 

How to sign maven publications with gradle

Have such build.gradle script that uses new publishing plugin:

apply plugin: 'java'
apply plugin: 'groovy'
apply plugin: 'signing'
apply plugin: 'maven-publish'

// ...

publishing {
    publications {
        maven(MavenPublication) {
            from components.java

            artifact sourcesJar {
                classifier 'source'
            }
        }
    }

    repositories {
        maven {
            name 'Temporary'
            url "file://${rootProject.buildDir}/repo"
        }
    }
}

signing {
    sign configurations.archives
}

So the questions are:

  1. How to sign maven pom?
  2. How to publish signatures to maven repository?
asked May 15 '13 08:05 by sody
2 Answers

The new, incubating maven-publish plugin doesn't support signing yet.

answered Sep 24 '22 10:09 by Peter Niederwieser


While it is still not officially supported, it is nonetheless possible to upload signed artifacts using the signing and the maven-publish plugin.

First, we set up our signing section as usual:

apply plugin: 'signing'

signing {
  sign configurations.archives
}

This will sign the project's archive. To sign the POM that is created by the maven-publish plugin, we add a sign task:

task signPom(type: Sign) {
  sign project.file('build/publications/maven/pom-default.xml')
  outputs.upToDateWhen { false }  // the signing plugin does not seem to notice
                                  // it when the publications folder with the
                                  // signature has been deleted. So we always
                                  // create a new signature
}

It is not possible to simply add a sign generatePomFileForMavenPublication line to signing, as the maven-publish plugin leverages support for late configuration, which means that the task for generating the pom is not available when configuring the signing section.

Now we have all the signature files we need. We only need to add them to the publication:

apply plugin: 'maven-publish'

publishing {
  publications {
    maven(MavenPublication) {
      from components.java

      project.tasks.withType(Sign) {
        signatures.all {
          def type = it.type
          if (it.file.name.endsWith('.tar.gz.asc')) {  // Workaround in case a tar.gz file should be published
            type = 'tar.gz.asc'
          } else if (it.type.equals('xml.asc')) {  // Set correct extension for signature of pom file
            type = 'pom.asc'
          }
          artifact source: it.file, classifier: it.classifier ?: null, extension: type
        }
      }

      pom.withXml {
        // The pom can be enriched as usual
      }
    }
  }
}

This takes all signature files created by the build and adds them as artifacts to the publication. In order to have the pom file correctly named, the file extension xml.asc needs to be replaced with pom.asc (the maven-publish plugin stores the pom locally as pom-default.xml).

With all tasks being there and connected with each other, the last thing to do is to set up the dependencies in the model:

model {
  tasks.publishMavenPublicationToMavenLocal {
    dependsOn project.tasks.withType(Sign)
  }
  tasks.publishMavenPublicationToNexusLocalSnapshotsRepository {
    dependsOn project.tasks.withType(Sign)
  }
  tasks.signPom {
    dependsOn tasks.generatePomFileForMavenPublication
  }
}

The name of the second task depends on the name of the repository in the publications.repository section. Mine is called "NexusLocalSnapshots".

The only disadvantage of this approach is that for each signature file an md5 and sha1 checksum file is created. This does not seem to be a problem for the repository manager, though (tested locally with Nexus 3).

answered Sep 24 '22 10:09 by Christoph Böhme
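As an added check that is not part of the question or either answer: once the signed publication has been pushed to the file:// repository from the question, it is worth auditing the result before promoting it, because the two failure modes discussed above (a signature landing as foo-1.0.xml.asc instead of foo-1.0.pom.asc, and checksum sidecars being generated for every file) are silent at publish time. The script below walks a local Maven repository layout and reports primary artifacts without a detached .asc signature, signatures published under the raw .xml.asc name, orphaned .asc files, and .md5/.sha1 sidecars that do not match the file they describe. The list of artifact extensions that must be signed is an assumption, and the sample repository it builds is constructed for the demo with placeholder .asc contents; it checks layout and checksums only and does not verify the OpenPGP signatures themselves (that needs the signer's public key and gpg --verify).

```python
"""Audit a local Maven repository for signature and checksum consistency.

Added example, not code from the question or either answer. It reports:
  * primary artifacts (.pom, .jar, ...) with no detached .asc signature;
  * signatures published as .xml.asc (the signing plugin's name for the
    pom-default.xml signature) instead of the .pom.asc Maven expects;
  * .asc files with no artifact to belong to;
  * .md5 / .sha1 sidecars whose digest does not match their target.
It does NOT verify the OpenPGP signatures; use gpg --verify for that.
"""
import hashlib
import os
import tempfile
from pathlib import Path

CHECKSUM_ALGOS = {".md5": "md5", ".sha1": "sha1"}
# Artifact types that must carry a detached signature (assumed list).
SIGNED_EXTENSIONS = (".pom", ".jar", ".tar.gz", ".zip", ".war", ".aar")


def audit_repo(repo) -> list:
    """Return (path, problem) tuples; an empty list means the layout is clean."""
    problems = []
    for path in sorted(Path(repo).rglob("*")):
        if not path.is_file():
            continue
        name = path.name
        if name.endswith(".xml.asc"):
            problems.append((str(path), "signature published as .xml.asc, expected .pom.asc"))
            continue
        for suffix, algo in CHECKSUM_ALGOS.items():
            if name.endswith(suffix):
                target = path.with_name(name[: -len(suffix)])
                if not target.exists():
                    problems.append((str(path), "checksum file without a target"))
                else:
                    # Sidecar holds the hex digest, optionally followed by a file name.
                    expected = (path.read_text().split() or [""])[0].lower()
                    actual = hashlib.new(algo, target.read_bytes()).hexdigest()
                    if expected != actual:
                        problems.append((str(path), f"{algo} mismatch for {target.name}"))
                break
        else:
            if name.endswith(".asc"):
                if not path.with_name(name[:-4]).exists():
                    problems.append((str(path), "signature without a matching artifact"))
            elif name.endswith(SIGNED_EXTENSIONS) and not path.with_name(name + ".asc").exists():
                problems.append((str(path), "missing detached .asc signature"))
    return problems


def _write_checksums(target: Path) -> None:
    """Emit the .md5 and .sha1 sidecars a Maven deploy normally produces."""
    data = target.read_bytes()
    for suffix, algo in CHECKSUM_ALGOS.items():
        target.with_name(target.name + suffix).write_text(hashlib.new(algo, data).hexdigest())


def build_sample_repo(root) -> Path:
    """Write a constructed (fake) repository tree that exhibits the problems above.

    The .asc files contain placeholder text, not real OpenPGP signatures.
    """
    d = Path(root) / "com" / "example" / "lib" / "1.0"
    d.mkdir(parents=True, exist_ok=True)
    jar, pom, sources = d / "lib-1.0.jar", d / "lib-1.0.pom", d / "lib-1.0-sources.jar"
    jar.write_bytes(b"PK\x03\x04 constructed jar payload")
    pom.write_text("<project/>")
    sources.write_bytes(b"PK\x03\x04 constructed sources payload")
    # jar: correctly signed and checksummed.
    jar.with_name("lib-1.0.jar.asc").write_text("placeholder signature")
    _write_checksums(jar)
    # pom: signature published under the raw signing-plugin extension.
    pom.with_name("lib-1.0.xml.asc").write_text("placeholder signature")
    _write_checksums(pom)
    # sources jar: unsigned, and its sha1 sidecar is stale.
    _write_checksums(sources)
    sources.with_name("lib-1.0-sources.jar.sha1").write_text("0" * 40)
    return Path(root)


def run_demo() -> list:
    """Build the sample repo in a temp dir and return (file name, problem) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        found = audit_repo(build_sample_repo(tmp))
    return [(os.path.basename(p), msg) for p, msg in found]


if __name__ == "__main__":
    for fname, msg in run_demo():
        print(f"{fname}: {msg}")
```

To audit a real publication, call audit_repo() on the repository root (for the question's setup, build/repo under the root project); a clean run returns an empty list. Checksum sidecars generated for .asc files are accepted as long as they match, which reflects the Nexus observation above.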