maven-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Benjamin Bentmann <>
Subject Re: WARNING: Maven 2.1 and GPG plugin interaction problems.....
Date Tue, 05 May 2009 11:47:04 GMT
Daniel Kulp wrote:

> This is just a warning that the Maven team has just discovered an interaction 
> problem between Maven 2.1 and the maven-gpg-plugin that CAN result in the 
> signatures for the installed/deployed poms being invalid.   Signatures for the 
> other artifacts (jars, wars, etc..) are unaffected and not all poms are 
> affected.

I guess you mean the new VersionExpressionTransformation that has been 
added for MNG-3057 and resolves version properties on-the-fly in the POM 
during installation?

> Thus, at this point, it's advisable to either use Maven 2.0.10 for releases or 
> verify, check, and resign any affected poms.

I just re-checked and the POM for maven-shade-plugin:1.2.1 that I 
released not long ago with Maven 2.1.0 suffers from this. What's the 
process of fixing the signature on central?

> The Maven team is aware of the situation and is working on a fix.

A corresponding JIRA is still outstanding, likely due to unclear target 
project, right? Possibly something we want to consider for inclusion in 2.2?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message