Signing when staging with Maven Artifact Resolver Ant Task
Maven Ant Tasks has been retired in favor of Maven Artifact Resolver Ant Tasks. There is no official migration path and the documentation is, well, OK. We used Maven Ant Tasks to stage our jars into Sonatype for publication in Maven Central. I've been able to almost completely replicate that behavior in Maven Artifact Resolver Ant Tasks, but I haven't been able to sign the jars. Does anybody know how this should be performed? Previously, I'd add a in the task. Now I have a task and it works perfectly, but no signing. Ciao, seba - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: Custom ArtifactRepositoryLayout (plugin/extension)
Hi Tamas,
thanks a lot for understanding the question. It would be easier to have
such extension/plugin declared in a setting file, as it would help to
keep the project portable, but it works well.
The solution to create a custom artefact loader is an implementation of
RepositoryLayoutFactory with the layout as @Named.
@Named("http-directory")
public final class HttpDirectoryFactory implements RepositoryLayoutFactory
exygen
http://www.exygen.fr/releases/
http-directory
The ArtifactRepositoryLayout seems useless.
regards,
Stephane
Le 2023-02-14 à 20:11, Tamás Cservenák a écrit :
Howdy,
given there is no question (I did not find it?), I guess the above setup
does not work?
By your description, code should be ok (as you describe it), all you need
to ensure is that you have plexus metadata present (you also did not
specify which maven version you build against). The code should NOT be
built as a maven-plugin, but as a simple JAR w/ plexus-component-metadata
(if not already).
Next, to extend the resolver, you CANNOT do it via POM or extensions.xml
(to have that latter, GAV into a downloaded JAR file, the resolver is
already constructed).
Hence, put the JAR w/ Plexus Metadata into the $MAVEN_HOME/lib/ext
directory instead, as this would be an "early" loaded extension.
More about it here:
https://maven.apache.org/guides/mini/guide-using-extensions.html
HTH
T
On Tue, Feb 14, 2023 at 11:46 AM Stephane Passignat
wrote:
Hello,
I created a custom ArtifactRepositoryLayout to import libraries from a
non standard repository layout. Now I would like maven to use it...
The class is created like the default layout, with another id.
@Component(role =ArtifactRepositoryLayout.class, hint ="http-directory")
public String getId() {
return "http-directory";
}
To make sure I see the usage of this extension interface method print a
stacktrace:
public String pathOf(Artifact artifact) {
Thread.dumpStack();
It's built as a plugin (only maven-bundle-plugin is new to me, I already
made several plugins):
org.apache.felix
maven-bundle-plugin
true
org.apache.maven.plugins
maven-plugin-plugin
3.6.0
true
mojo-descriptor
descriptor
In the pom.xml of the project, I setup the repository with that layout:
http-directory
Then I registered an extension in a project (new to me) in order to have
it in the classpath:
.mvn/extensions.xml
http://maven.apache.org/EXTENSIONS/1.0.0;
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
xsi:schemaLocation="http://maven.apache.org/EXTENSIONS/1.0.0
http://maven.apache.org/xsd/core-extensions-1.0.0.xsd;>
...
maven-http-directory
1.0-SNAPSHOT
Thanks for your help.
Stéphane
--
*Stéphane Passignat*
✆ +33 6 62 57 47 86
✉ passig...@hotmail.com
3 place Jacques Marette, 75015 PARIS
[ANN] Maven Invoker Plugin 3.5.0 released
The Apache Maven team is pleased to announce the release of the Maven Invoker Plugin version 3.5.0. https://maven.apache.org/plugins/maven-invoker-plugin/ You should specify the version in your project's plugin configuration: org.apache.maven.plugins maven-invoker-plugin 3.5.0 Release Notes - Maven Invoker Plugin - Version 3.5.0 ** Bug * [MINVOKER-318] - invoker install can not resolve test dependencies if they overlap with runtime deps * [MINVOKER-319] - Invoker Install fail with Maven 4.0.0-alpha-4 * [MINVOKER-323] - DefaultVersionResolver is inflicting ArtifactNotFoundException for classifiers with SNAPSHOT version ** Improvement * [MINVOKER-313] - Get rid of maven-artifact-transfer ** Task * [MINVOKER-324] - Fix Temporary File Information Disclosure Vulnerability ** Dependency upgrade * [MINVOKER-322] - Bump assertj-core from 3.23.1 to 3.24.2 * [MINVOKER-325] - Upgrade to groovy 4.0.9 * [MINVOKER-326] - Bump doxia-sink-api from 1.11.1 to 1.12.0 * [MINVOKER-327] - Upgrade to parent 39 Enjoy, -The Apache Maven team - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
[ANN] Maven Javadoc Plugin 3.5.0 released
The Apache Maven team is pleased to announce the release of the Maven Javadoc Plugin, version 3.5.0. This module generates browsable HTML pages from Java source code. https://maven.apache.org/plugins/maven-javadoc-plugin/ You should specify the version in your project's plugin configuration: org.apache.maven.plugins maven-javadoc-plugin 3.5.0 Release Notes - Maven Javadoc Plugin - Version 3.5.0 ** Bug * [MJAVADOC-700] - Plugin duplicates classes in Java 8 all-classes lists ** Improvement * [MJAVADOC-685] - Deprecate parameter "stylesheet" * [MJAVADOC-721] - Parse stderr output and suppress informational lines * [MJAVADOC-729] - Link to Javadoc references from JDK 17 * [MJAVADOC-731] - Migrate components to JSR 330, get rid of maven-artifact-transfer, update to parent 37 ** Dependency upgrade * [MJAVADOC-738] - Upgrade commons-text to 1.10.0 * [MJAVADOC-740] - Upgrade Parent to 39 * [MJAVADOC-741] - Upgrade plugins and components Enjoy, -The Apache Maven team - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
[ANN] Maven Fluido Skin 2.0.0-M3 released
The Apache Maven team is pleased to announce the release of the Maven Fluido Skin, version 2.0.0-M3. https://maven.apache.org/skins/maven-fluido-skin/ You should specify the version in your project's site configuration: org.apache.maven.skins maven-fluido-skin 2.0.0-M3 Release Notes - Maven Fluido Skin - Version 2.0.0-M3 ** Improvement * [MSKINS-210] - Don't print CSS class for if none has been provided * [MSKINS-211] - Print href in anchors for #link() IF href has been provided * [MSKINS-212] - Simplify IT verification with more Groovy features ** Task * [MSKINS-101] - Remove decorationModel/custom/publishDate from skin-macros.vm ** Dependency upgrade * [MSKINS-213] - Upgrade to Doxia Sitetools to 2.0.0-M5 Enjoy, -The Apache Maven team - To unsubscribe, e-mail: users-unsubscr...@maven.apache.org For additional commands, e-mail: users-h...@maven.apache.org
Re: How to use a different signing mechanism with maven-gpg-plugin
Hi! On 15. Feb. 2023 Railean, Alexander wrote: [...] > After I sign the jar using utilities provided by the HSM, is there a way to > tell maven-gpg-plugin to use existing signature of the jar and upload it to > the server? (instead of trying to produce its own) > > Alternatively, maybe you can recommend another approach that I can take? Hm, so signing the artifacts already works and you just want to install/deploy the signatures along with the JARs? Than I'd say build-helper-maven-plugin is what you need: http://www.mojohaus.org/build-helper-maven-plugin/attach-artifact-mojo.html hth, - martin pgpZDrW5l1JDC.pgp Description: Digitale Signatur von OpenPGP
Re: How to use a different signing mechanism with maven-gpg-plugin
Howdy, if you can use your GPG CLI with your HSM, this could or should be possible, as maven-gpg-plugin really just invokes the CLI (the gpg executable). HTH T On Wed, Feb 15, 2023 at 12:50 PM Railean, Alexander < alexander.rail...@siemens.com> wrote: > Hi everyone, > > > > I am looking for a way to use maven-gpg-plugin in conjunction with a > Hardware Security Module (HSM) for the process of publishing digitally > signed artifacts on Maven Central. > > > > After reading the documentation I am under the impression that the plugin > assumes that it has the signing key and the passphrase – but in my use case > I rely on an external device to securely store the key, and the key itself > cannot get out of the device, by design. > > > > After I sign the jar using utilities provided by the HSM, is there a way > to tell maven-gpg-plugin to use existing signature of the jar and upload it > to the server? (instead of trying to produce its own) > > > > Alternatively, maybe you can recommend another approach that I can take? > > > > Alex >
How to use a different signing mechanism with maven-gpg-plugin
Hi everyone, I am looking for a way to use maven-gpg-plugin in conjunction with a Hardware Security Module (HSM) for the process of publishing digitally signed artifacts on Maven Central. After reading the documentation I am under the impression that the plugin assumes that it has the signing key and the passphrase - but in my use case I rely on an external device to securely store the key, and the key itself cannot get out of the device, by design. After I sign the jar using utilities provided by the HSM, is there a way to tell maven-gpg-plugin to use existing signature of the jar and upload it to the server? (instead of trying to produce its own) Alternatively, maybe you can recommend another approach that I can take? Alex smime.p7s Description: S/MIME cryptographic signature
