jira-importer commented on issue #958: URL: https://github.com/apache/maven-javadoc-plugin/issues/958#issuecomment-2957364856
**[Christian Schulte](https://issues.apache.org/jira/secure/ViewProfile.jspa?name=schulte77)** commented If nobody else wants to provide such a plugin, I'll prepare a maven-signer-plugin patch to have something to start with and attach it to this issue. Thinking about it, should such a mojo also contain the functionality of the maven-gpg-plugin ? If a general maven-signer-plugin would be available, I see no reason why not make it provide different signing strategies (jarsigner, gpg, what else?) Is there already some ArtifactSigner component available or something like this ? What would be the preferred design ? Provide an ArtifactSigner component in group org.apache.maven.shared.something and use that in the plugin ? For consistency with the other plugins, I am just missing a maven-jarsigner-plugin, I think, which can be executed independently of the maven-jar-plugin. There is a policy here to sign all jar files during release. For this, I added a release profile like: ``` <profile> <id>release</id> <activation> <activeByDefault>false</activeByDefault> </activation> <build> <plugins> <plugin> <inherited>true</inherited> <artifactId>maven-jar-plugin</artifactId> <executions> <execution> <id>sign</id> <phase>package</phase> <goals> <goal>sign</goal> </goals> <configuration> <storepass>${jarsign.storepass}</storepass> <keypass>${jarsign.keypass}</keypass> <alias>${jarsign.alias}</alias> <jarPath>${project.build.directory}/${project.build.finalName}.jar</jarPath> </configuration> </execution> </executions> </plugin> <plugin> <inherited>true</inherited> <artifactId>maven-gpg-plugin</artifactId> </plugin> <plugin> <inherited>true</inherited> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-source-plugin</artifactId> <executions> <execution> <id>attach-sources</id> <goals> <goal>jar</goal> </goals> </execution> </executions> </plugin> <plugin> <inherited>true</inherited> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> <executions> <execution> <id>attach-javadocs</id> <goals> <goal>jar</goal> </goals> </execution> </executions> </plugin> <plugin> <inherited>true</inherited> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-deploy-plugin</artifactId> <configuration> <updateReleaseInfo>true</updateReleaseInfo> </configuration> </plugin> </plugins> </build> </profile> ``` This does not work for signing the source and javadoc jars since the jar:sign goal will be run before the source and javadoc plugins were run. maven-jar-plugin: Plugin for the jar command line tool. maven-gpg-plugin: Plugin for the gpg command line tool. maven-jarsigner-plugin: Plugin for the jarsigner command line tool. So create a maven-jarsigner-plugin based on the maven-jar-plugin's sign goal and deprecated jar:sign in favour of that ? WDYT -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
