Publish Artifacts to Maven Central
Using the remote repositories feature, you can publish Maven artifacts from a Space Packages repository to Maven Central.
To publish an artifact to Maven Central
Configure publishing of artifacts to a Space Packages repository according to the following guides:
Perform initial setup of your OSSRH repository:
Create a JIRA ticket for creating a new repository for your project. For example, like this one.
For details, refer to the official Sonatype documentation.
The artifacts published to Maven Central must be signed with PGP. To generate a signing key:
Download the GPG tool.
Generate a key by running:
    gpg --gen-key
For example:
    PS C:\Program Files (x86)\GNU\GnuPG> .\gpg.exe --gen-key
    gpg (GnuPG) 1.4.23; Copyright (C) 2015 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
    (1) RSA and RSA (default)
    (2) DSA and Elgamal
    (3) DSA (sign only)
    (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048)
    Requested keysize is 2048 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    <n> = key expires in n days
    <n>w = key expires in n weeks
    <n>m = key expires in n months
    <n>y = key expires in n years
    Key is valid for? (0)
    Key does not expire at all
    Is this correct? (y/N) y

    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

    Real name: John Doe
    Email address: johndoe@example.com
    Comment: sample key
    You selected this USER-ID:
    "John Doe (sample key) <johndoe@example.com>"

    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
    You need a Passphrase to protect your secret key.

    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    .+++++
    +++++
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    ...+++++
    ....+++++
    gpg: C:/Users/John.Doe/AppData/Roaming/gnupg\trustdb.gpg: trustdb created
    gpg: key 8A37B4C1 marked as ultimately trusted
    public and secret key created and signed.

    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
    pub 2048R/8A37B4C1 2021-04-20
    Key fingerprint = 31FE BA03 2679 13C3 5DDD B277 6176 785A 8A37 B4C1
    uid John Doe (sample key) <johndoe@example.com>
    sub 2048R/EA490E42 2021-04-20
Configure signing for the project:
There are a number of ways to configure signing depending on your environment. For details, refer to the official Gradle documentation. For example, this is how you can configure signing for your local builds:
Include the signing plugin into build.gradle:
    plugins {
        id 'signing'
    }
Specify what to sign. For example, you can configure Gradle to sign all published artifacts. To do this, add to build.gradle:
    signing {
        sign publishing.publications
    }
Add the signing key data to your local gradle.properties. For example:
    signing.keyId=24875D73
    signing.password=pwd1234
    signing.secretKeyRingFile=C:/Users/John.Doe/AppData/Roaming/gnupg/secring.gpg
Where
keyId is the public key ID that you can get with gpg -K.
password is the passphrase you used when creating the key.
secretKeyRingFile is the absolute path to the private key.
To build a signed artifact, run:
    gradle sign
To publish a signed artifact, run:
    gradle publish
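The local setup above keeps the passphrase in plain text in gradle.properties and points at a key ring file on disk. For CI builds, the Gradle signing plugin can instead take the key from memory; the following build.gradle is an added example, not part of the original guide. The property names signingKey and signingPassword and the publication name mavenJava are assumptions chosen for illustration.

```groovy
plugins {
    id 'java'
    id 'maven-publish'
    id 'signing'
}

publishing {
    publications {
        // Hypothetical publication name; use the one your build already defines.
        mavenJava(MavenPublication) {
            from components.java
        }
    }
}

signing {
    // Assumed property names. Gradle maps the environment variables
    // ORG_GRADLE_PROJECT_signingKey and ORG_GRADLE_PROJECT_signingPassword
    // to these project properties, so neither value is written to
    // gradle.properties or committed with the project.
    // signingKey holds the ASCII-armored private key, i.e. the output of
    //   gpg --armor --export-secret-keys <key id>
    def signingKey = findProperty('signingKey')
    def signingPassword = findProperty('signingPassword')

    if (signingKey) {
        // CI build: the key material is passed in memory only.
        useInMemoryPgpKeys(signingKey, signingPassword)
    }
    // When signingKey is not set (local build), the plugin falls back to
    // signing.keyId / signing.password / signing.secretKeyRingFile from
    // gradle.properties, as configured above.

    sign publishing.publications
}
```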
There are a number of ways to configure signing depending on your environment. For details, refer to the official Maven documentation. For example, this is how you can configure signing for your local builds:
Include the Apache Maven GPG plugin into pom.xml:
    <project>
      ...
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>1.6</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
      ...
    </project>
Add the signing key data to your local settings.xml. For example:
    <settings>
      [...]
      <servers>
        [...]
        <server>
          <id>gpg.passphrase</id>
          <passphrase>pwd1234</passphrase>
        </server>
      </servers>
    </settings>
Where passphrase is the passphrase you used when creating the key. Note that this will work only in case you have a single (default) signing key. For more information on configuring the Maven GPG plugin, refer to the official documentation.
To publish a signed artifact, run:
    mvn deploy
In Space, open the repository where you published the signed artifacts.
Configure a remote repository:
In repository settings, open the Remote Repositories tab and click New remote repository.
Specify remote repository settings:
URL: the URL you got from Sonatype during the initial setup. Typically, it's https://s01.oss.sonatype.org/content/repositories/snapshots/ for SNAPSHOT artifact versions or https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ for release versions. Learn more.
In Authentication, select Basic and specify the Username and Password you used to register in Sonatype JIRA.
Nexus Staging Profile: the profile you got during the initial setup. Space automatically connects to Sonatype Nexus using your credentials and shows you the list of available staging profiles.
Click Create.
Publish the required artifact to the remote repository (Maven Central):
In the package menu, choose Publish to remote repository.
In the list, select the mirror created in the previous step and click Publish.