Yup, your signatures are wrong, they are not detached as it seems but full payload?
[cstamas@infinity Downloads]$ gpg --verify dsiutils-2.7.3.jar.asc dsiutils-2.7.3.jar
gpg: not a detached signature
[cstamas@infinity Downloads]$ gpg --verify dsiutils-2.7.3.jar.asc
gpg: Signature made 2023. márc. 7., kedd, 19:39:36 CET
gpg: using RSA key 0CB5871FB7BF3B351614BBF6CA85FFE638D4407A
gpg: Can't check signature: No public key
[cstamas@infinity Downloads]$

Invoke gpg with "--armor --detach-sign", this is what maven plugin does:
https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L136-L138

Also, make sure your public key is available from SKS servers, as Sonatype Nexus will try to fetch it.

HTH
Tamas

On Tue, Mar 7, 2023 at 7:39 PM Sebastiano Vigna <[email protected]> wrote:

> > On 7 Mar 2023, at 17:23, Tamás Cservenák <[email protected]> wrote:
> >
> > Howdy
> >
> > Could you just invoke gpg cli (that's what maven gpg plugin does as well)
> > and just add that file as type "jar.asc"?
>
> I tried that. Apart from a lot of manual fiddling (e.g., the new target
> will upload pom.xml, but *not* its signature, etc.) at the end Sonatype
> refuses to validate the signatures. Maybe I have to upload something more,
> but this stuff was set up 20y ago and worked since then like a charm.
> Delving again now in this mess without any migration path is really burning
> me out.
>
> "Failed to validate the pgp signature of
> '/it/unimi/dsi/dsiutils/2.7.3/dsiutils-2.7.3-javadoc.jar', check the logs."
>
> I have looked everywhere in the Sonatype web interface for such logs, with
> no results :(.
>
> Ciao,
>
> seba
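The gpg output in this message turns on whether the .asc file holds only signature packets (detached) or a signed message that embeds the payload. As an added example, not part of the original thread and not Maven or Sonatype code, this Python check reads the OpenPGP packet tags of an armored file to tell the two apart before upload; the two sample strings are constructed, with dummy bodies that are not real signatures.

```python
import base64

SIGNATURE, ONE_PASS, COMPRESSED, LITERAL = 2, 4, 8, 11   # OpenPGP packet tags

def dearmor(text):
    """Return the binary data of one armored block (CRC-24 '=' line dropped)."""
    lines = [l.strip() for l in text.strip().splitlines()]
    body = [l for l in lines if not l.startswith("-----")]
    if "" in body:                       # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))

def packet_tags(data):
    """Walk the packet headers (RFC 4880, section 4.2) and return each tag."""
    tags, i = [], 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                   # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:                        # partial body length: treat as running to the end
                length, i = len(data), i + 2
        else:                            # old-format header
            tag, nbytes = (hdr & 0x3C) >> 2, (1, 2, 4, 0)[hdr & 0x03]
            length = int.from_bytes(data[i + 1:i + 1 + nbytes], "big") if nbytes else len(data)
            i += 1 + nbytes
        tags.append(tag)
        i += length
    return tags

def classify(asc_text):
    """'detached' if only signature packets are present, 'inline' if a payload is."""
    tags = packet_tags(dearmor(asc_text))
    if tags and all(t == SIGNATURE for t in tags):
        return "detached"
    if tags and tags[0] in (ONE_PASS, COMPRESSED, LITERAL):
        return "inline"
    return "unknown"

# Constructed samples: real packet framing, dummy bodies (not valid signatures).
DETACHED_SAMPLE = "-----BEGIN PGP SIGNATURE-----\n\niQAEBAABCg==\n-----END PGP SIGNATURE-----\n"
INLINE_SAMPLE = "-----BEGIN PGP MESSAGE-----\n\nowECAwQ=\n-----END PGP MESSAGE-----\n"
```

`gpg --list-packets file.asc` prints the same packet sequence and can be used to cross-check a real file.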
