Nexus could not find signature of project's pom.xml

Question

I have uploaded a multi-module-project to central as a bundle.jar and this problem appears: So Nexus could not found the pom.asc.

But how can the file be missing if it is available under

Answer 1

According to your comments, you got this Nexus error after executing the following steps:

• mvn release:prepare release:perform
• mvn clean repository:bundle-create gpg:sign, which creates the *-0.9.12.pom.asc file and the *-bundle.jar

The error is most probably related to the steps above, which might not be the proper sequence to apply in this case, since:

• The maven-repository-plugin plugin and its create-bundle goal would create an upload bundle for a Maven project. Note however that the generated *-bundle.jar file would not be attached to the Maven build (according to its sources), but simply generate the file in the project target folder
• The maven-gpg-plugin and its sign goal would sign project artifact, the POM, and attached artifacts with GnuPG for deployment
• You are invoking the clean phase in the second step of your executions, which basically means removing the content of the target folder after the release:perform operation.

As such:

• You should verify the content of the bundle jar (due to the clean invocation)
• You are actually not signing jar files (cleaned up by the clean invocation) nor the bundle (as per description above), although the mentioned error concerns the POM file and not the jar files
• You are executing the gpg:sign from the command line, although the official examples state that:

Currently this is not easily accomplished. gpg signs the artifacts attached to the build at the point that gpg runs. However, we want to "inject" the gpg into the phases.
What MIGHT work is:

mvn verify gpg:sign install:install deploy:deploy   

However, if there are other plugins configured for phases after the verify phase, they will not be run.

(Note: bold is mine).

Hence, I would review the deployment process and follow standard procedures for signing project artifacts.

Answer 2

Besides the Activity tab in the repository manager you should also be able to browse to a Content tab. Check that out and see that within the folder of your GAV coordinate you find all the files. It seem that the staging rule did NOT find the file. Its probably not there (on the repository manager.. not your local filesystem!)

Please checkout our docs for further tips on how to set this all up with Maven including demo videos and fully working example projects.

Also if you get stuck please reach out to me directly or file an issue in our OSSRH jira project so I can investigate the specific deployment.

Answer 3

For me, missing *.asc files caused signature error. I have installed gpg keys and send it to ssh server.

According to Deploying to OSSRH with Apache Maven - Introduction, we need add plugin nexus-staging-maven-plugin and nexus-staging-maven-plugin. Then, when you run maven clean deploy, it will release the package to repo.maven.apache.org(within half an hour).

here is a pom.xml sample

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    ...
    <build>
        <plugins>
            ...
            <plugin>
                <groupId>org.sonatype.plugins</groupId>
                <artifactId>nexus-staging-maven-plugin</artifactId>
                <version>1.6.7</version>
                <extensions>true</extensions>
                <configuration>
                    <serverId>ossrh</serverId>
                    <nexusUrl>https://oss.sonatype.org/</nexusUrl>
                    <autoReleaseAfterClose>true</autoReleaseAfterClose>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>1.5</version>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

    <distributionManagement>
        <snapshotRepository>
            <id>ossrh</id>
            <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
        </snapshotRepository>
        <repository>
            <id>ossrh</id>
            <url>
                https://oss.sonatype.org/service/local/staging/deploy/maven2/
            </url>
        </repository>
    </distributionManagement>
</project>

maven settings.xml

<!--maven connect nexus need user and password-->
<settings>
    <servers>
        <server>
            <id>ossrh</id>
            <username></username>
            <password></password>
        </server>
    </servers>

    <profiles>
        <profile>
            <id>ossrh</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.passphrase>gpg.passphrase
                </gpg.passphrase>
            </properties>
        </profile>
    </profiles>
</settings>