2014-05-08

Deploying to Maven Central Repository

Although publishing Maven artifacts to the Maven Central Repository (aka Maven Central) is a big thing and well described on the Internet, I have found the process hard to remember. So this tutorial is a quick to-do list on how to publish something to Maven Central.

Assumptions

One cannot publish to Maven Central directly and should use a forge such as Sonatype or Apache instead. Those forges sync their repositories with Maven Central every couple of hours.
So far I have used only the Sonatype forge as a gateway to Maven Central, and this tutorial is written around it.
I am using Maven, as the most popular build system for Java, but this is not mandatory.

Prepare your environment

Create account at Sonatype JIRA

An account at Sonatype is needed for:
- proper authorization when deploying artifacts to the Sonatype staging repository (from which your artifact will be migrated to Maven Central)
- placing a ticket at Sonatype to have a staging repository created for your artifact
The account can be created here.

Create GPG Key for signing artifacts

In the process of publishing your artifact to Maven Central you will have to sign your artifacts with a key. Thus you should have a gpg key generated and published to gpg key servers.
To generate your gpg key, just enter the following CLI commands. Please note that during this process you will be prompted to enter a passphrase. Remember it - you will use it when releasing your artifact.
pbojko@daisy:~$ gpg --gen-key
gpg (GnuPG) 1.4.16; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
You will be asked about the kind of key (algorithm and use of the key); choose the default.
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
Then choose the length of the key. I chose 2048, the default value.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Choose the validity period of the key. I chose a key that does not expire. This is because of the nature of artifacts: once published in Maven Central, it is quite probable that they won't be changed or redeployed, so a published artifact should always remain valid for the users and projects that depend on it.
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Give your name and email. An email and nickname dedicated to open source activities are strongly recommended :)
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Piotr Bojko
Email address: piotr.bojko@:):):).com
Comment: ptr.bojko
You selected this USER-ID:
    "Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
At the end of the process, you will be asked to produce some mouse and keyboard activity. Do some crazy things now :)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key DD8D94FA marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/D18D94F7 2014-04-26
      Key fingerprint = 2s9i9 s2i9s2i 9si29 9 s92i9is2 9i9s2 9si9i
uid                  Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>
sub   2048R/1B89A0C0 2014-04-26
Check whether the key exists in your gpg keyring
pbojko@daisy:~$ gpg --list-keys
/home/pbojko/.gnupg/pubring.gpg
-------------------------------
pub   2048R/DD8D94FA 2014-04-26
uid                  Piotr Bojko (ptr.bojko) <piotr.bojko@:):):).com>
sub   2048R/AAAAAAAA 2014-04-26
Now the big thing - publish your generated key to a key server. Note that public keys are synced among key servers, but it may take a while.
pbojko@daisy:~$  gpg --keyserver hkp://pool.sks-keyservers.net --send-keys DD8D94FA 
gpg: sending key D18D94F7 to hkp server pool.sks-keyservers.net

Prepare your maven artifact

Attach distribution management to your POM

You can either inherit distribution management info by adding oss-parent from sonatype…
<parent>
    <groupId>org.sonatype.oss</groupId>
    <artifactId>oss-parent</artifactId>
    <version>9</version>
</parent>
… or use a distributionManagement section
<distributionManagement>
    <snapshotRepository>
        <id>ossrh</id>
        <url>https://oss.sonatype.org/content/repositories/snapshots</url>
    </snapshotRepository>
    <repository>
        <id>ossrh</id>
        <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
    </repository>
</distributionManagement>
In either case you should add the Sonatype credentials you created earlier. Just add them to your settings.xml file
<server>
    <id>ossrh</id>
    <username>your-login-at-sonatype</username>
    <password>your-password-at-sonatype</password>
</server>
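
The `<server>` entry above keeps the Sonatype password in clear text; Maven also accepts an encrypted `{...}` value (produced with `mvn --encrypt-password`) or a `${env.NAME}` reference in that element. The following check is an added example, not part of the original post: it classifies each `<server>` password in a settings.xml. The server ids `ossrh-encrypted` and `ossrh-env`, the variable name `OSSRH_PASSWORD`, the ciphertext placeholder and all function names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: three ways a <server> password can appear in settings.xml.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>ossrh</id>
      <username>your-login-at-sonatype</username>
      <password>your-password-at-sonatype</password>
    </server>
    <server>
      <id>ossrh-encrypted</id>
      <password>{CONSTRUCTED-PLACEHOLDER-CIPHERTEXT=}</password>
    </server>
    <server>
      <id>ossrh-env</id>
      <password>${env.OSSRH_PASSWORD}</password>
    </server>
  </servers>
</settings>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def classify_password(value):
    """Return 'missing', 'property', 'encrypted' or 'plaintext'."""
    value = (value or "").strip()
    if not value:
        return "missing"
    if re.fullmatch(r"\$\{[^}]+\}", value):
        return "property"      # resolved at build time, e.g. ${env.NAME}
    if re.search(r"(?<!\$)\{[^{}]+\}", value):
        return "encrypted"     # Maven's {ciphertext} form, comments allowed around it
    return "plaintext"

def audit_settings(xml_text):
    """Map each server id to the classification of its <password>."""
    findings = {}
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "server":
            continue
        fields = {_local(child.tag): child.text for child in elem}
        findings[fields.get("id")] = classify_password(fields.get("password"))
    return findings

if __name__ == "__main__":
    for server_id, kind in audit_settings(SAMPLE_SETTINGS).items():
        print(f"{server_id}: {kind}")
```

Any id reported as `plaintext` is a credential readable by whoever can read the file or a backup of it.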

Prepare to sign build

All files you deploy to Maven Central should be signed. To achieve this, add another section to your POM that signs all built files. To limit signing to the times when you are truly releasing to Maven Central, you can wrap the signing in a profile activated when performRelease happens.
<profiles>
    <profile>
        <id>release-sign-artifacts</id>
        <activation>
            <property>
                <name>performRelease</name>
                <value>true</value>
            </property>
        </activation>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-gpg-plugin</artifactId>
                    <version>1.4</version>
                    <executions>
                        <execution>
                            <id>sign-artifacts</id>
                            <phase>verify</phase>
                            <goals>
                                <goal>sign</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>
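
The profile above produces a detached `.asc` signature next to each built file. The consumer-side counterpart, as an added example that is not part of the original post: verify an artifact against its `.asc` and accept it only if the signature was made under one expected full fingerprint, rather than under an 8-hex short key ID like the ones in the listing earlier. The status lines, both fingerprints and the function names are constructed for the illustration; 40-hex (v4) fingerprints are assumed.

```python
import subprocess

# Constructed sample of `gpg --status-fd 1 --verify` output. Both 40-hex
# fingerprints are placeholders, not the key generated in the article.
SIGNING_FPR = "A" * 40
PRIMARY_FPR = "B" * 40
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG BBBBBBBBBBBBBBBB Example Signer <signer@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {SIGNING_FPR} 2014-04-26 1398500000 0 4 0 1 8 00 {PRIMARY_FPR}\n"
)

def signer_fingerprints(status_text):
    """Return (signing_key_fpr, primary_key_fpr) from VALIDSIG, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        if parts[:2] == ["[GNUPG:]", "VALIDSIG"] and len(parts) >= 3:
            signing = parts[2].upper()
            # The optional tenth argument is the primary key's fingerprint.
            primary = parts[11].upper() if len(parts) >= 12 else signing
            return signing, primary
    return None

def signed_by(status_text, expected_fpr):
    """True only for a good signature made under the expected primary key."""
    # Expired or revoked keys yield EXPKEYSIG/REVKEYSIG instead of GOODSIG.
    good = any(l.startswith("[GNUPG:] GOODSIG ")
               for l in status_text.splitlines())
    found = signer_fingerprints(status_text)
    expected = expected_fpr.replace(" ", "").upper()
    # Refuse anything shorter than a full 40-hex fingerprint.
    return (good and found is not None
            and len(expected) == 40 and found[1] == expected)

def verify_artifact(artifact_path, expected_fpr):
    """Check artifact_path against artifact_path + '.asc' with the local gpg."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify",
         artifact_path + ".asc", artifact_path],
        capture_output=True, text=True)
    return proc.returncode == 0 and signed_by(proc.stdout, expected_fpr)

if __name__ == "__main__":
    print(signed_by(SAMPLE_STATUS, PRIMARY_FPR))  # constructed sample
```

`verify_artifact` needs `gpg` on the PATH and the publisher's public key already imported into the local keyring.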

Register your new artifact at Sonatype

Create a New Project ticket here - https://issues.sonatype.org/secure/CreateIssue.jspa?issuetype=21&pid=10134.
This is needed because the folks from Sonatype will validate your groupId and the other information you will be prompted to fill in when creating the ticket. They will also prepare the appropriate folders in the repository for the given groupId.

Release!

This is almost the end of our journey to Maven Central Repository :) . There are only two steps left: perform the release with Maven to your staging repository at Sonatype, and validate/publish your build at Sonatype.

mvn release

Kind of simple magic here:
mvn release:prepare
mvn release:perform
Just remember to properly assign the version of your built artifact and the next snapshot version here. Before that, you should also check that you have the proper connection URL for your source version control in pom.xml and valid certificates, and that you remember your passphrase.

Validate and release your build at Sonatype

After releasing your artifact - it will be uploaded to your staging repository here - https://oss.sonatype.org/#stagingRepositories.
Log in to https://oss.sonatype.org with your Sonatype credentials (the same as for their JIRA) and follow this quick tutorial on how to publish your build, moving it from the Sonatype staging repository to Maven Central.

Alternatives

If you find that this way of publishing to Maven Central has too many steps or is too complicated, please consider using a third-party service like bintray. Check it here: http://blog.bintray.com/2014/02/11/bintray-as-pain-free-gateway-to-maven-central/
