Tamás, Martin - thank you for your quick feedback. It gave me certainty that the objective can be accomplished.
> if you can use your GPG CLI with your HSM, this could or should be possible,
> as maven-gpg-plugin really just invokes the CLI (the gpg executable).

The HSM doesn't provide such an option, but I can wrap its tool in a program called `gpg`, and mimic the command line interface of the real GPG. However, it sounds like Martin's approach would be simpler because it can use the files I already have.

> Hm, so signing the artifacts already works and you just want to
> install/deploy the signatures along with the JARs?
> Then I'd say build-helper-maven-plugin is what you need

Since I am new to the Java ecosystem, I couldn't figure out from the documentation of this plugin in what way I can apply it for my specific purpose. Thus, I looked for entry-level guides and made progress by following this one: https://central.sonatype.org/publish/publish-maven

They recommend using nexus-staging-maven-plugin.

My starting state is with these files on my computer:

CmpRaComponent-2.2.2-SNAPSHOT.jar
CmpRaComponent-2.2.2-SNAPSHOT.jar.asc
CmpRaComponent-2.2.2-SNAPSHOT.jar.md5
CmpRaComponent-2.2.2-SNAPSHOT.jar.sha1
CmpRaComponent-2.2.2-SNAPSHOT.jar.sha256
CmpRaComponent-2.2.2-SNAPSHOT.jar.sha512
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar.asc
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar.md5
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar.sha1
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar.sha256
CmpRaComponent-2.2.2-SNAPSHOT-javadoc.jar.sha512
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar.asc
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar.md5
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar.sha1
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar.sha256
CmpRaComponent-2.2.2-SNAPSHOT-sources.jar.sha512
pom.xml, in the root directory of my project

Then I run `mvn jar:jar nexus-staging:deploy nexus-staging:deploy-staged`.

It runs successfully and the logs show the data are uploaded to https://s01.oss.sonatype.org/content/repositories/snapshots/com/siemens/pki/CmpRaComponent/ - I can browse the directory structure, so it looks like it works. However, the signature files are not there.

I repeated the process one more time, while observing file-system I/O - I saw that *.asc are not read at all.

Are there any other prerequisites that have to be met in order for this to work?

Looking forward to your additional clues,
Alex
