OR Blog
Sharing the Process of Publishing a Package to the Maven Central Repository
苗锦洲
Created: 2023-05-20 11:46:57
Updated: 2024-10-06 20:55:10
Shanghai

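Pulling in dependencies is easy when we build a project with a build tool. When we want others to use our own project, we can share the source code, ship a binary package, and so on. This article walks through publishing a Java project to the Maven Central Repository, using Maven as the build tool.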

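1. Preparing the environment

1.1 Requesting access

1.1.1 Register an account

Sign up for Jira - Sonatype JIRA

1.1.2 Create a new issue (jira)

Create issue

1.1.3 Once the issue is created, just wait for the result

Mind the time-zone difference: I applied in the evening and it was approved in about 10 minutes.
If the request is rejected, a comment will tell you what the problem is; scroll down to see the activity log. There is no need to create a new jira: fix the problem and reopen the existing one.

1.2 Installing and configuring gpg

A signing tool, used to ensure that files have not been tampered with.
Reference: Working with PGP Signatures - The Central Repository Documentation (sonatype.org)

1.2.1 Installation

Download: GnuPG - Download
On macOS you can install it with Homebrew: brew install gnupg
After installing, verify with gpg --version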

    $ gpg --version
    gpg (GnuPG) 2.4.1
    libgcrypt 1.10.2
    Copyright (C) 2023 g10 Code GmbH
    License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Home: /home/mylocaluser/.gnupg
    支持的算法:
    公钥: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
    密文: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
    散列: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    压缩: 不压缩, ZIP, ZLIB, BZIP2

1.2.2 Generate a key pair

    $ gpg --gen-key
    gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.

    Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

    GnuPG needs to construct a user ID to identify your key.

    Real name: Central Repo Test
    Email address: central@example.com
    You selected this USER-ID:
        "Central Repo Test <central@example.com>"

    Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    gpg: key 8190C4130ABA0F98 marked as ultimately trusted
    gpg: revocation certificate stored as '/home/mylocaluser/.gnupg/openpgp-revocs.d/CA925CD6C9E8D064FF05B4728190C4130ABA0F98.rev'
    public and secret key created and signed.

    pub   rsa3072 2021-06-23 [SC] [expires: 2023-06-23]
          CA925CD6C9E8D064FF05B4728190C4130ABA0F98
    uid                      Central Repo Test <central@example.com>
    sub   rsa3072 2021-06-23 [E] [expires: 2023-06-23]

1.2.3 List the key pairs

CA925CD6C9E8D064FF05B4728190C4130ABA0F98 is the keyid.

    $ gpg --list-keys
    /home/mylocaluser/.gnupg/pubring.kbx
    ---------------------------------
    pub   rsa3072 2021-06-23 [SC] [expires: 2023-06-23]
          CA925CD6C9E8D064FF05B4728190C4130ABA0F98
    uid           [ultimate] Central Repo Test <central@example.com>
    sub   rsa3072 2021-06-23 [E] [expires: 2023-06-23]

If you have more than one key pair, use the short keyid (the keyid in hexadecimal form), for example 0x3ABDEC12, and configure it in the project's maven-gpg-plugin to specify which key is used.

    $ gpg --list-signatures --keyid-format 0xshort
    /home/mylocaluser/.gnupg/pubring.kbx
    ---------------------------------
    pub   rsa3072/0x3ABDEC12 2021-01-27 [SC] [expires: 2023-01-27]
          74524542545300A398653AB5242798823ABDEC12
    uid           [ultimate] Other Name <otheremail@example.com>
    sig 3        0x3ABDEC12 2021-01-27  Other Name <alarconj@gmail.com>
    sub   rsa3072 2021-01-27 [E] [expires: 2023-01-27]
    sig          0x3ABDEC12 2021-01-27  Julian Alarcon <alarconj@gmail.com>

    pub   rsa3072/0x0ABA0F98 2021-06-23 [SC] [expires: 2022-03-21]
          CA925CD6C9E8D064FF05B4728190C4130ABA0F98
    uid           [ultimate] Central Repo Test <central@example.com>
    sig 3        0x0ABA0F98 2021-06-24  Central Repo Test <central@example.com>
    sub   rsa3072/0x7C17C93B 2021-06-23 [E] [expires: 2023-06-23]
    sig          0x0ABA0F98 2021-06-23  Central Repo Test <central@example.com>
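
An added example, not from the original post: a short keyid such as 0x3ABDEC12 is only the last eight hex digits of the fingerprint, so two keys in one keyring can share it. This Python sketch resolves a keyname against `gpg --list-keys --with-colons` output and refuses one that selects more than one key; the sample listing, its third key and the function names are assumptions.

```python
# Constructed `gpg --list-keys --with-colons` output (an assumption). The first two primary
# fingerprints are the ones shown above; the third key and the subkey are made up to clash.
SAMPLE_COLONS = """\
pub:u:3072:1:242798823ABDEC12:1611705600:1674777600::u:::scESC:
fpr:::::::::74524542545300A398653AB5242798823ABDEC12:
uid:u::::1611705600::::Other Name <otheremail@example.com>:
sub:u:3072:1:1111222233334444:1611705600:1674777600:::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111222233334444:
pub:u:3072:1:8190C4130ABA0F98:1624406400:1687478400::u:::scESC:
fpr:::::::::CA925CD6C9E8D064FF05B4728190C4130ABA0F98:
uid:u::::1624406400::::Central Repo Test <central@example.com>:
pub:-:3072:1:DEADBEEF3ABDEC12:1650000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF01234567DEADBEEF3ABDEC12:
"""


def primary_fingerprints(colons_output):
    """Map each primary-key fingerprint to its first user ID ("" if none)."""
    keys, current, want_fpr = {}, None, False
    for line in colons_output.splitlines():
        rec = line.split(":")
        if rec[0] in ("pub", "sec"):
            current, want_fpr = None, True
        elif rec[0] in ("sub", "ssb"):
            want_fpr = False  # the fpr record that follows is a subkey's
        elif rec[0] == "fpr" and want_fpr:
            current, want_fpr = rec[9], False
            keys[current] = ""
        elif rec[0] == "uid" and current and not keys[current]:
            keys[current] = rec[9]
    return keys


def resolve_keyname(colons_output, keyname):
    """Return every primary fingerprint that a key ID or fingerprint selects."""
    wanted = keyname.upper()
    wanted = wanted[2:] if wanted.startswith("0X") else wanted
    if len(wanted) not in (8, 16, 40) or set(wanted) - set("0123456789ABCDEF"):
        raise ValueError(f"not a key ID or fingerprint: {keyname!r}")
    return sorted(fp for fp in primary_fingerprints(colons_output)
                  if fp.endswith(wanted))


def pick_signing_key(colons_output, keyname):
    """Return the single matching fingerprint, or refuse an ambiguous keyname."""
    matches = resolve_keyname(colons_output, keyname)
    if len(matches) != 1:
        raise LookupError(f"{keyname} selects {len(matches)} keys: {matches}")
    return matches[0]
```

gpg accepts the full 40-character fingerprint wherever it accepts a key ID, so the value returned by `pick_signing_key` can be used as the keyname in place of the short form.
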

1.2.4 Distribute the public key

Publish the key to a public key server so that others can verify the integrity of your files. CA925CD6C9E8D064FF05B4728190C4130ABA0F98 is the keyid.

    gpg --keyserver keyserver.ubuntu.com --send-keys CA925CD6C9E8D064FF05B4728190C4130ABA0F98

You can publish to more than one server:

    gpg --keyserver keys.openpgp.org --send-keys CA925CD6C9E8D064FF05B4728190C4130ABA0F98
    gpg --keyserver pgp.mit.edu --send-keys CA925CD6C9E8D064FF05B4728190C4130ABA0F98

2. Updating the configuration

2.1 Update the Maven configuration, settings.xml

2.1.1 Add the ossrh server

    <settings>
      <servers>
        ...
        <!-- https://central.sonatype.org/publish/publish-maven/ -->
        <!-- ossrh -->
        <server>
          <id>ossrh</id>
          <username>${jira用户名}</username> <!-- placeholder: your Jira username -->
          <password>${jira密码}</password> <!-- placeholder: your Jira password -->
        </server>
        ...
      </servers>
    </settings>

2.1.2 Add the profiles

    <settings>
      ...
      <profiles>
        <!-- ossrh-start -->
        <!-- https://central.sonatype.org/publish/publish-maven/#gpg-signed-components -->
        <profile>
          <id>ossrh</id>
          <activation>
            <activeByDefault>true</activeByDefault>
          </activation>
          <properties>
            <!-- Set according to your installation: gpg2/gpg -->
            <gpg.executable>gpg</gpg.executable>
            <!-- placeholder: the passphrase entered when generating the key -->
            <gpg.passphrase>${生成密钥时填的密码}</gpg.passphrase>
            <maven-source-plugin.version>3.2.1</maven-source-plugin.version>
            <maven-javadoc-plugin.version>3.5.0</maven-javadoc-plugin.version>
            <maven-gpg-plugin.version>3.1.0</maven-gpg-plugin.version>
            <nexus-staging-maven-plugin.version>1.6.13</nexus-staging-maven-plugin.version>
            <!-- placeholder: the short keyid -->
            <gpg.keyname>${短keyid}</gpg.keyname>
          </properties>
        </profile>
        <!-- Disable the Javadoc comment checks (doclint) -->
        <profile>
          <id>disable-javadoc-doclint</id>
          <activation>
            <jdk>[1.8,)</jdk>
          </activation>
          <properties>
            <javadoc.opts>-Xdoclint:none</javadoc.opts>
          </properties>
        </profile>
        <!-- Automatic release -->
        <profile>
          <id>ossrh-release-auto</id>
          <properties>
            <auto-release-after-close>true</auto-release-after-close>
          </properties>
        </profile>
        <profile>
          <id>ossrh-release-manually</id>
          <properties>
            <auto-release-after-close>false</auto-release-after-close>
          </properties>
        </profile>
        <!-- ossrh-end -->
      </profiles>
      ...
    </settings>
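
Both settings.xml snippets above hold secrets as literal text: the ossrh server password and the gpg.passphrase property. The audit below is an added example, not code from the original post; it flags such literals and accepts Maven's encrypted `{...}` form (written by `mvn --encrypt-password`) for servers, or an `${env.NAME}` reference. The sample file, the `central` and `ci` ids and the variable name `GPG_PASSPHRASE` are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed settings.xml in the layout shown above; every value is made up.
SAMPLE_SETTINGS = """<settings>
  <servers>
    <server><id>ossrh</id><username>u</username><password>example-pw</password></server>
    <server><id>central</id><username>t</username><password>{COQLCE6DU6GtcS5P=}</password></server>
  </servers>
  <profiles>
    <profile><id>ossrh</id>
      <properties><gpg.passphrase>example-passphrase</gpg.passphrase></properties>
    </profile>
    <profile><id>ci</id>
      <properties><gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase></properties>
    </profile>
  </profiles>
</settings>"""

SECRET_ELEMENTS = {"password", "passphrase", "gpg.passphrase"}
ENCRYPTED = re.compile(r"^\{.+\}$")            # written by `mvn --encrypt-password`
FROM_ENV = re.compile(r"^\$\{env\.[^}]+\}$")   # resolved from the environment


def _local(tag):
    """Drop an XML namespace prefix so files with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]


def find_plaintext_secrets(settings_xml):
    """Return sorted (owner, element) pairs whose value is a literal secret."""
    findings = []
    for node in ET.fromstring(settings_xml).iter():
        kind = _local(node.tag)
        if kind not in ("server", "profile"):
            continue
        ident = next((c.text for c in node if _local(c.tag) == "id"), "?")
        for leaf in node.iter():
            value = (leaf.text or "").strip()
            if _local(leaf.tag) not in SECRET_ELEMENTS or not value:
                continue
            # Maven decrypts {...} only for server/proxy credentials, not profile properties.
            safe = FROM_ENV.match(value) or (kind == "server" and ENCRYPTED.match(value))
            if not safe:
                findings.append((f"{kind}:{ident}", _local(leaf.tag)))
    return sorted(findings)
```
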

2.2 Update the project configuration, pom.xml

2.2.1 Add the metadata

    <project>
      ...
      <name>ordinaryroad-bilibili-live</name>
      <!-- description: connects to the Bilibili live-room danmaku stream WebSocket API using Netty -->
      <description>使用Netty来连接B站直播间的弹幕信息流Websocket接口</description>
      <url>https://github.com/1962247851/ordinaryroad-bilibili-live</url>
      <licenses>
        <license>
          <name>The MIT License</name>
          <url>https://opensource.org/license/mit/</url>
          <distribution>repo</distribution>
        </license>
      </licenses>
      <scm>
        <url>https://github.com/1962247851/ordinaryroad-bilibili-live</url>
        <connection>scm:git:https://github.com/1962247851/ordinaryroad-bilibili-live.git</connection>
        <developerConnection>scm:git:https://github.com/1962247851/ordinaryroad-bilibili-live</developerConnection>
      </scm>
      <developers>
        <developer>
          <name>OrdinaryRoad</name>
          <email>or-mjz@qq.com</email>
          <url>https://github.com/1962247851</url>
          <timezone>UTC+08:00</timezone>
        </developer>
      </developers>
      ...
    </project>

2.2.2 Add the plugin configuration

    <project>
      <build>
        <plugins>
          ...
          <!-- publishing plugins: start -->
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-source-plugin</artifactId>
            <version>${maven-source-plugin.version}</version>
            <executions>
              <execution>
                <id>attach-sources</id>
                <goals>
                  <goal>jar-no-fork</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-javadoc-plugin</artifactId>
            <version>${maven-javadoc-plugin.version}</version>
            <configuration>
              <encoding>UTF-8</encoding>
              <charset>UTF-8</charset>
              <docencoding>UTF-8</docencoding>
            </configuration>
            <executions>
              <execution>
                <id>attach-javadocs</id>
                <goals>
                  <goal>jar</goal>
                </goals>
                <configuration>
                  <additionalJOption>${javadoc.opts}</additionalJOption>
                </configuration>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>${maven-gpg-plugin.version}</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
                <configuration>
                  <keyname>${gpg.keyname}</keyname>
                  <passphraseServerId>${gpg.keyname}</passphraseServerId>
                </configuration>
              </execution>
            </executions>
          </plugin>
          <plugin>
            <groupId>org.sonatype.plugins</groupId>
            <artifactId>nexus-staging-maven-plugin</artifactId>
            <version>${nexus-staging-maven-plugin.version}</version>
            <extensions>true</extensions>
            <configuration>
              <serverId>ossrh</serverId>
              <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
              <autoReleaseAfterClose>${auto-release-after-close}</autoReleaseAfterClose>
            </configuration>
          </plugin>
          <!-- publishing plugins: end -->
        </plugins>
      </build>
    </project>

3. Publishing

3.1 Release automatically on deploy

In the IDE, find Maven's Profiles option and select ossrh-release-auto; this is equivalent to mvn xxx -P ossrh-release-auto

This has the same effect as setting autoReleaseAfterClose of nexus-staging-maven-plugin to true:

    ...
    <plugin>
      <groupId>org.sonatype.plugins</groupId>
      <artifactId>nexus-staging-maven-plugin</artifactId>
      <version>${nexus-staging-maven-plugin.version}</version>
      <extensions>true</extensions>
      <configuration>
        <serverId>ossrh</serverId>
        <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
        <autoReleaseAfterClose>true</autoReleaseAfterClose>
      </configuration>
    </plugin>
    ...

Run mvn clean deploy from the console or the IDE and wait; once the release succeeds, a comment is added to the jira issue.

    mvn clean deploy

3.2 Release manually after deploy

This is equivalent to setting autoReleaseAfterClose of nexus-staging-maven-plugin to false:

    ...
    <plugin>
      <groupId>org.sonatype.plugins</groupId>
      <artifactId>nexus-staging-maven-plugin</artifactId>
      <version>${nexus-staging-maven-plugin.version}</version>
      <extensions>true</extensions>
      <configuration>
        <serverId>ossrh</serverId>
        <nexusUrl>https://s01.oss.sonatype.org/</nexusUrl>
        <autoReleaseAfterClose>false</autoReleaseAfterClose>
      </configuration>
    </plugin>
    ...

On success the artifacts are only staged; you then have to choose manually whether to release them or drop them.

  • From the command line

Release:

    mvn nexus-staging:release

Drop:

    mvn nexus-staging:drop

4. Using the package from other projects

Right after publishing, Maven Central - Search (sonatype.com) may not find the package yet; in the meantime you can search for it and use it from here.

4.1 Pulling in a SNAPSHOT

    <repositories>
      <repository>
        <id>ossrh-SNAPSHOT</id>
        <url>https://s01.oss.sonatype.org/content/repositories/snapshots/</url>
        <snapshots>
          <enabled>true</enabled>
        </snapshots>
      </repository>
    </repositories>

Related links

  1. Sign up for Jira - Sonatype JIRA
  2. GnuPG - Download
  3. Working with PGP Signatures - The Central Repository Documentation (sonatype.org)
  4. Configuring Your Project for Deployment (sonatype.com)
  5. Nexus Repository Manager (sonatype.org)
  6. Maven Central - Search (sonatype.com)

2024 update to the publishing process

https://central.sonatype.org/publish/publish-portal-maven/

  1. Migrate the account, then add and verify the namespace
  2. Update the account credentials
  3. Update the publishing plugin

    <build>
      <plugins>
        <plugin>
          <groupId>org.sonatype.central</groupId>
          <artifactId>central-publishing-maven-plugin</artifactId>
          <version>0.6.0</version>
          <extensions>true</extensions>
          <configuration>
            <publishingServerId>central</publishingServerId>
            <autoPublish>true</autoPublish>
          </configuration>
        </plugin>
      </plugins>
    </build>

  4. mvn clean deploy
