Originally published at https://seriouszyx.com/archives/36/
Recently, I participated in some open source projects, involving issues related to version distribution. I didn't see detailed and outdated tutorials, so I investigated and explored it myself and summarized the results in this article.
This article is written mainly with reference to the official documentation, and the demonstration repository is located at https://github.com/seriouszyx/maven-release-example.
Preparation
Coordinates
Maven identifies the project namespace with the groupId, which is written as a domain name in reverse order. The following are two examples of naming. If you have your own domain name, you can use it directly; if not, you can use the domain name of a code hosting service such as GitHub.
- www.seriouszyx.com -> com.seriouszyx
- github.com/seriouszyx -> io.github.seriouszyx
The following code hosting services support a personal groupId. Assuming io.github.myusername is used, a public repository named OSSRH-TICKETNUMBER needs to be created for verification (it can be deleted after successful verification). If you use your own domain name, you also need to add a TXT record, which will be mentioned later.
| Service | groupId | Related documentation |
|---|---|---|
| GitHub | io.github.myusername | https://pages.github.com/ |
| GitLab | io.gitlab.myusername | https://about.gitlab.com/stages-devops-lifecycle/pages/ |
| Gitee | io.gitee.myusername | https://gitee.com/help/articles/4136 |
| Bitbucket | io.bitbucket.myusername | https://support.atlassian.com/bitbucket-cloud/docs/publishing-a-website-on-bitbucket-cloud/ |
| SourceForge | io.sourceforge.myusername | https://sourceforge.net/p/forge/documentation/Project%20Web%20Services/ |
The artifactId identifies the project itself. If the project name is very long, you can use "-" to separate its words.
GPG
Publishing components to the Maven Central repository requires a PGP signature. GnuPG (also known as GPG) is an implementation of OpenPGP. You need to create your own key pair first, and then upload the public key to a key server for verification.
Download and install it from https://www.gnupg.org/download/ and check the installation with the --version flag.
$ gpg --version
gpg (GnuPG) 2.2.28
libgcrypt 1.8.8
Copyright (C) 2021 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: C:/Users/Yixiang Zhao/AppData/Roaming/gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
After successful installation, generate a key pair. In the process, you need to enter a name, an email address and a passphrase. The validity period of the key is 2 years. When it expires, you need to use the passphrase to extend the validity period. You can see that my public key id is 444D548E4E29746B4E2C89FC89985FBD3651A87B.
$ gpg --gen-key
gpg (GnuPG) 2.2.28; Copyright (C) 2021 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Yixiang Zhao
Email address: [email protected]
You selected this USER-ID:
    "Yixiang Zhao <[email protected]>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 89985FBD3651A87B marked as ultimately trusted
gpg: directory 'C:/Users/Yixiang Zhao/AppData/Roaming/gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as 'C:/Users/Yixiang Zhao/AppData/Roaming/gnupg/openpgp-revocs.d\444D548E4E29746B4E2C89FC89985FBD3651A87B.rev'
public and secret key created and signed.
pub   rsa3072 2021-10-14 [SC] [expires: 2023-10-14]
      444D548E4E29746B4E2C89FC89985FBD3651A87B
uid                      Yixiang Zhao <[email protected]>
sub   rsa3072 2021-10-14 [E] [expires: 2023-10-14]
The next steps use your public key for verification, so upload it to a key server. Note that --send-keys is followed by your own public key id.
$ gpg --keyserver keyserver.ubuntu.com --send-keys 444D548E4E29746B4E2C89FC89985FBD3651A87B
gpg: sending key 89985FBD3651A87B to hkp://keyserver.ubuntu.com
Wait about ten minutes, then verify that the public key was published successfully.
$ gpg --keyserver keyserver.ubuntu.com --recv-keys 444D548E4E29746B4E2C89FC89985FBD3651A87B
gpg: key 89985FBD3651A87B: "Yixiang Zhao <[email protected]>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
Create Issue in Sonatype
If developers want to publish components to the Maven Central repository, they need to use Sonatype's Open Source Software Repository Hosting (OSSRH) service. Sonatype uses JIRA to manage requests, so you first need to register an account.
After registering, create a new issue (called a Project ticket in the documentation). For reference, see the test issue I created, OSSRH-74121.
The issue then goes through manual review. Add the assigned number OSSRH-74121 to a TXT record of the domain name, or create a public repository named OSSRH-74121 on GitHub or another hosting service. After waiting for about an hour or two, I passed the review and the Status became RESOLVED.
Configure publishing information
This article uses Maven as the example for publishing your own Java package. If you use Gradle, Ant or other tools, you can refer to the official documentation.
Distribution management and authentication
Add the following configuration in pom.xml to enable publishing to the OSSRH Nexus Repository Manager using the Nexus Staging Maven plugin.
<distributionManagement>
  <snapshotRepository>
    <id>ossrh</id>
    <url>https://s01.oss.sonatype.org/content/repositories/snapshots</url>
  </snapshotRepository>
  <repository>
    <id>ossrh</id>
    <url>https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/</url>
  </repository>
</distributionManagement>
<build>
  <plugins>
    <plugin>
      <groupId>org.sonatype.plugins</groupId>
      <artifactId>nexus-staging-maven-plugin</artifactId>
      <version>1.6.8</version>
      <extensions>true</extensions>
      <configuration>
        <serverId>ossrh</serverId>
        <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
        <autoReleaseAfterClose>true</autoReleaseAfterClose>
      </configuration>
    </plugin>
    ...
  </plugins>
</build>
The following is the JIRA account information required for publishing, which is written to Maven's settings.xml file (usually located in ~/.m2).
<settings>
  <servers>
    <server>
      <id>ossrh</id>
      <username>your-jira-id</username>
      <password>your-jira-pwd</password>
    </server>
  </servers>
</settings>
Note that the id here must be the same as the id in snapshotRepository / repository and the serverId in the plugin configuration; all of them are ossrh.
Javadoc and source code
In order to generate Javadoc and source jar files, you need to add the following configuration in pom.xml.
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-source-plugin</artifactId>
      <version>2.2.1</version>
      <executions>
        <execution>
          <id>attach-sources</id>
          <goals>
            <goal>jar-no-fork</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-javadoc-plugin</artifactId>
      <version>2.9.1</version>
      <executions>
        <execution>
          <id>attach-javadocs</id>
          <goals>
            <goal>jar</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
Signing components with GPG
The Maven GPG plug-in uses the following configuration to sign components.
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>1.5</version>
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <phase>verify</phase>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
Then configure the gpg executable and the passphrase in settings.xml.
<settings>
  <profiles>
    <profile>
      <id>ossrh</id>
      <activation>
        <activeByDefault>true</activeByDefault>
      </activation>
      <properties>
        <gpg.executable>D:/Work/GnuPG/bin/gpg.exe</gpg.executable>
        <gpg.passphrase>the_pass_phrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
</settings>
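Both settings.xml fragments above keep the JIRA password and the GPG passphrase as literal text. As an added example (not from the original article), this Python check flags such literals and accepts values that Maven resolves at run time; the environment variable names OSSRH_PASSWORD and GPG_PASSPHRASE are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# ${env.NAME} is resolved from the environment when Maven reads settings.xml.
ENV_REF = re.compile(r"\$\{env\.\w+\}")
# {...} is ciphertext from `mvn --encrypt-password`; Maven decrypts it for <server> entries.
ENCRYPTED = re.compile(r"\{.+\}")
SECRET_TAGS = {"password", "passphrase", "gpg.passphrase"}

def literal_secrets(settings_xml):
    """Return paths of elements whose secret value is written out in clear text."""
    findings = []

    def walk(node, path, in_server):
        name = node.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        here = f"{path}/{name}"
        in_server = in_server or name == "server"
        value = (node.text or "").strip()
        if name in SECRET_TAGS and value:
            indirect = ENV_REF.fullmatch(value) or (in_server and ENCRYPTED.fullmatch(value))
            if not indirect:
                findings.append(here)
        for child in node:
            walk(child, here, in_server)

    walk(ET.fromstring(settings_xml), "", False)
    return findings

# Constructed sample: the two settings.xml fragments from this article, merged.
AS_WRITTEN = """<settings>
  <servers><server>
    <id>ossrh</id><username>your-jira-id</username><password>your-jira-pwd</password>
  </server></servers>
  <profiles><profile><id>ossrh</id><properties>
    <gpg.passphrase>the_pass_phrase</gpg.passphrase>
  </properties></profile></profiles>
</settings>"""

# Same structure with the secrets read from assumed environment variables.
FROM_ENV = (AS_WRITTEN
            .replace("your-jira-pwd", "${env.OSSRH_PASSWORD}")
            .replace("the_pass_phrase", "${env.GPG_PASSPHRASE}"))

if __name__ == "__main__":
    print(literal_secrets(AS_WRITTEN))  # both secrets are reported
    print(literal_secrets(FROM_ENV))    # nothing is reported
```

An encrypted `{...}` value is accepted only inside a `<server>` entry, because a profile property such as gpg.passphrase is passed to the plugin as written.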
If you want to publish a release version, you also need to configure the project name, description, developer and other information in pom.xml.
<name>maven-release-example</name>
<description>Example project to deploy maven projects.</description>
<url>https://github.com/seriouszyx/maven-release-example</url>
<licenses>
  <license>
    <name>MIT</name>
    <url>https://opensource.org/licenses/MIT</url>
  </license>
</licenses>
<developers>
  <developer>
    <name>Yixiang Zhao</name>
    <email>[email protected]</email>
    <organization>seriouszyx</organization>
    <organizationUrl>https://seriouszyx.com/</organizationUrl>
  </developer>
</developers>
<scm>
  <connection>scm:git:https://github.com/seriouszyx/maven-release-example.git</connection>
  <developerConnection>scm:git:https://github.com/seriouszyx/maven-release-example.git</developerConnection>
  <url>https://github.com/seriouszyx/maven-release-example</url>
</scm>
Release
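The id rule noted earlier and the release metadata shown here can be checked before running mvn clean deploy. This added example is not part of the original article: release_problems is a hypothetical helper, and the sample pom.xml is constructed with a deliberate mismatch.

```python
import xml.etree.ElementTree as ET

# Release metadata shown in the article's last pom.xml fragment.
REQUIRED = ["name", "description", "url", "licenses/license",
            "developers/developer", "scm/connection", "scm/url"]

def parse(xml_text):
    """Parse XML and strip namespaces so plain paths match with or without xmlns."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.rsplit("}", 1)[-1]
    return root

def release_problems(pom_xml, settings_xml):
    """List missing release metadata and repository ids without credentials."""
    pom, settings = parse(pom_xml), parse(settings_xml)
    problems = [f"pom.xml: missing <{p}>" for p in REQUIRED if pom.find(p) is None]
    # Each id used for deployment must name a <server> entry in settings.xml.
    dist = "distributionManagement"
    used = {"snapshotRepository": pom.findtext(f"{dist}/snapshotRepository/id"),
            "repository": pom.findtext(f"{dist}/repository/id")}
    for plugin in pom.iterfind("build/plugins/plugin"):
        if plugin.findtext("artifactId") == "nexus-staging-maven-plugin":
            used["serverId"] = plugin.findtext("configuration/serverId")
    servers = {s.findtext("id") for s in settings.iterfind("servers/server")}
    for where, value in used.items():
        if value not in servers:
            problems.append(f"pom.xml: {where} {value!r} has no <server> in settings.xml")
    return problems

# Constructed sample: <scm> is missing and serverId differs from the repository ids.
POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <name>maven-release-example</name>
  <description>Example project to deploy maven projects.</description>
  <url>https://github.com/seriouszyx/maven-release-example</url>
  <licenses><license><name>MIT</name></license></licenses>
  <developers><developer><name>Yixiang Zhao</name></developer></developers>
  <distributionManagement>
    <snapshotRepository><id>ossrh</id></snapshotRepository><repository><id>ossrh</id></repository>
  </distributionManagement>
  <build><plugins><plugin>
    <artifactId>nexus-staging-maven-plugin</artifactId>
    <configuration><serverId>sonatype</serverId></configuration>
  </plugin></plugins></build>
</project>"""
SETTINGS = "<settings><servers><server><id>ossrh</id></server></servers></settings>"

if __name__ == "__main__":
    print("\n".join(release_problems(POM, SETTINGS)))
```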
Change the version number in pom.xml to 1.0.0, and run mvn clean deploy in the project root directory to publish. After successful publishing, the components are stored in a temporary repository, which is only open to team members. Visit https://s01.oss.sonatype.org/, click the upper right corner to log in with the JIRA account, and search for the newly released components to query the relevant information.
Because the autoReleaseAfterClose option of the nexus-staging-maven-plugin was set to true, after the upload to the staging repository the three steps close -> release -> drop were executed automatically. After waiting for two hours, you can find the component at https://search.maven.org.
Add the dependency to the pom.xml of a new project to use the methods in the jar package.
<dependency>
  <groupId>com.seriouszyx</groupId>
  <artifactId>maven-release-example</artifactId>
  <version>1.0.0</version>
</dependency>