2 votes

I have a simple Java application and I would like to publish my JAR in the Maven Central repository. On looking through the procedure, it is mentioned that my JARs need to be signed with a PGP signature.

https://maven.apache.org/repository/guide-central-repository-upload.html

The documentation mentions that we must sign so that users can be sure they are downloading the original artifact. If that's the case, is there any way to upload the JAR file to Maven Central without signing, for testing purposes?

Also, my JAR is signed with a code-signing certificate. So, do I really need this PGP signature? Signing the JAR with the certificate itself confirms that it came from a trusted source. Do we really need this additional PGP signing? If so, can anyone explain this?

I would appreciate any solution for publishing to Maven Central without signing. Please advise me on this.

Note: I am using Gradle as the build tool for publishing the JAR to Maven Central.


2 Answers

2 votes

Yes you do. It is necessary as it is their policy.

For a small open-source developer the easiest thing to do is probably to register with https://central.sonatype.org/pages/ossrh-guide.html so you can push whenever you want after the initial registration.

2 votes

Yes. It is a strict requirement. There is no other solution.
It does not matter that you have signed with something else. It must be PGP, and in fact you must distribute/publish the public key to a public key server. Maven Central will need to pull your public key from one of several key servers.
Check this link: https://central.sonatype.org/publish/requirements/gpg/

For the purposes of testing, you can use gradlew publishToMavenLocal, which will "install" your library on your local machine. Normally this repo is at %HOME%\.m2\repository. In this case, you don't need to sign anything. It's quite straightforward, and everything should work as if your library had been uploaded to a centralized repo.

Then, on the project that imports your library for testing, just make sure to include the maven repository mavenLocal() alongside the other centralized repos:

build.gradle

repositories {
    mavenLocal()
    mavenCentral()
    jcenter()
}

There is also the Maven repo jcenter, where it might be possible to upload without that PGP signature.

Lastly, I have heard about this private and supposedly free Maven repository called repsy (https://repsy.io/). I have never tried it, but I imagine you won't need to sign the artefacts there. Might be useful for testing.
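The following build.gradle is an added example, not code from either answer or from the question author. It shows the setup the second answer describes: the standard Gradle maven-publish and signing plugins, with PGP signing made conditional so that gradlew publishToMavenLocal stays unsigned for local testing while a real publish to the remote repository must be signed. The group, version, pom fields and the repository URL are placeholders, not real coordinates; the repository URL has to come from the OSSRH guide linked above.

```groovy
// build.gradle (Groovy DSL). Added example; assumes a plain Java library
// project and the built-in 'java-library', 'maven-publish' and 'signing' plugins.
plugins {
    id 'java-library'
    id 'maven-publish'
    id 'signing'
}

group = 'com.example'          // placeholder coordinates, not a real project
version = '0.1.0'

java {
    withSourcesJar()           // Central also expects sources and javadoc jars
    withJavadocJar()
}

publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
            pom {              // placeholder metadata; Central requires these fields
                name = 'example-lib'
                description = 'Placeholder description'
                url = 'https://example.invalid/placeholder'
                licenses { license { name = 'Apache-2.0' } }
                developers { developer { id = 'placeholder'; name = 'Placeholder' } }
                scm { url = 'https://example.invalid/placeholder' }
            }
        }
    }
    repositories {
        maven {
            name = 'ossrh'
            // Assumption: replace with the staging URL given in the OSSRH guide.
            url = 'https://staging.example.invalid/placeholder'
            // Reads ossrhUsername / ossrhPassword from gradle.properties,
            // so no credentials are written into the build file.
            credentials(PasswordCredentials)
        }
    }
}

signing {
    // Use the local gpg binary; key id and passphrase come from gradle.properties
    // (signing.gnupg.keyName, signing.gnupg.passphrase), never from this file.
    useGpgCmd()
    // Only require a signature when the remote publish task is in the task graph.
    // Task name follows Gradle's publish<Publication>PublicationTo<Repo>Repository pattern,
    // so publishToMavenLocal produces unsigned jars, as the answer describes.
    required { gradle.taskGraph.hasTask(':publishMavenJavaPublicationToOssrhRepository') }
    sign publishing.publications.mavenJava
}
```

With this in place, gradlew publishToMavenLocal drops the unsigned jar, sources jar, javadoc jar and pom under the local .m2 repository for a consuming project that lists mavenLocal(), while gradlew publish fails early if no gpg key is configured rather than uploading unsigned artefacts. The .asc files that the signing task writes next to each artefact are what a consumer can check with gpg --verify against the public key you uploaded to a key server, which is the guarantee the Central requirements page is asking for.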