Nexus Repository Manager's Remove Snapshots scheduled task is not cleaning out timestamped artifact's associated GPG signature files?

2
votes

I am running a dockerized Nexus Repository Manager v2.13.0-01. I have artifacts in the Snapshot repository that I want to remove using the Remove Snapshots scheduled task. My parameters for this scheduled task is as follows.

  • Repository/Group : Snapshots (Repo)
  • Minimum snapshot count: 1
  • Snapshot retention (days): 1
  • Remove if released : (unchecked)
  • Grace period after release (days): 1
  • Delete immediately: (checked)

When I run this task, I am expecting at least 1 snapshot to be kept and all other snapshots older than 1 day to be removed. What I am noticing when I am on the Browse Storage tab is that all the .jar + .pom files are being removed including associated .md5 and .sha1 files. For example, the following files are removed.

  • my-artifact-0.0.1-20160705-020817-5-javadoc.jar
  • my-artifact-0.0.1-20160705-020817-5-javadoc.jar.md5
  • my-artifact-0.0.1-20160705-020817-5-javadoc.jar.sha1
  • my-artifact-0.0.1-20160705-020817-5-sources.jar
  • my-artifact-0.0.1-20160705-020817-5-sources.jar.md5
  • my-artifact-0.0.1-20160705-020817-5-sources.jar.sha1
  • my-artifact-0.0.1-20160705-020817-5.pom
  • my-artifact-0.0.1-20160705-020817-5.pom.md5
  • my-artifact-0.0.1-20160705-020817-5.pom.sha1
  • my-artifact-0.0.1-20160705-020817-5.jar
  • my-artifact-0.0.1-20160705-020817-5.jar.md5
  • my-artifact-0.0.1-20160705-020817-5.jar.sha1

However, the associated .asc, .asc.md5, and .asc.sha1 hashes are NOT being removed. For example,

  • my-artifact-0.0.1-20160705-020817-5.jar.asc
  • my-artifact-0.0.1-20160705-020817-5.jar.asc.md5
  • my-artifact-0.0.1-20160705-020817-5.jar.asc.sha1

The following are the 2 maven plugins that I use to publish to my SNAPSHOT repository in the pom.xml.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
      <execution>
        <id>sign-artifacts</id>
        <phase>verify</phase>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
  <plugin>
    <groupId>org.sonatype.plugins</groupId>
    <artifactId>nexus-staging-maven-plugin</artifactId>
    <version>1.6.7</version>
    <extensions>true</extensions>
    <configuration>
      <serverId>mycompanynexus</serverId>
      <nexusUrl>http://nexus.mycompanynexus.io/</nexusUrl>
      <autoReleaseAfterClose>true</autoReleaseAfterClose>
    </configuration>
  </plugin>

My distribution management section in the pom.xml looks like the following.

<distributionManagement>
 <snapshotRepository>
   <id>mycompanynexus</id>
   <url>http://nexus.mycompanynexus.io/content/repositories/snapshots/</url>
 </snapshotRepository>
 <repository>
  <id>mycompanynexus</id>
  <url>http://nexus.mycompanynexus.io/content/repositories/releases/</url>
 </repository>
</distributionManagement>

Not shown is my settings.xml where I supply the credentials for publishing to these repositories.

When I deploy, I simply type in mvn clean deploy with Maven v3.3.9.

As I was querying for solutions, I came across this blog post http://blog.sonatype.com/2010/01/how-to-generate-pgp-signatures-with-maven/, however, I don't know if I agree with not signing my SNAPSHOT artifacts (for if I didn't, then the GPG signatures and checksums would not be produced and I wouldn't have to worry about deleting them with the scheduled service). Moreover, OSSRH's guidelines illustrates signing SNAPSHOT artifacts. Maybe it is standard practice to NOT sign SNAPSHOT artifacts?

Any help is appreciated.

1
maven-3nexusgnupg

1 Answers

1
votes

For internal usage of Nexus Repository Manager it is probably not standard practice to sign artifacts with GPG - not released and not snapshots either. However for distribution to the Central Repository via OSSRH it is pretty common although probably also not standard.

Typically the GPG plugin usage is part of a release profile and that is often not use for snapshot deployments. So depending on your internal needs you should be okay to just not use GPG at all or just not for snapshot builds.

On the other hands the snapshot deletion scheduled task should work for that deletion. There were some changes with regards to performance and behaviour in the last releases though. I just tested this and it turns out there is a regression in 2.11+. We created an issue at https://issues.sonatype.org/browse/NEXUS-10460 . Please follow that for updates. Hopefully we will include a fix in the next release (2.14).

Update 2016-07-13: A patch is now available and fixed jar is attached to the linked issue.