I'm currently trying to release a project (https://github.com/DaGeRe/KoPeMe) which is built by maven. The last release worked successfully: https://repo1.maven.org/maven2/de/dagere/kopeme/kopeme-parent/1.3.6/ with commit 4a5ee98abf747e257afc18dccbec1299a23be6f5.
It contains the maven-gpg-plugin
, the maven-javadoc-plugin
and the maven-source-plugin
in the parent pom.xml:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.0.1</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-javadoc-plugin</artifactId>
<version>3.1.1</version>
<configuration>
<doclint>none</doclint>
<quiet>true</quiet>
<nonavbar>true</nonavbar>
<notree>true</notree>
<nocomment>true</nocomment>
<nohelp>true</nohelp>
</configuration>
<executions>
<execution>
<id>attach-javadocs</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-source-plugin</artifactId>
<version>3.0.0</version>
<executions>
<execution>
<id>attach-sources</id>
<goals>
<goal>jar</goal>
</goals>
</execution>
</executions>
</plugin>
Therefore, I'd expect all the .asc
files to be present (for the -source.jar
, for the .jar
and the pom.xml
).
Unfortunately, in the current version, I always get the following errors when trying to deploy:
[INFO] [ERROR] Rule "signature-staging" failures
[INFO] [ERROR] * Missing Signature: '/de/dagere/kopeme/kopeme-parent/1.3.7/kopeme-parent-1.3.7.pom.asc' does not exist for 'kopeme-parent-1.3.7.pom'.
[INFO] [ERROR] * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7.jar.asc' does not exist for 'build-tools-1.3.7.jar'.
[INFO] [ERROR] * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7-sources.jar.asc' does not exist for 'build-tools-1.3.7-sources.jar'.
[INFO] [ERROR] * Missing Signature: '/de/dagere/kopeme/build-tools/1.3.7/build-tools-1.3.7.pom.asc' does not exist for 'build-tools-1.3.7.pom'.
It is understandable that there is not signature for the parent pom.xml
, since it is just not present:
find . -name "*.pom.asc"
./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit4/1.3.7/kopeme-junit4-1.3.7.pom.asc
./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit3/1.3.7/kopeme-junit3-1.3.7.pom.asc
./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-junit5/1.3.7/kopeme-junit5-1.3.7.pom.asc
./target/checkout/target/nexus-staging/staging/3ba66bd2daf598/de/dagere/kopeme/kopeme-core/1.3.7/kopeme-core-1.3.7.pom.asc
./target/checkout/kopeme-junit4/target/kopeme-junit4-1.3.7.pom.asc
./target/checkout/kopeme-junit3/target/kopeme-junit3-1.3.7.pom.asc
./target/checkout/kopeme-junit5/target/kopeme-junit5-1.3.7.pom.asc
./target/checkout/kopeme-core/target/kopeme-core-1.3.7.pom.asc
./kopeme-junit4/target/kopeme-junit4-1.3.7.pom.asc
./kopeme-junit3/target/kopeme-junit3-1.3.7.pom.asc
./kopeme-junit5/target/kopeme-junit5-1.3.7.pom.asc
./kopeme-core/target/kopeme-core-1.3.7.pom.asc
The same happens when I go back to 4a5ee98abf747e257afc18dccbec1299a23be6f5
, which was the last commit where the release worked (and the data are now in maven central). This also happens for older tags, and when only doing mvn deploy
.
If I redirect the output of the build to a file, it seems the gpg plugin is never executed for the parent pom:
cat deploy.txt | grep gpg
[INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-core ---
[INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit4 ---
[INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit5 ---
[INFO] --- maven-gpg-plugin:3.0.1:sign (sign-artifacts) @ kopeme-junit3 ---
Switching to mvn clean deploy gpg:sign
creates all the necessary gpg files, but it seems to me like the explicit specification of gpg:sign
is not a good solution. (And also switching the phase to verify
, like suggested in Proper execution phase for maven-gpg-plugin?, did not solve the problem)
Since this worked for the last releases (without gpg:sign
, and all necessary files are online), but even this last releases commit does not produce a .pom.asc
, I do not see a way to further debug this issue (and all the behaviour stays the same, regardless whether I use maven 3.8.5, Ubuntus default version, or maven 3.9.2, the wrappers version). Does anybody has a hint how to debug this problem?
One solution seems to be to add the gpg plugin to the parent poms
build
(instead onlypluginManagement
), like this:It makes sense that this is necessary - I assume I was using an older version of maven before (that was installed on the system), and that an update to maven caused the problem.