Parent Pom Does Not Get Signed on Maven Release

I'm currently trying to release a project (https://github.com/DaGeRe/KoPeMe) which is built by maven. The last release worked successfully: https://repo1.maven.org/maven2/de/dagere/kopeme/kopeme-parent/1.3.6/ with commit 4a5ee98abf747e257afc18dccbec1299a23be6f5.

It contains the maven-gpg-plugin, the maven-javadoc-plugin and the maven-source-plugin in the parent pom.xml:

    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>3.0.1</version>
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <phase>verify</phase>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-javadoc-plugin</artifactId>
      <version>3.1.1</version>
      <configuration>
        <doclint>none</doclint>
        <quiet>true</quiet>
        <nonavbar>true</nonavbar>
        <notree>true</notree>
        <nocomment>true</nocomment>
        <nohelp>true</nohelp>
      </configuration>
      <executions>
        <execution>
          <id>attach-javadocs</id>
          <goals>
            <goal>jar</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-source-plugin</artifactId>
      <version>3.0.0</version>
      <executions>
        <execution>
          <id>attach-sources</id>
          <goals>
            <goal>jar</goal>
          </goals>
        </execution>
      </executions>
    </plugin>

Therefore, I'd expect all the .asc files to be present (for the -source.jar, for the .jar and the pom.xml).

Unfortunately, in the current version, I always get the following errors when trying to deploy:

    [INFO] [ERROR]   Rule "signature-staging" failures
    [INFO] [ERROR]     * Missing Signature: '/de/dagere/kopeme/kopeme-parent/1.3.7/kopeme-parent-1.3.7.pom.asc' does not exist for 'kopeme-parent-1.3.7.pom'.
    [INFO] [ERROR]     * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7.jar.asc' does not exist for 'build-tools-1.3.7.jar'.
    [INFO] [ERROR]     * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7-sources.jar.asc' does not exist for 'build-tools-1.3.7-sources.jar'.
    [INFO] [ERROR]     * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7.pom.asc' does not exist for 'build-tools-1.3.7.pom'.

It is understandable that there is no signature for the parent pom.xml, since it is just not present:

    find . -name "*.pom.asc"
    ./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit4/1.3.7/kopeme-junit4-1.3.7.pom.asc
    ./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit3/1.3.7/kopeme-junit3-1.3.7.pom.asc
    ./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit5/1.3.7/kopeme-junit5-1.3.7.pom.asc
    ./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-core/1.3.7/kopeme-core-1.3.7.pom.asc
    ./target/checkout/kopeme-junit4/target/kopeme-junit4-1.3.7.pom.asc
    ./target/checkout/kopeme-junit3/target/kopeme-junit3-1.3.7.pom.asc
    ./target/checkout/kopeme-junit5/target/kopeme-junit5-1.3.7.pom.asc
    ./target/checkout/kopeme-core/target/kopeme-core-1.3.7.pom.asc
    ./kopeme-junit4/target/kopeme-junit4-1.3.7.pom.asc
    ./kopeme-junit3/target/kopeme-junit3-1.3.7.pom.asc
    ./kopeme-junit5/target/kopeme-junit5-1.3.7.pom.asc
    ./kopeme-core/target/kopeme-core-1.3.7.pom.asc

The same happens when I go back to 4a5ee98abf747e257afc18dccbec1299a23be6f5, which was the last commit where the release worked (and the data are now in maven central). This also happens for older tags, and when only doing mvn deploy.

If I redirect the output of the build to a file, it seems the gpg plugin is never executed for the parent pom:

    cat deploy.txt | grep gpg
    [INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-core ---
    [INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit4 ---
    [INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit5 ---
    [INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit3 ---

Switching to mvn clean deploy gpg:sign creates all the necessary gpg files, but it seems to me like the explicit specification of gpg:sign is not a good solution. (Also, switching the phase to verify, as suggested in "Proper execution phase for maven-gpg-plugin?", did not solve the problem.)

Since this worked for the last releases (without gpg:sign, and all necessary files are online), but even this last release's commit does not produce a .pom.asc, I do not see a way to further debug this issue (and all the behaviour stays the same, regardless of whether I use Maven 3.8.5, Ubuntu's default version, or Maven 3.9.2, the wrapper's version). Does anybody have a hint how to debug this problem?

There is 1 best solution below

One solution seems to be to add the gpg plugin to the parent pom's build (instead of only pluginManagement), like this:

    <build>
      <plugins>
        [...]
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
        </plugin>
        <plugin>
          <groupId>org.sonatype.plugins</groupId>
          <artifactId>nexus-staging-maven-plugin</artifactId>
          <version>1.6.13</version>
          <extensions>true</extensions>
          <configuration>
            <serverId>sonatype-nexus-staging</serverId>
            <nexusUrl>https://oss.sonatype.org/</nexusUrl>
            <autoReleaseAfterClose>true</autoReleaseAfterClose>
          </configuration>
        </plugin>
      </plugins>

      <pluginManagement>
        <plugins>
          [...]
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>3.1.0</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>deploy</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-javadoc-plugin</artifactId>
            <version>3.5.0</version>
            <configuration>
              <doclint>none</doclint>
              <quiet>true</quiet>
              <nonavbar>true</nonavbar>
              <notree>true</notree>
              <nocomment>true</nocomment>
              <nohelp>true</nohelp>
            </configuration>
            <executions>
              <execution>
                <id>attach-javadocs</id>
                <goals>
                  <goal>javadoc-no-fork</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-source-plugin</artifactId>
            <version>3.3.0</version>
            <executions>
              <execution>
                <id>attach-sources</id>
                <goals>
                  <goal>jar-no-fork</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
          [...]
        </plugins>
      </pluginManagement>
    </build>

It makes sense that this is necessary - I assume I was using an older version of maven before (that was installed on the system), and that an update to maven caused the problem.
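
A local pre-deploy check that mirrors the "Missing Signature" rule from the error output in the question, as an added example that is not part of the original question or answer. It reports every .pom or .jar in a directory tree that has no matching .asc file, rather than only listing the .pom.asc files that do exist. The function names and the sample tree (example-parent, example-core) are constructed for illustration, and limiting the check to .pom and .jar files is an assumption.

```shell
#!/bin/sh
# Added example: find staged artifacts that have no detached signature.
# Assumption: only *.pom and *.jar files need a signature, matching the
# artifact types named in the error output on this page.

# missing_signatures DIR: print each artifact under DIR lacking FILE.asc.
missing_signatures() {
    find "$1" -type f \( -name '*.pom' -o -name '*.jar' \) | sort |
    while IFS= read -r artifact; do
        [ -f "$artifact.asc" ] || printf '%s\n' "$artifact"
    done
}

# check_staging DIR: return non-zero when any signature is missing,
# so the function can gate a deploy step in a release script.
check_staging() {
    missing=$(missing_signatures "$1")
    if [ -n "$missing" ]; then
        printf 'Missing signature for:\n%s\n' "$missing" >&2
        return 1
    fi
}

# make_sample_tree: build a constructed staging layout in a temp dir in
# which the parent POM is unsigned and one module is fully signed.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/example-parent/1.0" "$root/example-core/1.0"
    : > "$root/example-parent/1.0/example-parent-1.0.pom"
    for f in example-core-1.0.pom example-core-1.0.jar \
             example-core-1.0-sources.jar; do
        : > "$root/example-core/1.0/$f"
        : > "$root/example-core/1.0/$f.asc"
    done
    printf '%s\n' "$root"
}

# When a directory is given as an argument, check it.
if [ "$#" -gt 0 ]; then
    check_staging "$1"
fi
```

Pointing it at a local staging directory such as the target/nexus-staging/staging tree from the find output shows the unsigned files before the remote staging rule rejects the upload.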