我想将一个工件部署到Sonatype OSS存储库.
使用以下命令部署时,签名无效.
mvn clean source:jar javadoc:jar install gpg:sign deploy
> gpg --verify target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:45:50 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: BAD signature from "Philippe Arteau " [ultimate]
如果我删除部署目标,则签名是好的.
mvn clean source:jar javadoc:jar install gpg:sign
> gpg --verify target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:54:34 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: Good signature from "Philippe Arteau " [ultimate]
我意识到,在标志操作之后,罐子被第二次打包.
如何在不破坏签名的情况下进行部署?
有问题的操作:
[INFO] --- maven-gpg-plugin:1.5:sign (default-cli) @ security-versions ---
You need a passphrase to unlock the secret key for
user: "Philippe Arteau "
4096-bit RSA key, ID 63E38ACF, created 2013-05-12
[...]
[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1.jar
[INFO]
[INFO] --- maven-plugin-plugin:3.2:addPluginArtifactMetadata (default-addPluginArtifactMetadata) @ security-versions ---
[INFO]
[INFO] --- maven-source-plugin:2.2.1:jar-no-fork (default) @ security-versions ---
[INFO] Building jar: C:\Code\workspace-java\maven-security-versions\target\security-versions-1.0.1-sources.jar
由于编译和包装已经发生,因此不应该完成第二部分.