Java – Maven ‘deploy’ causes code repackaging (bad signature) after signature operation
I want to deploy an artifact to the Sonatype OSS repository.
The signature is invalid when deploying with the following command:
mvn clean source:jar javadoc:jar install gpg:sign deploy
> gpg --verify target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:45:50 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: BAD signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]
If I remove the deploy goal, the signature is good:
mvn clean source:jar javadoc:jar install gpg:sign
> gpg --verify target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:54:34 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: Good signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]
I realized that after the signature operation, the jar was packaged a second time. How can I deploy without breaking the signature?
Problematic operation:
[INFO] --- maven-gpg-plugin:1.5:sign (default-cli) @ security-versions ---
You need a passphrase to unlock the secret key for
user: "Philippe Arteau <philippe.arteau@gmail.com>"
4096-bit RSA key,ID 63E38ACF,created 2013-05-12
[...]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1.jar
[INFO]
[INFO] --- maven-plugin-plugin:3.2:addPluginArtifactMetadata (default-addPluginArtifactMetadata) @ security-versions ---
[INFO]
[INFO] --- maven-source-plugin:2.2.1:jar-no-fork (default) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1-sources.jar
The second part should not be executed, because compilation and packaging have already occurred.
Solution
You should not run install and deploy at the same time. Otherwise, you will run the packaging step twice.
I recommend using deploy only. Look at this post.
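One way to follow this advice, as an added example that is not part of the original answer or the project's own pom.xml: bind the signing goal to the verify phase, so a single lifecycle run packages each artifact once, signs it, and only then installs and deploys it. The plugin versions 1.5 and 2.2.1 are taken from the log above; the execution ids and the javadoc plugin entry are assumptions.

```xml
<!-- Added example: <build> fragment for pom.xml (assumed layout, not the project's file). -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-source-plugin</artifactId>
      <version>2.2.1</version>
      <executions>
        <execution>
          <id>attach-sources</id>
          <!-- jar-no-fork attaches the sources jar during package, without forking the build -->
          <goals><goal>jar-no-fork</goal></goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-javadoc-plugin</artifactId>
      <!-- pin a version here; none appears on the page -->
      <executions>
        <execution>
          <id>attach-javadocs</id>
          <goals><goal>jar</goal></goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>1.5</version>
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <!-- verify comes after package and before install/deploy, so the
               signed bytes are the same bytes that get uploaded -->
          <phase>verify</phase>
          <goals><goal>sign</goal></goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

With this in place the release command becomes mvn clean deploy, with no explicit source:jar, javadoc:jar, install or gpg:sign goals on the command line. Running the same gpg --verify check on target/security-versions-1.0.1.jar.asc afterwards confirms the uploaded jar still matches its signature.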