This post is the second part of the series “2:20 to Maven Central” – the complete guide to deploying artifacts to Maven Central.
In the previous post, we looked at how to prepare and verify your luggage (a.k.a. the POM file). The next step on the way to Maven Central is verifying your identity.
You verify your identity by signing your artifacts with an OpenPGP key and publishing the public half of that key to a public PGP key server. Signing is a hard requirement for publishing to Maven Central: every artifact you upload has to be accompanied by a detached signature.
But why, you may ask, do you have to verify your identity? The answer is simple: to maintain the integrity of the Maven Central ecosystem. A signature lets anyone who downloads an artifact check two things, that it has not been modified in any way since it was signed, and that it was signed with the same key as every other release of yours. Note that the key server itself does not check who uploaded a key, so it is this continuity (one key, all releases) that consumers rely on, which is also why losing control of the private key is such a big deal.
Before going into the details, here is the whole signing process in one paragraph. You create a GnuPG keypair consisting of a private and a public key. The private key stays on your machine and is used to sign your artifacts; the public key is uploaded to a public key server so that anyone can fetch it and verify your signatures.
To generate a new keypair, run gpg --gen-key in your terminal (assuming GnuPG is properly installed on your machine).
Follow the prompts and accept the default settings, which are the recommended ones. A few things to note:
The default is a key without an expiration date, which is fine for this purpose. You can add or change an expiration date later with gpg --edit-key, but you then have to re-upload the refreshed public key, and anyone holding a cached copy of the old one will see your signatures as expired until they refresh it.
Choose a good passphrase and guard it carefully. Anyone who obtains your private key and its passphrase can sign artifacts that are indistinguishable from yours, so (bad things could happen)™.
There are several GUI front-ends for GnuPG available which you can use to generate the key if you do not want to work on the command line.
Next you need to upload the public part of your generated key to a public PGP key server. Uploading can be done with the following command in your terminal:
gpg --keyserver pgp.mit.edu --send-key <keyID>
The key ID looks something like 5DED768A; you can find it with gpg --list-keys. That 8-character form is only the last 8 hex digits of the key's fingerprint, and such short IDs can be deliberately collided, so prefer the 16-digit long ID or the full 40-digit fingerprint whenever you have to refer to your key.
PGP keys are forever. Once you upload a key to a key server, you cannot remove it anymore. You may however publish a revocation certificate to let others know that the key is no longer valid. Generate that certificate now and store it offline, while you still have the key and its passphrase (GnuPG 2.1 and later already writes one into the openpgp-revocs.d directory of your GnuPG home at key-creation time); if the key is lost later, so is the ability to revoke it. The MIT PGP public key server FAQ is a good read.
Once you have created and uploaded your key, you should configure Maven to use it for signing your artifacts. For this, there is the maven-gpg-plugin, which shells out to the gpg binary, so the gpg command must be available on the PATH of whoever runs the build.
Ideally we want the artifacts to be signed only when we are performing a release, not during development builds. We therefore add a release profile to the POM that is activated only for releases, for example on the performRelease=true property that the maven-release-plugin sets during release:perform, and that binds the sign goal of maven-gpg-plugin to the verify phase. The plugin then writes an ASCII-armoured detached signature (the .asc file) next to every artifact that will be deployed.
Now you're all set. When performing a release build, you will be prompted for your passphrase and the artifacts will be signed using your GnuPG key. If you have more than one secret key, tell the plugin which one to use via the gpg.keyname property. Avoid passing the passphrase on the command line (it ends up in shell history and process listings); let gpg-agent prompt for it, or keep it in your settings.xml rather than in the POM.
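The whole procedure above, from key generation through the detached signature that maven-gpg-plugin produces and its verification by a consumer, as an added example that is not part of the original post. It runs in throwaway keyrings so it touches neither ~/.gnupg nor any key server; the identity (Jane Doe <jane@example.org>), the passphrase and the bytes standing in for foo-1.0.jar are made-up values. It uses gpg's non-interactive --quick-generate-key instead of the interactive --gen-key from the post, and adds a tampering check the post only implies.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Walks through the signing
# procedure in two throwaway keyrings: the publisher (holds the secret key)
# and a consumer who only ever sees the exported public key.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; exit 0; }

DEMO_UID="Jane Doe <jane@example.org>"    # hypothetical key holder
DEMO_PASS="correct horse battery staple"  # demo passphrase; pick a real one

PUBLISHER_HOME="$(mktemp -d)"; chmod 700 "$PUBLISHER_HOME"
CONSUMER_HOME="$(mktemp -d)";  chmod 700 "$CONSUMER_HOME"
cleanup() {
  for h in "$PUBLISHER_HOME" "$CONSUMER_HOME"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
}
trap cleanup EXIT

pub() { GNUPGHOME="$PUBLISHER_HOME" gpg --batch "$@"; }
# Operations that need the secret key get the passphrase over loopback
# pinentry, i.e. without an interactive prompt.
pub_secret() { pub --pinentry-mode loopback --passphrase "$DEMO_PASS" "$@"; }
con() { GNUPGHOME="$CONSUMER_HOME" gpg --batch "$@"; }

# 1. Generate the keypair. rsa3072 is GnuPG's current default size;
#    the trailing 0 means "no expiration", as in the post.
gen_key() {
  pub_secret --quick-generate-key "$DEMO_UID" rsa3072 sign 0 2>/dev/null
}

# 2. Full 40-hex-digit fingerprint. The 8-character key ID the post shows
#    (e.g. 5DED768A) is merely its last 8 digits.
key_fingerprint() {
  pub --with-colons --fingerprint "$DEMO_UID" | awk -F: '$1=="fpr"{print $10; exit}'
}
short_key_id() { key_fingerprint | sed 's/.*\(........\)$/\1/'; }

# 3. Export the public key in ASCII armour. This is what
#    `gpg --keyserver pgp.mit.edu --send-key <keyID>` uploads; the upload
#    itself is left out so the example runs offline.
export_public_key() {
  pub --armor --export "$(key_fingerprint)" > "$PUBLISHER_HOME/public.asc"
  printf '%s\n' "$PUBLISHER_HOME/public.asc"
}

# GnuPG 2.1+ stores a revocation certificate at key-creation time; copy it
# somewhere safe so the key can be declared invalid if it is ever lost.
revocation_cert_path() {
  printf '%s\n' "$PUBLISHER_HOME/openpgp-revocs.d/$(key_fingerprint).rev"
}

# 4. Sign an artifact the way maven-gpg-plugin does: an ASCII-armoured
#    detached signature written next to the file as <file>.asc.
sign_artifact() {
  pub_secret --yes --armor --detach-sign --local-user "$(key_fingerprint)" "$1"
  printf '%s\n' "$1.asc"
}

# 5. Verify from the consumer side, with nothing but the public key.
#    Returns gpg's exit status: 0 for a good signature, non-zero otherwise.
verify_artifact() {
  con --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# --- Driver: a constructed sample file standing in for foo-1.0.jar ---
ARTIFACT="$PUBLISHER_HOME/foo-1.0.jar"
printf 'demo bytes standing in for a jar\n' > "$ARTIFACT"

gen_key
echo "fingerprint: $(key_fingerprint)  short id: $(short_key_id)"
con --import "$(export_public_key)" 2>/dev/null   # consumer fetches the key
sign_artifact "$ARTIFACT" >/dev/null
if verify_artifact "$ARTIFACT"; then echo "signature OK"; fi

# Any change to the artifact after signing must break verification.
TAMPERED="$PUBLISHER_HOME/foo-1.0-tampered.jar"
cp "$ARTIFACT" "$TAMPERED"; cp "$ARTIFACT.asc" "$TAMPERED.asc"
printf 'x' >> "$TAMPERED"
if ! verify_artifact "$TAMPERED"; then echo "tampered artifact rejected"; fi
```

The consumer keyring never holds the secret key and has not marked the imported key as trusted; gpg still exits 0 for a good signature (with a warning about the untrusted key), which is exactly the situation a Maven Central user is in after fetching your key from the key server.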
Having built and signed the artifacts, the next step would be boarding the train to Maven Central.