Have such build.gradle
script that uses new publishing plugin:
apply plugin: 'java'
apply plugin: 'groovy'
apply plugin: 'signing'
apply plugin: 'maven-publish'
// ...
publishing {
publications {
maven(MavenPublication) {
from components.java
artifact sourcesJar {
classifier 'source'
}
}
}
repositories {
maven {
name 'Temporary'
url "file://${rootProject.buildDir}/repo"
}
}
}
signing {
sign configurations.archives
}
So the questions are:
The new, incubating maven-publish
plugin doesn't support signing yet.
While it still not officially supported, it is nonetheless possible to upload signed artifacts using the signing and the maven-publish plugin.
First, we set up our signing section as usual:
apply plugin: 'signing'
signing {
sign configurations.archives
}
This will sign the project's archive. To sign the POM that is created by the maven-publish plugin, we add a sign task:
task signPom(type: Sign) {
sign project.file('build/publications/maven/pom-default.xml')
outputs.upToDateWhen { false } // the signing plugin does not seem to notice
// it when the publications folder with the
// signature has been deleted. So we always
// create a new signature
}
It is not possible to simply add a sign generatePomFileForMavenPublication
line
to signing
as the maven-plublish plugin leverages support for late
configuration which means that the task for generating the pom is not available when configuring the signing section.
Now we have all the signature files we need. We only need to add them to the publication:
apply plugin: 'maven-publish'
publishing {
publications {
maven(MavenPublication) {
from components.java
project.tasks.withType(Sign) {
signatures.all {
def type = it.type
if (it.file.name.endsWith('.tar.gz.asc')) { // Workaround in case a tar.gz file should published
type = 'tar.gz.asc'
} else if (it.type.equals('xml.asc')) { // Set correct extension for signature of pom file
type = 'pom.asc'
}
artifact source: it.file, classifier: it.classifier ?: null, extension: type
}
}
pom.withXml {
// The pom can be enriched as usual
}
}
}
}
This takes all signature files created by the build and adds them as artifacts to the publication. In order to have the pom file correctly named, the file extension xml.asc need to be replaced with pom.asc (the maven-publish plugin stores the pom locally as pom-default.xml).
With all tasks being there and connected with each other, the last thing to do is to set up the dependencies in the model:
model {
tasks.publishMavenPublicationToMavenLocal {
dependsOn project.tasks.withType(Sign)
}
tasks.publishMavenPublicationToNexusLocalSnapshotsRepository {
dependsOn project.tasks.withType(Sign)
}
tasks.signPom {
dependsOn tasks.generatePomFileForMavenPublication
}
}
The name of the second task depends on the name of the repository in the
publications.repository
section. Mine is called "NexusLocalSnapshots".
The only disadvantage of this approach is that for each signature files an md5 and sha1 checksum file is created. This does not seem to be a problem for the repository manager, though (tested locally with Nexus 3).
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With