Thank you, this seems like what I needed. It turns out gpg-agent has to be used to sign.
Unfortunately the Internet bandwidth required to upload all the files is vast, so a Sanselan release is probably only going to happen in January. In the meanwhile, does my key have to be linked into the web of trust before I can make a release?

Damjan

On Thu, Dec 15, 2011 at 7:05 PM, Simone Tripodi <simonetrip...@apache.org> wrote:

> Hi Damjan!
>
> I suggest you approach the wiki page[1] first to see how components are released in commons, at least the described method is the one I follow when proposing RCs.
>
> HTH, have a nice day!
> -Simo
>
> [1] http://wiki.apache.org/commons/CreatingReleases
>
> http://people.apache.org/~simonetripodi/
> http://simonetripodi.livejournal.com/
> http://twitter.com/simonetripodi
> http://www.99soft.org/
>
> On Thu, Dec 15, 2011 at 5:58 PM, Damjan Jovanovic <damjan....@gmail.com> wrote:
> > Hi
> >
> > I promised to start the Sanselan release process early this week, but I've been having problem after problem:
> >
> > 1. The instructions on http://commons.apache.org/releases/prepare.html say that you run a variation of "mvn install" to build the release... but this only generates the .jar files, not the src/bin zip/tar.gz/tar.bz2 files.
> >
> > 2. Running "mvn assembly:assembly" fails because my UTF-8 platform locale causes a multibyte bug in Plexus Archiver when writing a German-sounding filename into the src tar file. I reported this 3-year-old bug and submitted a patch (http://jira.codehaus.org/browse/PLXCOMP-195). How did you build Sanselan without this patch before?
> >
> > 3. Running "mvn assembly:assembly" with a manually patched Plexus Archiver (and what a mission it was to figure out which of the 5 versions of Plexus Archiver in my Maven repository is the one used...) does generate those other files, but doesn't sign them.
> >
> > 4. My attempts to manually sign the .jar file, or its md5 or sha1 hash, with gpg, generate different checksums than those generated by Maven. Thus I cannot manually sign the zip/tar files. How is signing supposed to work, what gets signed and how?
> >
> > 5. "mvn release" is so badly documented that I am scared to use it. When I run it with -DdryRun=true, it hangs on [gpg:sign {execution: sign-artifacts}]. The child process launched by "mvn release:prepare" is launched without this parameter, and strace shows it stuck in read() on fd 0 (stdin). Typing the passphrase and pressing enter does nothing. Redirecting stdin from a file with the passphrase also does nothing. Attempts to use -Dgpg.passphrase=... also do nothing, whether passed directly to "mvn" or quoted inside the -Darguments or both, and "ps fax" shows that it isn't passed to the child process.
> >
> > Please help?
> >
> > Thank you
> > Damjan
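
The question in point 4 of the quoted message (what gets signed, and how that relates to the md5/sha1 files) can be shown with a short script. This is an added example, not part of the thread or of the Commons build: it assumes GnuPG 2.1 or later and coreutils, uses a throwaway key and a constructed file, and assumes the common release layout of bare-digest `.md5`/`.sha1` files next to an armored detached `.asc` signature.

```shell
#!/usr/bin/env bash
# Added example: the key, file names and contents are constructed for the demo.

# Throwaway passphrase-less key in an isolated keyring (assumes GnuPG 2.1+).
make_demo_key() {
    GNUPGHOME="$(mktemp -d)" && export GNUPGHOME && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo RM <rm@example.invalid>' default default never
}

# Write the sidecar files for one artifact:
#   .md5 / .sha1 - bare hex digests of the artifact bytes (integrity only)
#   .asc         - armored detached OpenPGP signature over the same bytes
sign_artifact() {
    local f="$1"
    md5sum  "$f" | cut -d' ' -f1 > "$f.md5"
    sha1sum "$f" | cut -d' ' -f1 > "$f.sha1"
    gpg --batch --yes --armor --detach-sign --output "$f.asc" "$f"
}

# Signature check alone: the .asc is bound to the artifact, not to the digest files.
verify_signature_only() {
    gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Succeeds only if both digests match and the signature verifies.
verify_artifact() {
    local f="$1"
    [ "$(md5sum  "$f" | cut -d' ' -f1)" = "$(cat "$f.md5")" ]  || return 1
    [ "$(sha1sum "$f" | cut -d' ' -f1)" = "$(cat "$f.sha1")" ] || return 1
    verify_signature_only "$f"
}

# Stop the agent started for the throwaway keyring and delete the keyring.
cleanup_demo_key() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
}

# Run as "script.sh demo" to walk through sign, verify, tamper, verify.
if [ "${1:-}" = "demo" ]; then
    work="$(mktemp -d)"; art="$work/demo-1.0.jar"
    printf 'constructed artifact bytes\n' > "$art"
    make_demo_key && sign_artifact "$art"
    verify_artifact "$art" && echo "untouched artifact: OK"
    printf 'x' >> "$art"
    verify_artifact "$art" || echo "modified artifact: rejected"
    cleanup_demo_key; rm -rf "$work"
fi
```

The digest files only detect accidental corruption; the `.asc` file is what ties the artifact to the release manager's key.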