What is the procedure and what are the requirements to submit artifacts to maven central repository?

Question

I suppose that one needs some pass to submit an artifact to Maven Central repository.

I'd like to know, in detail, what are the requirements, what is the procedure to follow, and if there is a tutorial or guide to help in this process.

I heard you need also to digitally sign (gpg) the artifacts, some details regarding this would also be welcome.

Answer 1

If your code is OSS, there's a "fast track" process for publishing via Sonatype.

Short Answer:

See the Sonatype OSS Maven Repository Usage Guide

Long Answer:

Basically, here's what I've done for beanstalk-maven-plugin a while ago:

1. I've generated and registered a new GPG key for my email in the HKP Keyservers (a no brainer). Make sure you have backups of your keys (actually, I suggest you create your key in an entirely separate machine, so you could know your backup / export procedures are working)

2. Opened an Issue in Sonatype OSS Project Jira Tracker pointing the groupId, source SCM url, and other details. It takes around 48h for approval.

3. Configured my pom.xml to use sonatype-parent pom as a parent. This adds a lot of extra information and validation.

4. Set up SCM for Tagging / Releasing.

5. Set up jenkins so my -SNAPSHOT releases would also be published into oss.sonatype.org.

Now, the release procedure itself via Sonatype is pretty straightforward:

• Call release:prepare and release:perform into the OSS Staging. Your new release will go into Sonatype Staging
• Log into OSS Staging, then "Close" the Staged Repository - If there are any validation errors (e.g. artifacts without sources), it will warn, and you're likely to issue a "Drop".
• If everything went fine, you can instead call "Release", and it will sync in central in a couple of hours.

Under the Hood

If you're using Maven, most of the changes just require decorating your POM with the relevant detail (group, mailing lists, home page, and especially the <scm/>). The sonatype-oss-parent (see its source) pom does all the remaining work, which includes:

• The <distributionManagement/> tags
• The maven-enforcer-plugin configuration (in particular, to avoid some bad signatures from the maven-gpg-plugin)
• Settings for maven-release-plugin for a special build profile to be called when released on OSS, which includes invocations for:
  • source:jar
  • javadoc:jar
  • gpg:sign

Of course, you can do it all by hand - Just copy the contents of sonatype-oss-parent into your own. However, I think its a bit of avoidable cruft. :)

Hope it helps.