I am having trouble signing maven artifacts for a new Derby release
(10.16.1.1). The details of the problem are described at
https://issues.apache.org/jira/browse/INFRA-23348. The release itself is
published on the Apache mirrors and can be downloaded from
https://db.apache.org/derby/releases/release-10_16_1_1.cgi. The Apache
distros listed on that web page have gpg signatures and SHA-512 checksums.
But our release process calls for unpacking the distros and publishing
the contained jar files to maven repositories, along with maven poms
which declare the dependencies between the jar files. This is where I am
stuck. I have managed to push the jars and poms to the Nexus repository
along with corresponding md5 and sha1 checksums. I have also gpg-signed
the jars and poms by hand. But I don't know how to push the signatures
to Nexus.
I would appreciate answers to the following questions:
1) Is publication to maven repositories required for Apache releases or
is publication to the mirrors good enough?
2) Are gpg signatures required for the maven artifacts staged at Nexus?
If not, then I will just release the artifacts and checksums into the
wild and wrap up the publication process.
2) But if maven publication is required and gpg signatures are
required...How do I debug my problem with using maven to push signatures
to Nexus? The maven error message is terse. No additional useful
information comes back when I run the maven command with -e and -X
switches. I haven't found any useful information on the web.
For the record, this is the command which fails...
mvn -Dgpg.passphrase="blah blah blah my passphrase" clean deploy
...and this is the error message I see:
[ERROR] Failed to execute goal
org.apache.maven.plugins:maven-gpg-plugin:1.3:sign (sign-artifacts) on
project derby-project: Exit code: 2 -> [Help 1]
org.apache.maven.lifecycle.LifecycleExecutionException: Failed to
execute goal org.apache.maven.plugins:maven-gpg-plugin:1.3:sign
(sign-artifacts) on project derby-project: Exit code: 2
Thanks,
-Rick
