incubator-general mailing list archives

From Daniel Kulp <>
Subject Re: [VOTE] Approve release of SCA specification APIs by Tuscany project
Date Fri, 16 Mar 2007 00:43:42 GMT
On Thursday 15 March 2007 20:07, Jeremy Boynes wrote:
> There appears to be a bug in the gpg plugin for mvn. When I did this
> release I used gpg:sign as a goal on the command line and that
> consistently generates invalid keys for all except the last artifact
> (in this case the JavaDoc) even in the local repo. When I did the
> kernel modules I added a profile to the build which includes gpg:sign
> and for those all artifacts seem to have valid signatures.
> Rather than resign the deployed artifacts (just in case there is
> something squiffy going on), I'll pull them down, add a profile to
> the pom and then redeploy them.

I don't think there's a way to get the gpg:sign stuff to work outside of 
a profile and have it install/deploy correctly.  You MIGHT be able to 
get it to work on the command line via:

mvn verify gpg:sign install:install deploy:deploy

Basically, gpg:sign will sign the artifacts that are attached to the 
lifecycle at the point in the lifecycle that it runs.  (default is 
verify phase) install/deploy then deploys those things.

If you tried it with:
mvn package gpg:sign deploy
that won't work. The "package" will run a lifecycle up to package, then 
run gpg:sign signing those artifacts, but the deploy would then start 
another complete lifecycle which would rebuild the jars causing the 
signature to be invalid. The pom doesn't change in the second build 
which is why that sig is OK.

I'll try and update the gpg docs tomorrow.

J. Daniel Kulp
Principal Engineer
P: 781-902-8727    C: 508-380-7194
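
The profile approach discussed in this thread, as an added example that is not part of the original message or of the Tuscany build: a profile that binds the gpg plugin's sign goal to the verify phase, so that signing, install and deploy all happen in a single lifecycle run. The profile id `release-sign` and the execution id are assumptions, and no plugin version is given here.

```xml
<!-- Added example: fragment for the <project> element of pom.xml.
     The profile id "release-sign" is a hypothetical name. -->
<profiles>
  <profile>
    <id>release-sign</id>
    <build>
      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-gpg-plugin</artifactId>
          <!-- Pin a <version> in a real build; none is assumed here. -->
          <executions>
            <execution>
              <id>sign-artifacts</id>
              <!-- verify runs after package and before install/deploy, so the
                   .asc files are made from the same jars that get deployed. -->
              <phase>verify</phase>
              <goals>
                <goal>sign</goal>
              </goals>
            </execution>
          </executions>
        </plugin>
      </plugins>
    </build>
  </profile>
</profiles>
<!-- Invoke as one lifecycle run: mvn -Prelease-sign deploy
     Nothing is rebuilt between signing and deployment, unlike
     "mvn package gpg:sign deploy", which starts a second lifecycle. -->
```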
