some third party services like bintray. Check it here http://blog.bintray.com/2014/02/11/bintray-as-pain-free-gateway-to-maven-central/