AssumptionsOne cannot publish to Maven Central directly and should use some forge like Sonatype or Apache instead. Those forges sync their repositories with Maven Central every couple of hours.
So far I have used only Sonatype Forge as a gate to Maven Central and this tutorial is made with use this institution.
I am using maven as a most popular build system for Java but this is not mandatory.
Prepare your environment
Create account at Sonatype JIRAAccount at Sonatype will be needed for:
- proper authorization when deploying artifacts to Sonatype staging repository (from which your artifact will be migrated to Maven Central)
- placing a ticket for staging repository creation at Sonatype for Your artifact
The account can be created here.
Create GPG Key for signing artifactsIn the process of publishing your artifact to Maven Central you will have to sign your artifacts with a key. Thus You should have a gpg key generated and published to gpg key servers.
To generate your gpg key just enter following CLI commands. Please note that during this process you will be prompted to enter passprhase. Remember it - you will use it when releasing your artifact.
You will be asked about kind of key (algorithm and use of the key), choose default
pbojko@daisy:~$ gpg --gen-key gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.
Choose, then, length of a key. I’ve chosed 2048, default value.
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1
Choose validity period of the key. I’ve chosed that my key won’t expire. This is because of the nature of artifacts. Once published in Maven Central it is quite probable that they won’t be changed or redeployed, thus published artifact should be always valid for users and projects that depends on them.
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years
Give your name, and email. Your email and nickname dedicated for open source activities is strongly recommended :)
Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y
At the end of the process, you will be asked to produce some mouse and keyboard activies. Do some crazy things now :)
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: Piotr Bojko Email address: piotr.bojko@:):):).com Comment: ptr.bojko You selected this USER-ID: "Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key.
Check whether the key exist in your gpg vault
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key DD8D94FA marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 2048R/D18D94F7 2014-04-26 Key fingerprint = 2s9i9 s2i9s2i 9si29 9 s92i9is2 9i9s2 9si9i uid Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com> sub 2048R/1B89A0C0 2014-04-26
Now the big thing - publish your generated key to a key server. Note that public keys are synced among key servers, but it may take a while.
pbojko@daisy:~$ gpg --list-keys /home/pbojko/.gnupg/pubring.gpg ------------------------------- pub 2048R/DD8D94FA 2014-04-26 uid Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com> sub 2048R/AAAAAAAA 2014-04-26
pbojko@daisy:~$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys DD8D94FA gpg: sending key D18D94F7 to hkp server pool.sks-keyservers.net
Prepare your maven artifact
Attach distribution management to your POMYou can either inherit distribution management info by adding oss-parent from sonatype…
… or use distritubionManagement section
<parent> <groupId>org.sonatype.oss</groupId> <artifactId>oss-parent</artifactId> <version>9</version> </parent>
I either of ways you should add your credentials to Sonatype created earlier. Just add them to You settings.xml file
<distributionManagement> <snapshotRepository> <id>ossrh</id> <url>https://oss.sonatype.org/content/repositories/snapshots</url> </snapshotRepository> <repository> <id>ossrh</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url> </repository> </distributionManagement>
<server> <id>ossrh</id> <username>your-login-at-sonatype</username> <password>your-password-at-sonatype</password> </server>
Prepare to sign buildAll files you will deploy to Maven Central should be signed. In order to achieve this you should add another section to your pom for signing all builded files. To limit signing only to time when you truly releasing to Maven Central - you can wrap signing into profile activated when perfomRelease happen.
<profiles> <profile> <id>release-sign-artifacts</id> <activation> <property> <name>performRelease</name> <value>true</value> </property> </activation> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> <version>1.4</version> <executions> <execution> <id>sign-artifacts</id> <phase>verify</phase> <goals> <goal>sign</goal> </goals> </execution> </executions> </plugin> </plugins> </build> </profile> </profiles>
Register your new artifact at SonatypeCreate a New Project ticket here - https://issues.sonatype.org/secure/CreateIssue.jspa?issuetype=21&pid=10134.
This is needed because folks from Sonatype will validate your groupId and other information you will be prompted to fullfill when creating the ticket. They will also prepare na appropriate folders at repository conforming given groupId.
Release!This is almost end of our journey up to Maven Central Repository :) . There is only two steps to do: perform the release with maven to your staging repository at sonatype and validate/publish your build at sonatype.
mvn releaseKind of simple magic here:
Just rember to properly assign version to your builded artifact and next snapshot version here. Before that you should also check whether you have proper connection url for your source version control at pom.xml, valid certifactes, and you rember your passphrase.
mvn release:prepare mvn release:perform
Validate and release your build and SonatypeAfter releasing your artifact - it will be uploaded to your staging repository here - https://oss.sonatype.org/#stagingRepositories.
Log in to https://oss.sonatype.org with your Sonatype credentials (same as for theirs JIRA) and follow this quick tutorial on how to publish move your build from Sonatype staging repository to Maven Central