[
https://issues.apache.org/jira/browse/UIMA-5876?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16640301#comment-16640301
]
Marshall Schor commented on UIMA-5876:
--------------------------------------
after much experimentation, I have an approach for gpg / sha512 signing /
checksumming and putting results into /target and .m2 (via deploy), which seems
to work.
But, it requires fixes to 2 maven plugins: the maven-gpg-plugin ( see MGPG-66 )
and the checksum-maven-plugin ( see
[https://github.com/nicoulaj/checksum-maven-plugin/issues/63] ).
The gpg-plugin fix is minor: it needs to exclude signing things that match it's
excludes configuration. Not fixing this means that the checksums get signed and
deployed as well as the artifacts.
The checksum-maven-plugin has 2 fixes.
The first is to have the "artifacts" goal include the "pom" - it was missing
this, because (for some internal reason) the pom doesn't show up on the list of
attached artifacts.
The 2nd is to have the checksum artifacts's coordinates for deploying have a
type made from the last part of the file name before the .sha512, concatenated
with ".sha512". Example: the xxx-sources.jar gets a type of "jar.sha512".
This allows the file to be put into the deploy repo with the name
xxx-sources.jar.sha512. See details in issue 63.
I'm not sure how to incorporate these plugin changes in a way we can use them.
Running with Ant instead is something we could do until these get officially
fixed. But it has issues: Ideally, we want to sign/checksum the main artifact
+ all the attached artifacts & pom. The gpg plugin does this. But to get the
sha512 checksums done with Ant would take specifying every file that needed
this, manually (beyond the pom, which could be part of the uima-wide parent).
For example, uimaj-core needs this for
- jar (the main artifact)
- javadoc.jar
- sources.jar (note: this is different than source-release.zip... it is just
the java-sources, fetched automatically by some IDEs)
The spec of these things would be used in 2 places: one for the ant checksum
task, and one for the build-helper-maven-plugin, used for the attach goal, to
attach the results so they get deployed into .m2 etc.
That's messy, and seems to affect potentially many projects, so it's much nicer
to have working gpg / checksum maven plugins :)
> update uima-wide parent-pom
> ---------------------------
>
> Key: UIMA-5876
> URL: https://issues.apache.org/jira/browse/UIMA-5876
> Project: UIMA
> Issue Type: Improvement
> Components: Build, Packaging and Test
> Affects Versions: parent-pom-11
> Reporter: Marshall Schor
> Assignee: Marshall Schor
> Priority: Minor
> Fix For: parent-pom-12
>
>
> Additional updates beyond UIMA-5856. Remove redundant/outdated versioning
> now provided by current apache-wide parent-pom (21). add common configuration
> for api change report.
> Attempts to use the checksum-maven-plugin reveal that it doesn't work
> correctly, see [https://github.com/nicoulaj/checksum-maven-plugin/issues/63]
> ). Design a work-around that uses Ant scripts, and insure it works both for
> maven-deploy targets (e.g. .m2) and for normal apache distribution targets
> (e.g. project/target ).
> Due to bug in the current implementation of the maven-gpg-plugin ( MGPG-66 ),
> the gpg plugin needs to be run before doing the .sha512 checksumming
> (otherwise the checksums also get signed).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
