Hi Fred,
JAR signing of the bundles and GPG-signing of the Maven artifacts are two different steps. Once a jar has been "jar-signed", you may or may not GPG sign the corresponding Maven artifact (.jar + .pom file) so as it can be deployed on Central. As you hinted, JAR signing has to be done before the GPG signing, since doing it the other way around would break the GPG signature.
So you first have to sign your org.eclipse.m2e.workspace.cli JAR file with the Eclipse Fdn certificate, either using the Maven plugin from CBI, the command line utility, or the signing web service – see [1].
Once you have your signed JAR, you can GPG sign it and stage it on Central like this:
mvn gpg:sign-and-deploy-file
> -DpomFile=target/myapp-1.0.pom
> -Dfile=target/myapp-1.0.jar
> -Durl=http://oss.sonatype.org/service/local/staging/deploy/maven2/
> -DrepositoryId=sonatype_oss
I hope this helps. FWIW we are trying to improve our GPG signing story and provide more guidance to projects regarding GPG in general so stay tuned…
Hope this helps!
Benjamin Cabé
Eclipse Foundation
+33 (0) 619196101
Hi,
Do you have any recommended strategy to make both Central and Eclipse happy, signature-wise? Won't signing a jar break the 1st signature?
Yes this is totally not my area of expertise :-)
Fred
--
"Have you tried turning it off and on again" - The IT Crowd
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev