Publishing to Maven Central
Recently, I’ve published some artifacts to Maven Central for the first time, and I would like to explain the problems and downsides I’ve faced.
First of all, you have to select a valid groupId. You can’t use anything you have invented; it must be based on a domain or place on the internet that you control. For example, if you have a domain, mydomain.com, your groupId should be com.mydomain. In my case, I don’t have a domain, so I’m using my GitHub user, com.github.tonivade.
After that, you have to create an issue in the Sonatype Jira, asking for a new project. You have to provide some information, such as the selected groupId, the SCM URL, the project URL, the users who should get access, etc.
In 24 or 48 hours you will have a response, and if everything is OK, you can start to publish your artifacts. The credentials to publish in the repository are the same credentials you use to access the Sonatype Jira.
The requirements your artifacts must follow are simple: you have to provide, obviously, a jar, but also a sources jar and a javadoc jar. And those files must be signed using a private key.
Signing is the most difficult thing I had to solve. The official plugin for Maven, maven-gpg-plugin, doesn’t work behind an automatic build tool like Jenkins. This plugin uses the gpg command-line tool, and that tool requires access to a tty, so if you are running in a daemon you don’t have any tty. Well, there’s a solution: maven-pgp-plugin. This plugin doesn’t need the gpg command-line tool as a backend; it implements the signing of artifacts by itself. In any case, you need a key pair generated by gpg, and you have to upload it to a public repository. Detailed instructions here.
Another important thing is that your artifacts are not published directly to Maven Central. After you deploy your artifacts, they are placed in a temporary repository. You have to follow a workflow in order to promote your repo to Maven Central: after the deploy, you have to “close” the repo. This action launches a verification process that checks that your artifacts are correct. If any of the requirements are not met, your deployment is rejected, so you have to try again.
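A local pre-deploy check for the requirements listed above (jar, sources jar, javadoc jar, each signed), so a mistake shows up before the “close” step rejects the deployment. This is an added example, not code from the original post; it assumes standard Maven file naming, detached ASCII-armored signatures stored as `<file>.asc`, and a hypothetical artifact called `demo-lib` version `1.0`.

```python
import tempfile
from pathlib import Path

ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"
# Main jar plus the two extra jars the post lists as required.
CLASSIFIERS = ("", "-sources", "-javadoc")


def check_bundle(directory, artifact_id, version):
    """Return a list of problems; an empty list means every required jar
    is present with a detached signature next to it. This is a structural
    check only: it does not verify the signature cryptographically."""
    problems = []
    for classifier in CLASSIFIERS:
        jar = Path(directory) / f"{artifact_id}-{version}{classifier}.jar"
        sig = jar.with_name(jar.name + ".asc")
        if not jar.is_file():
            problems.append(f"missing {jar.name}")
        elif not sig.is_file():
            problems.append(f"unsigned {jar.name}")
        elif not sig.read_bytes().lstrip().startswith(ARMOR_HEADER):
            problems.append(f"bad signature file {sig.name}")
    return problems


def run_demo():
    """Build a constructed bundle (placeholder bytes, hypothetical names)
    with typical mistakes and return what the check reports at each stage."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "demo-lib-1.0.jar").write_bytes(b"PK constructed")
        (d / "demo-lib-1.0.jar.asc").write_bytes(ARMOR_HEADER + b"\n...\n")
        (d / "demo-lib-1.0-sources.jar").write_bytes(b"PK constructed")
        # Stage 1: sources jar left unsigned, javadoc jar missing entirely.
        before = check_bundle(d, "demo-lib", "1.0")
        # Stage 2: javadoc added and signed, but the sources .asc is junk.
        (d / "demo-lib-1.0-sources.jar.asc").write_bytes(b"not a signature")
        (d / "demo-lib-1.0-javadoc.jar").write_bytes(b"PK constructed")
        (d / "demo-lib-1.0-javadoc.jar.asc").write_bytes(ARMOR_HEADER + b"\n")
        after = check_bundle(d, "demo-lib", "1.0")
    return before, after


if __name__ == "__main__":
    for stage in run_demo():
        print(stage)
```

In a Jenkins job, `check_bundle` can be pointed at the module's `target` directory after packaging and the build failed when the returned list is not empty.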
Well, that’s all. I hope these tips will help you. If you are interested, you can find my artifacts here.