How to publish artifacts signatures (.asc files) using maven-publish plugin?

This worked well for my project so far. I’m only publishing locally for today though. This should be much easier.

No offense to anyone here but this is really ass-backwards to make a maven-publishing plugin and not support signing. Are there any plans of doing this?

Yes, this is actually worked on in ticket https://github.com/gradle/gradle/issues/4943 which currently is part of milestone “4.8 RC1” so it might soon be easy.

While it actually is not that hard to do properly right now.
Some of the hoops others described in linked sites here are not necessary though.

You just have to apply the signing plugin, and do signing { sign configurations.archives }.

Then you add the JARs and the JAR and POM signatures to the publication and set the packaging with

publishing {
    publications {
        maven(MavenPublication) { publication ->
            from components.java
            artifact javadocJar
            artifact sourcesJar

            signArchives.signatures.each { signature ->
                artifact(signature) {
                    extension signature.type
                }
            }
            artifact(file("$buildDir/publications/$publication.name/pom-default.xml.asc")) {
                extension 'pom.asc'
                builtBy signArchives
            }

            pom {
                packaging 'jar'
            }
        }
    }
}

And finally take care about the POM being actually signed with

tasks.withType(GenerateMavenPom) {
    signArchives.dependsOn it
    signArchives.sign it.outputs.files.singleFile
}

That’s all that is necessary.
The only dark part in this is the semi-hard-coding of the POM signature file path, as the GenerateMavenPom are added to the build at a time where the publishing extension cannot be modified anymore, so its configuration cannot be used for this.

And now with latest nightly (tested with https://services.gradle.org/distributions-snapshots/gradle-4.8-20180421000019+0000-bin.zip) it is finally just

signing {
    sign publishing.publications
}

or with proper required check

signing {
    required {
        // signing is required if this is a release version and the artifacts are to be published
        !version.toString().endsWith('-SNAPSHOT') && tasks.withType(PublishToMavenRepository).find {
             gradle.taskGraph.hasTask it
        }
    }
    sign publishing.publications
}

Hi! I read your posts from Mat 2018 as saying that I need to use both posts, i.e. the 2nd signing option from the 2nd post, and the stuff referencing signArchives from the first post. When I do this, I get the message:
Could not get unknown property 'signArchives' for object of type org.gradle.api.publish.maven.internal.publication.DefaultMavenPublication.

Apparently it is not creating an “archives” configuration - where should I look? Also in https://docs.gradle.org/current/dsl/org.gradle.plugins.signing.SigningExtension.html , it says to use signPom, but also says that uploadArchives has been deprecated!

Help would be appreciated!

No, you read it wrongly. The first post is how to do it with the then latest release 4.7, the second post shows how to do it with the improvements in 4.8 which back then was only available as nightly build.

Also, if you read the documentation, everything is nicely described, including why signPom is deprecated and why you don’t need it: https://docs.gradle.org/current/userguide/signing_plugin.html

Or also the docs about publishing: https://docs.gradle.org/current/userguide/publishing_maven.html

Many thanks for getting back to me! “gradle build” now completes successfully, and so does “gradle publish” (I assume I have to do that also…) - however no repositories show up in Nexus Staging Repositories. My build.gradle is cobbled together from so many places that there are probably all sorts of dumb errors in it!

OTOH I can upload using Staging Upload, although I am not sure what signatures have to be uploaded, so I would rather have gradle build/publish take care of everything! So… can I put my gradle.build somewhere where people can look at it? TIA

Sure, put it e. g. on gist.github.com.
You can also look at one of my latest developed builds at https://github.com/Vampire/command-framework, but it is rather fancy, including publishing to GitHub releases, building release notes and so on.

Thanks, it would be great if you could look at it… It is at https://gist.github.com/jpaulm/339f9a4d91f7ab63d5fc891f2b36cd40

I am running gradle publish - not even sure if this is the right command - I couldn’t find it in the Gradle 6.2 documentation - except that it says it is still incubating!

TIA

Besides that I would recommend using the Gradle Wrapper even for the tiniest projects, where does it say it is incubating? That is probably outdated documentation. Here it is documented: https://docs.gradle.org/current/userguide/publishing_maven.html

And why do you expect publish to upload to Sonatype?
You configured it to publish to build/repos/releases or build/repos/snapshots.

Thanks so much for the feedback!

“Incubating” is in https://docs.gradle.org/current/dsl/org.gradle.api.artifacts.repositories.MavenArtifactRepository.html and elsewhere in the 6.2 documentation…

I do have a wrapper file, but I have been running Gradle using gradle, rather than gradlew… I also notice I don’t have a settings.gradle file - could this be a problem?

Thanks also for the tip about the outputs of the Maven publish function! Again it’s because I lifted the code from somewhere! I tried using the following in “publish”

url (version.endsWith('SNAPSHOT') ? snapshotPublicationRepository : releasePublicationRepository) ,

and got the following error message:

Could not PUT ‘https://oss.sonatype.org/service/local/staging/deploy/maven2/com/jpaulmorrison/drawfbp/2.19.2/drawfbp-2.19.2.pom’. Received status code 401 from server: Unauthorized

what does this mean? Thanks!

TIA

Sorry, is this the right URL for releases? Thanks in advance!

Getting closer! I added credentials back, and I have successfully uploaded stuff to Sonatype. The publish ran successfully, but the staging close had a “4” on it.

However I only see two failures in the listed “contents”… Both say: Missing: no main jar artifact found in folder ‘/com/jpaulmorrison/drawfbp/2.19.2’ . One is for sources validation, and one is for javadoc… There are all sorts of references to these jar files in the build.gradle (all from Gradle 5.x), which are probably mostly wrong! It would be great if you could take a look at https://gist.github.com/jpaulm/69e70729db3e94e2bff063c602340602, and let me know how I should change these… or point me at an example…

Thanks for all your help! Tack för hjälpen (according to Google)

The only “incubating” I see there is for the allowInsecureProtocol property and nothing else.

Does it run with the correct (as in the one defined in the wrapper file) version then?
I never have Gradle installed, because I always use gradlew and use the wrapper from one project to bootstrap the next one if necessary.

I’d recommend to have one.

If there is none, Gradle searches all the way up to the file system root and a bit sidewards for a settings file to see whether the project you start Gradle from is part of a multi-project build. If it finds one, it runs the settings phase and then checks whether it is part of that build and then runs as part of the multi-project build or standalone if not. You can spare all this searching and trying by simply providing a settings script.

And additionally you can define the root project name in the settings script and if none is there it depends on the directory where the build script is stored, so if you rename the folder, the project is called differently.

I also once had the problem that a settings script in a parent directory was found, but it had special requirements to evaluate properly which were not given and thus the whole build failed due to a totally unrelated file.

Well, usually that means that you didn’t provide proper credentials, or that you try to publish somewhere where you don’t have access.
May be the latter here, I think the URL should just be https://oss.sonatype.org/service/local.
I usually don’t configure it manually but simply use the de.marcphilipp.nexus-publish plugin, it configures it properly without need to think or have boilerplate.

See above

What do you mean with “had a 4 on it”?

You didn’t configure to publish them.
How to do it correctly depends on the Gradle version.
If you e. g. use a recent version you don’t even need the manual task declarations but can simply tell Gradle to create them which automatically also adds them to the publication and thus published artifacts.
If you are on an older Gradle version, you have to add the manually declared artifacts manually to the publication.

I already gave you the link to the documentation, read it for the version you use.
And I also gave you a link to one of my projects where you find examples. (with the old mechanism as it is not on latest Gradle yet).
How about actually reading documentation first?

Also you should probably stop raping this thread as your questions have now nothing at all to do with the topic.

Now you’re kidding me, right?
How about first asking Google where I live instead of assuming someone’s nationality just from his name? o_O

If you mean that I diverted the thread, you’re quite right… and I apologize. You did suggest I read the documentation, and I have to say it is extremely obscure… plus the Internet is crammed full of questions and answers relating to earlier versions of Gradle, so Googling for answers doesn’t work very well. Maybe I will be able to find some 6.2 working examples… otherwise I’ll just keep slogging!

Thanks for your help anyway,

J. Paul Rodker Morrison

Obscure?
Imho it is pretty good documentation, especially compared to other software documentations.
It is clear, concise, has good examples.
The page I linked you to already (https://docs.gradle.org/current/userguide/publishing_maven.html) even has a complete self-contained example of a build script that builds a library and publishes it including a javadoc artifact and a sources artifact and all signed.

Thanks, that definitely helped! Also your information that the URL should just be https://oss.sonatype.org/service/local seems to have done the trick! I now have an error-free list of activities showing on my Nexus Repository Manager page! Fantastic!

I am now using renovate, so I will be notified of future changes to Gradle, so hopefully I will not get so far behind in my releases!

One very minor comment: my log for “gradle publish” says “Settings evaluated using settings file ‘C:\Users\Paul\Documents\GitHub\drawfbp\settings.gradle’.” This file doesn’t exist, so it is a bit confusing!

Anyway, many thanks again for your help and patience!

Paul M.
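
To confirm that a publication set up as in this thread really carries a detached signature for every published file, the file-based repository that publish writes to (build/repos/releases in the thread) can be audited before anything is sent to Sonatype. This is an added example, not code from any poster or from Gradle; the function names missing_signatures and verify_repo are hypothetical, and gpg is assumed to be on the PATH with the signer's public key imported.

```shell
#!/bin/sh
# Audit a file-based Maven repository for detached .asc signatures.
# Function names are hypothetical; gpg with the signer's public key is assumed.

# Print every published file under $1 that has no .asc beside it.
# Checksums, signatures and maven-metadata.xml are not expected to be signed.
missing_signatures() {
    find "$1" -type f \
        ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' \
        ! -name '*.sha256' ! -name '*.sha512' \
        ! -name 'maven-metadata.xml' | LC_ALL=C sort |
    while IFS= read -r artifact; do
        [ -f "$artifact.asc" ] || printf '%s\n' "$artifact"
    done
}

# Verify each .asc under $1 against the file it signs and list unsigned files.
# Returns 0 only if every file is signed and every signature verifies.
verify_repo() {
    repo="$1"
    bad=$(find "$repo" -type f -name '*.asc' | LC_ALL=C sort |
        while IFS= read -r sig; do
            gpg --verify "$sig" "${sig%.asc}" >/dev/null 2>&1 ||
                printf 'BAD SIGNATURE: %s\n' "$sig"
        done)
    unsigned=$(missing_signatures "$repo" | sed 's/^/UNSIGNED: /')
    report=$(printf '%s\n%s\n' "$bad" "$unsigned" | sed '/^$/d')
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Stand-alone use: sh audit.sh build/repos/releases
[ "$#" -eq 0 ] || verify_repo "$1"
```

A non-zero exit with UNSIGNED lines for the POM, sources or javadoc JAR means the signing task did not cover those files.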