We'll have to look into this and see what's up. It shouldn't modify the jar if it's already there.
On Tue, Jun 8, 2010 at 2:08 PM, Bruno Harbulot <[email protected]> wrote: > > > On 08/06/10 16:52, Bruno Harbulot wrote: >> >> >> On 08/06/10 15:24, Bruno Harbulot wrote: >> >>> I'm trying to follow the procedure for manual upload as described on >>> this page: >>> >>> http://www.sonatype.com/people/2010/04/uploading-artifacts-to-the-central-maven-repository-diy/ >>> >>> >>> >>> I've set up my GPG key and it seems to work mostly well, except that the >>> .asc file produced by this is incorrect: >>> >>> $ mvn source:jar javadoc:jar package gpg:sign repository:bundle-create >>> $ cd target >>> $ gpg --verify ....jar.asc >>> gpg: Signature made Tue 08 Jun 2010 15:17:32 BST using RSA key ID >>> E39C0477 >>> gpg: BAD signature from "..." >>> >>> >>> In contrast, if I don't use repository:bundle-create, it works fine: >>> >>> $ mvn source:jar javadoc:jar package gpg:sign >>> $ cd target >>> $ gpg --verify ....jar.asc >>> gpg: Signature made Tue 08 Jun 2010 15:19:25 BST using RSA key ID >>> E39C0477 >>> gpg: Good signature from "..." >>> >>> >>> Any idea what I might be doing wrong? I've tried with and without the >>> explicit plugin settings in the POM file as described on this page, but >>> this doesn't change the outcome: >>> >>> http://www.sonatype.com/people/2010/01/how-to-generate-pgp-signatures-with-maven/ >>> >> >> >> I've looked a bit further into this problem. >> It looks like repository:bundle-create modifies the content of the jar >> file it bundles (not the bundle, but the artifact bundled). >> The only modifications I can see in the jar is the change of timestamp >> of this file (and containing directories): >> META-INF/maven/<groupdId>/<artifactId>/pom.properties >> and >> META-INF/maven/remote-resources.xml >> >> The actual content is unchanged. However insignificant, these changes >> modify the jar file and thus breaks the signature. >> >> It seems to be due to the fact repository:bundle-create runs jar:jar >> again. Is it possible to tell it to skip it when running >> repository:bundle-create? > > I've worked around the problem by putting this in the POM: > > <profiles> > <profile> > <activation> > <property> > <name>performRelease</name> > <value>true</value> > </property> > </activation> > <build> > <plugins> > <plugin> > > <groupId>org.apache.maven.plugins</groupId> > > <artifactId>maven-gpg-plugin</artifactId> > <executions> > <execution> > > <phase>package</phase> > <goals> > > <goal>sign</goal> > </goals> > </execution> > </executions> > </plugin> > </plugins> > </build> > </profile> > </profiles> > > > Then, I've used this, without gpg:sign: > mvn -DperformRelease=true clean source:jar javadoc:jar install > repository:bundle-create > > > After that, the upload to oss.sonatype.org worked just fine! > > > Best wishes, > > Bruno. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
