Deploying to Maven Central

As part of my Nearsoft Academy program I was asked to deploy an Open Source Java library to Maven Central. I hadn’t done such a thing before, so the first step was to research. And research. And …

I felt overwhelmed with all the information, tutorials and articles I found about the topic. I had no idea how to filter all that information. I couldn’t even decide which method or tools were better for what I was trying to do. After all that research, my partner and I came up with the solution.

This post is about how to prepare your project for Maven Central deployment.

Maven Central is the default repository for Apache Maven. It can easily be used from Ant, Gradle, and many other tools. Big name Open Source organizations publish their components, libraries, and frameworks to the Central repository.

Publish Your Project

The fact you are reading this article means you are looking to publish your project and conveniently make it available as a Maven dependency for thousands of developers. So, without further ado…

Here’s the list of requirements your project needs to meet,

  • Supply correct and complete Javadoc
  • Supply sources
  • Sign each file using GPG/PGP
  • Provide correct coordinates for the project (groupId, artifactId, version)
  • Project name, description, and URL
  • License information (MIT license could be used)
  • Developer information
  • SCM information (GitHub in this case)

For Javadoc and source code, I highly recommend using the existing Maven plugins maven-javadoc-plugin and maven-source-plugin, respectively. Add each plugin to your pom.xml file.

All deployed files need to be signed with GPG/PGP. A .asc file containing the signature must be included for each file.

The files you should deploy are,

  • example-1.0.0.pom
  • example-1.0.0.jar
  • example-1.0.0-sources.jar
  • example-1.0.0-javadoc.jar

The previous files will be automatically generated with the source and javadoc plugins we just installed.

The signed files you need to include are,

  • example-1.0.0.pom.asc
  • example-1.0.0.jar.asc
  • example-1.0.0-sources.jar.asc
  • example-1.0.0-javadoc.jar.asc
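
A pre-deploy check for the two file lists above, as an added example that is not part of the original post: it reports any artifact without a detached .asc signature and any signature that gpg rejects. The GPG_BIN variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: check that every artifact in a release bundle directory has
# a detached .asc signature and that each signature verifies.

# Print each .pom/.jar in directory $1 that lacks a non-empty <file>.asc.
missing_signatures() {
    for f in "$1"/*.pom "$1"/*.jar; do
        [ -f "$f" ] || continue            # glob matched nothing
        [ -s "$f.asc" ] || basename "$f"
    done
}

# Print each .asc in directory $1 that gpg cannot verify against its file.
# GPG_BIN is an assumption of this example: gpg or gpg2, as installed.
# A missing gpg binary or an unknown public key also counts as a failure.
bad_signatures() {
    for sig in "$1"/*.asc; do
        [ -f "$sig" ] || continue
        "${GPG_BIN:-gpg2}" --verify "$sig" "${sig%.asc}" >/dev/null 2>&1 ||
            basename "$sig"
    done
}

# Report problems for directory $1; return non-zero if any were found.
check_bundle() {
    missing=$(missing_signatures "$1")
    bad=$(bad_signatures "$1")
    [ -z "$missing" ] || echo "$missing" | sed 's/^/unsigned: /'
    [ -z "$bad" ] || echo "$bad" | sed 's/^/bad signature: /'
    [ -z "$missing" ] && [ -z "$bad" ]
}

# Usage: sh check_bundle.sh <directory holding the files to deploy>
if [ $# -gt 0 ]; then check_bundle "$1"; fi
```

Run it against the directory that holds the files you are about to deploy; a non-zero exit status means at least one file is unsigned or fails verification.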

To sign our files we need to download GPG from http://www.gnupg.org/download/. Depending on your system, run gpg --version or gpg2 --version to verify it has been properly installed. (I will stick with gpg2 commands from now on.)

Create a Key

Now we proceed to create a key using this command,

gpg2 --gen-key

In response, you will be asked for,

  • Size, select 2048bit.
  • Encryption, RSA.
  • Time validity, select two years (that’s the convention).
  • Then, enter your name, description, and email.
  • Finally, choose a secure passphrase for your key.

To list your keys, use,

gpg2 --list-keys

The one piece of info that matters to us is the keyID. This is the long character chain starting with C3F2675.

Maven Central needs to verify our signed files with our public key. To publish your key, use the following command,

gpg2 --keyserver hkp://pool.sks-keyservers.net --send-keys C3F26754EA46DE8767E5770B6624CAB739783EED

If you are not in the US, you will probably have trouble with this. Let me help you save hours of frustration,

gpg2 --keyserver hkp://ipv4.pool.sks-keyservers.net --send-keys C3F26754EA46DE8767E5770B6624CAB739783EED

Adding ipv4 to the domain should do the trick.

Sign Your Files

We are ready to sign our files. Let’s do this with a plugin called maven-gpg-plugin.

But for this plugin to work we need to modify the settings.xml file, found in either of these two locations,

  • The Maven install: ${maven.home}/conf/settings.xml
  • A user’s install: ${user.home}/.m2/settings.xml

Find it and add the following,

This is needed to tell Maven where to find all the required info to sign our files.

Since your project must be unique in Maven Central, you need to make sure to specify correct coordinates (groupId, artifactId, version). Also, developers will need to know how to find your project, which is why the project name, description, and URL need to be specified.

You also need to specify the license info in the pom file. Since we are all about Open Source here, we can use the MIT license,

You also need to include a developers section,

Finally, you need to add your source control (SCM) information to your pom file.

Are We There, Yet?

Now we meet all the requirements Maven asks for. But we are missing something important.

Since we are looking to publish our Open Source project to the Maven Central repository, we will use the Open Source Software Repository Hosting. This is an approved repository provided by Sonatype. We will deploy to the OSSRH and our artifact will be available in the Central Repository.

For this we need to create a ticket with Sonatype,

Then add some more configuration to our pom,

And add some more configuration to our settings.xml file to authenticate with your recently created JIRA account.
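
The settings.xml edits described above (the signing information and the OSSRH login) put secrets in a file on disk. This added example, which is not from the original post, flags values stored in clear text and a file that other users can read; the sample file, its ossrh server id, and the GPG_PASSPHRASE variable name are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag clear-text secrets in a Maven settings.xml.
# {...} is Maven's encrypted-password form and ${...} is a property or
# environment reference; any other value is treated as plaintext.

# Constructed sample: server id and credential values are placeholders.
sample_settings() {
cat <<'EOF'
<settings>
  <servers><server><id>ossrh</id><username>example-user</username>
    <password>example-plaintext-password</password>
  </server></servers>
  <profiles><profile><id>ossrh</id><properties>
    <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
  </properties></profile></profiles>
</settings>
EOF
}

# Print the name of each secret element in file $1 that holds a literal value.
# Line-based: expects the opening tag and its value on the same line.
plaintext_secrets() {
    sed -nE 's/.*<(password|passphrase|gpg\.passphrase)>([^<]*)<.*/\1 \2/p' "$1" |
    while read -r name value; do
        case $value in
            '{'*'}' | '${'*'}' | '') ;;   # encrypted, referenced, or empty
            *) echo "$name" ;;
        esac
    done
}

# Succeed when file $1 is readable by group or others.
readable_by_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Report findings for file $1; return non-zero if there are any.
audit_settings() {
    status=0
    for name in $(plaintext_secrets "$1"); do
        echo "plaintext <$name> in $1"; status=1
    done
    if readable_by_others "$1"; then
        echo "$1 is readable by other users; consider chmod 600"; status=1
    fi
    return "$status"
}

if [ $# -gt 0 ]; then audit_settings "$1"; fi
```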

At the end your pom file should look like this.

Note: The usage of <repositories> and <pluginRepositories> is strongly discouraged by Maven.

We have finished all configuration and we are ready to deploy to the staging repository after receiving an email notice indicating that your New Project ticket is Resolved.

If this is a release version (one that does not end in -SNAPSHOT) and the property autoReleaseAfterClose is set to true, you can run a deployment to OSSRH and an automated release to the Central Repository with the usual,

mvn clean deploy

With the property autoReleaseAfterClose set to false you can manually inspect the staging repository in the Nexus Repository Manager and trigger a release of the staging repository later with,

mvn nexus-staging:release

Are We Done?

Finally, we are done. I really hope this article helps you.

Enjoy your public Maven repository, and see you soon!

If you have any questions, I can gladly answer you at [email protected].
