maven-users mailing list archives

From Brian Fox <bri...@infinity.nu>
Subject Re: gpg:sign and repository:bundle-create produce bad signatures
Date Fri, 11 Jun 2010 02:37:51 GMT
We'll have to look into this and see what's up. It shouldn't modify
the jar if it's already there.

On Tue, Jun 8, 2010 at 2:08 PM, Bruno Harbulot
<Bruno.Harbulot@manchester.ac.uk> wrote:
>
>
> On 08/06/10 16:52, Bruno Harbulot wrote:
>>
>>
>> On 08/06/10 15:24, Bruno Harbulot wrote:
>>
>>> I'm trying to follow the procedure for manual upload as described on
>>> this page:
>>>
>>> http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/
>>>
>>>
>>>
>>> I've set up my GPG key and it seems to work mostly well, except that the
>>> .asc file produced by this is incorrect:
>>>
>>> $ mvn source:jar javadoc:jar package gpg:sign repository:bundle-create
>>> $ cd target
>>> $ gpg --verify ....jar.asc
>>> gpg: Signature made Tue 08 Jun 2010 15:17:32 BST using RSA key ID E39C0477
>>> gpg: BAD signature from "..."
>>>
>>>
>>> In contrast, if I don't use repository:bundle-create, it works fine:
>>>
>>> $ mvn source:jar javadoc:jar package gpg:sign
>>> $ cd target
>>> $ gpg --verify ....jar.asc
>>> gpg: Signature made Tue 08 Jun 2010 15:19:25 BST using RSA key ID E39C0477
>>> gpg: Good signature from "..."
>>>
>>>
>>> Any idea what I might be doing wrong? I've tried with and without the
>>> explicit plugin settings in the POM file as described on this page, but
>>> this doesn't change the outcome:
>>>
>>> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven/
>>>
>>
>>
>> I've looked a bit further into this problem.
>> It looks like repository:bundle-create modifies the content of the jar
>> file it bundles (not the bundle, but the artifact bundled).
>> The only modification I can see in the jar is the change of timestamp
>> of these files (and containing directories):
>> META-INF/maven/<groupId>/<artifactId>/pom.properties
>> and
>> META-INF/maven/remote-resources.xml
>>
>> The actual content is unchanged. However insignificant, these changes
>> modify the jar file and thus break the signature.
>>
>> It seems to be due to the fact repository:bundle-create runs jar:jar
>> again. Is it possible to tell it to skip it when running
>> repository:bundle-create?
>
> I've worked around the problem by putting this in the POM:
>
>   <profiles>
>     <profile>
>       <activation>
>         <property>
>           <name>performRelease</name>
>           <value>true</value>
>         </property>
>       </activation>
>       <build>
>         <plugins>
>           <plugin>
>             <groupId>org.apache.maven.plugins</groupId>
>             <artifactId>maven-gpg-plugin</artifactId>
>             <executions>
>               <execution>
>                 <phase>package</phase>
>                 <goals>
>                   <goal>sign</goal>
>                 </goals>
>               </execution>
>             </executions>
>           </plugin>
>         </plugins>
>       </build>
>     </profile>
>   </profiles>
>
>
> Then, I've used this, without gpg:sign:
>  mvn -DperformRelease=true clean source:jar javadoc:jar install repository:bundle-create
>
>
> After that, the upload to oss.sonatype.org worked just fine!
>
>
> Best wishes,
>
> Bruno.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
> For additional commands, e-mail: users-help@maven.apache.org
>
>
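
The failure diagnosed in this thread can be reproduced offline. The following is an added example, not code from the thread or from any Maven plugin: it compares the jar that was signed with a later copy and reports whether entries differ in content or only in stored timestamp. The sample jar contents, the group and artifact ids, and the function names are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample: entry paths follow the thread; group/artifact ids are made up.
SAMPLE = {
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed class bytes",
    "META-INF/maven/com.example/demo/pom.properties": b"version=1.0\n",
    "META-INF/maven/remote-resources.xml": b"<remoteResourcesBundle/>\n",
}
T_SIGNED = (2010, 6, 8, 15, 17, 32)  # entry time when the jar was signed
T_REJAR = (2010, 6, 8, 15, 18, 10)   # entry time after the jar was written again


def build_jar(entries):
    """Build a jar in memory from name -> (bytes, (Y, M, D, h, m, s))."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, (data, stamp) in entries.items():
            jar.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


def entry_table(jar_bytes):
    """Map entry name -> (SHA-256 of the entry content, stored timestamp)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: (hashlib.sha256(jar.read(i)).hexdigest(), i.date_time)
                for i in jar.infolist()}


def compare_jars(signed, rebuilt):
    """Report what differs; a detached .asc covers every byte of the jar file."""
    a, b = entry_table(signed), entry_table(rebuilt)
    both = a.keys() & b.keys()
    return {
        "file_sha256_equal": hashlib.sha256(signed).digest() == hashlib.sha256(rebuilt).digest(),
        "content_changed": sorted(n for n in both if a[n][0] != b[n][0]),
        "timestamp_only": sorted(n for n in both if a[n][0] == b[n][0] and a[n][1] != b[n][1]),
        "added_or_removed": sorted(a.keys() ^ b.keys()),
    }


def demo():
    signed = build_jar({n: (d, T_SIGNED) for n, d in SAMPLE.items()})
    rebuilt = build_jar({n: (d, T_REJAR if n.startswith("META-INF/maven/") else T_SIGNED)
                         for n, d in SAMPLE.items()})
    return compare_jars(signed, rebuilt)

if __name__ == "__main__":
    print(demo())
```

A result with `file_sha256_equal` false and every difference under `timestamp_only` matches the situation described above: the artifact was rewritten after signing, so the signature has to be produced over the final file.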
