Sign with keystore then publish with maven-publish

I want to publish an Android library (.aar) to a Maven Repository. I manage to do it using the signing and maven-publish plugins. But the signing plugin does not seem to work with a keystore file: it seems to take something like this:

signing.keyId=24875D73
signing.password=secret
signing.secretKeyRingFile=/Users/me/.gnupg/secring.gpg

and what I have are a .keystore file, a keyAlias (which looks more like “key0” than a PGP key), then a store password and a key password.

So instead of using the signing plugin, I thought I could do something more like this:

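// Hook the release assemble task as soon as Gradle registers it.
tasks.whenTaskAdded { task ->
    if (task.name == 'assembleRelease') {
        // Path of the AAR produced by the release build.
        def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"

        task.doLast {
            // Jar-sign the AAR in place with the release keystore entry.
            ant.signjar(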
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword,
                    preservelastmodified: 'true')

            // Verify the jar signature that was just applied.
            ant.verifyjar(
                    alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword)
        }
    }
}

This works when I do ./gradlew assembleRelease (i.e. I can verify with jarsigner that the aar is signed). But when I do ./gradlew publish, somehow my output aar is not signed. Which confuses me because I thought that the publish task would run the assembleRelease task, which would run the signing.

What am I missing? How can I sign my aar with a keystore and still push it to a Maven Repository?

I managed to make it work by changing the if condition to if (task.name == 'assembleRelease' || task.name == 'bundleReleaseAar') {. Apparently something changes between assembleRelease and publish.

Now my next problem is that when I try to publish that to Maven Central, it complains because of missing signatures: the *.aar.asc, *.pom.asc and *.module.asc do not exist.

Is there a way to generate them from my keystore?

You are confusing signing with signing. :slight_smile:
With your keystore you can do a jar-signing.
What Maven Central requires is that you add a PGP signature, for example by using the signing plugin.

Yeah, I was slowly realizing this :sweat_smile:. It all makes sense now, thanks a lot! :grin:
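
The PGP signing the answer refers to, as an added example that is not code from the thread: a fragment of a module `build.gradle` in which the signing plugin signs the maven-publish publication, which is what produces the detached `.asc` files next to the AAR, POM and module metadata. The property names `signingKeyId`, `signingKey` and `signingPassword`, the coordinates and the use of AGP 7.1+ `singleVariant` are assumptions; the rest of the `android` block is left as in the existing project.

```groovy
plugins {
    id 'com.android.library'
    id 'maven-publish'
    id 'signing'
}

android {
    // Assumes AGP 7.1+: expose the release variant as a publishable component.
    publishing {
        singleVariant('release')
    }
}

afterEvaluate {
    publishing {
        publications {
            release(MavenPublication) {
                from components.release
                // Placeholder coordinates (assumed, not from the thread).
                groupId = 'com.example'
                artifactId = 'mylib'
                version = '1.0.0'
            }
        }
    }

    signing {
        // PGP key material is separate from the Android keystore. Supply it from
        // outside the repository, e.g. ~/.gradle/gradle.properties or
        // ORG_GRADLE_PROJECT_signingKey style environment variables.
        def signingKeyId = findProperty('signingKeyId')
        def signingKey = findProperty('signingKey')          // ASCII-armored secret key
        def signingPassword = findProperty('signingPassword')

        if (signingKey) {
            // In-memory key: no secring.gpg file is needed on the build machine.
            useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
        }
        // Otherwise the plugin falls back to signing.keyId, signing.password and
        // signing.secretKeyRingFile, the properties shown in the question.

        // Signs every artifact of the publication, including the generated POM
        // and module metadata, producing the detached .asc files.
        sign publishing.publications.release
    }
}
```

The keystore-based jar signature and the PGP signature are independent, so the `ant.signjar` hook from the question can stay in place alongside this configuration.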