Publishing artifacts to Sonartype repo

Notes on publishing artifacts

As ever these notes are taken from all over the web and are here as a memory jogger for me, but perhaps others find them useful.

I admit its all a little painful and wierd to publish, but good to do at least once - or many times as I needed for all the little SackFix projects

PGP keys

Generates via Kleopatra

Jonathan Gibbons Jonathan@sackfix.org … Name: Jonathan Gibbons (www.sackfix.org jar key)

Never expires

Certificate created successfully. Fingerprint: …

Key ID: …

Finding the pgp keys

First of all you have to find them on the windows box:

Found where it stores the keys: C:\Users\Jonathan\AppData\Roaming\gnupg

Guessed after reading:

OK, the default location for the GnuPG home directory on Windows is %APPDATA%\GnuPG. This normally expands to C:\Documents and Settings<user>\Application Data\GnuPG.

GnuPG stores its configuration file, gpg.conf, here, as well as the 3 keyring files: pubring.gpg, secring.gpg, & trustdb.gpg.

If you’re going to relocate your keyring files, leave gpg.conf where it is, and just move the three *.gpg files. Then point gpg.conf to the location of the keyring files. Eg, assuming the TrueCrypt volume is mounted as O:,

no-default-keyring
keyring         O:\GnuPG\pubring.gpg
primary-keyring O:\GnuPG\pubring.gpg
secret-keyring  O:\GnuPG\secring.gpg
trustdb-name    O:\GnuPG\trustdb.gpg

Adding keys to SBT

To make my gpg pass phrase available, BUT not checked in, do this Edit C:\Users\Jonathan.sbt\0.13\plugins\pgp.sbt // OLD VERSION: addSbtPlugin(“com.jsuereth” % “sbt-pgp” % “1.0.0”) // in March 2021 this is: addSbtPlugin(“com.github.sbt” % “sbt-pgp” % “2.1.2”)

Edit C:\Users\Jonathan.sbt\0.13\pgp.sbt or C:\Users\Jonathan.sbt\1.0\pgp.sbt

and add

com.typesafe.sbt.pgp.PgpKeys.pgpSecretRing := file(“/Users/Jonathan/AppData/Roaming/gnupg/secring.gpg”)

com.typesafe.sbt.pgp.PgpKeys.pgpPublicRing := file(“/Users/Jonathan/AppData/Roaming/gnupg/pubring.gpg”)

com.typesafe.sbt.pgp.PgpKeys.pgpPassphrase := Some(Array(‘Y’,’o’,’u’,’r’,’P’,’a’,’s’,’s’,’w’,’o’,’r’,’d’))

Configure Sonartype

Edit C:\Users\Jonathan.sbt\0.13\sonartype.sbt

credentials += Credentials("Sonatype Nexus Repository Manager",
                           "oss.sonatype.org",
                           "YourLogin",
                           "YourPassword")

Building in SBT

sbt
>project sackfixcommon
>show */*:pgpSecretRing
>publish-signed
>publish-local-signed

Setting up the Sonartype repository

Create a new staging repository: sonatypeOpen “your groupId” “Some staging name” Sign and publish the library to the staging repository: publishSigned You can and should check the published artifacts in the Nexus Repository Manager (same login as Sonatype’s Jira account) Close the staging repository and promote the release to central: sonatypeRelease

sbt
>project sackfixcommon
# did not need this:  creates its own temp staging  >sonatypeOpen "org.sackfix" "sackfixstaging"
>publishSigned
NOW login to Nexus - take a look at the contents of the staging, drop any other staging area that are open etc.
https://oss.sonatype.org/#stagingRepositories
Search in search box for org.sackfix
I then clicked on the close box and said Ready to go, and finally can run:
>sonatypeRelease

Some random bits

http://www.scala-sbt.org/0.13/docs/Using-Sonatype.html

Add gpg.exe to the path:

To the project settings add:

useGpg := true

And validate using sbt >check-pgp-signatures