Publish JAR To Central Maven Repository
- Steps to Publish to Central Maven Repository
- Configure POM File for Distribution Management
- Configure POM File for Nexus Staging Plugin
- Configure POM File for Sources
- Configure POM File for JavaDoc
- Configure POM File for Signing JAR Files
- Configure settings.xml
- Publish JAR File
To publish a JAR file with compiled Java classes to the Maven central repository you need to go through set of steps. This tutorial contains a checklist of what steps you need to take to be able to publish your Java project or product to the central Maven repository, along with comments about what you need to do, plus relevant links.
Publishing a JAR file to the central Maven repository makes that JAR file available to anyone using Maven to manage dependencies for their Java project. Thus, the central Maven repository is a handy way for open source projects to distribute the JAR files for their code. It is also a handy way for other types of public code to be shared, like an API for a SaaS or cloud platform. That client might not be open source, but it should still be easily and freely available to its users.
This is not a fully exhaustive manual for publishing to the Maven central repository, but this tutorial is a good place to start learning about what it takes. The official manual can be found here: Producers Guide to Publishing to Central Maven Repository. The official manual, however, is easy to "get lost" in - meaning you easily lose overview of what step you are at, and how many steps you need etc. Hopefully the checklist in this tutorial will help you get an overview and stay on course. Over time I will add more information to this tutorial, so it will become more and more helpful to you.
This guide is still "work in progress" ! Please be patient ! More information will follow as I dig it up!
Steps to Publish to Central Maven Repository
To publish JAR files to the central Maven repository there are 3 sets of steps you must go through. Each of these sets of steps are explained in the following sections.
Create a Sonatype Account and Claim your Namespace
Before you, or your organization, can publish anything to the central Maven repository, you will need to go through the following steps:
- Create account at Sonatype
- Claim your product's name space
These steps are a one-time setup process you need to go through.
Create and Publish PGP Keys
All JAR files published to the central Maven repository must be digitally signed using a PGP private key. To do so, you must create your own PGP private key / public key pair and publish the public key to a public key server. The private key you must keep to yourself. You need that to sign all JAR files that you want to publish to the central Maven repository. The public key is used to verify the signature by users downloading the JAR files from the central Maven repository. Creating the PGP key pair and publishing it requires the following steps:
- Create a PGP private / public key pair to sign your JAR files with
- Publish your key to public key server
The PGP private key will eventually expire. You don't need to "extend" the private key. You can just create a new and publish to the public key server when the old one expires. New releases are then signed with this new key pair.
You can find more information about creating and publishing a public key / priate key pair from the Sonatype producers page: https://central.sonatype.org/pages/producers.html. It can be a bit challenging to get it to work on windows, because Windows PGP shows a bit different output and behaves a little bit different than the examples shown in the official documentation. But keep searching around on the web, and you will eventually get it to work. I know I did.
Prepare Your Project Maven POM File
For each Java project you want to publish the JAR files of to the central Maven repository, you need to go through the following set of POM file configuration steps:
- Configure POM file with project coordinates
- Configure POM file with project name
- Configure POM file with project description
- Configure POM file with project URL
- Configure POM file with project license
- Configure POM file with project developers
- Configure POM file with project distribution management
Steps for the project POM - plugins:
- Configure POM file for Nexus staging plugin
- Configure POM file for Sources
- Configure POM file for JavaDoc
- Configure POM file for Signing
For a full POM file, check out the pom.xml in this github repository: RION Ops for Java GitHub Repository
Steps for your Maven settings.xml file:
- Configure Sonatype account login
- Configure PGP key used to sign JAR files
Configure POM File for Distribution Management
<distributionManagement> <snapshotRepository> <id>ossrh</id> <url>https://oss.sonatype.org/content/repositories/snapshots</url> </snapshotRepository> <repository> <id>ossrh</id> <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url> </repository> </distributionManagement>
Configure POM File for Nexus Staging Plugin
<plugin> <groupId>org.sonatype.plugins</groupId> <artifactId>nexus-staging-maven-plugin</artifactId> <version>1.6.7</version> <extensions>true</extensions> <configuration> <serverId>ossrh</serverId> <nexusUrl>https://oss.sonatype.org/</nexusUrl> <autoReleaseAfterClose>true</autoReleaseAfterClose> </configuration> </plugin>
Configure POM File for Sources
<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-source-plugin</artifactId> <version>2.2.1</version> <executions> <execution> <id>attach-sources</id> <goals> <goal>jar-no-fork</goal> </goals> </execution> </executions> </plugin>
Configure POM File for JavaDoc
<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-javadoc-plugin</artifactId> <version>2.9.1</version> <executions> <execution> <id>attach-javadocs</id> <goals> <goal>jar</goal> </goals> </execution> </executions> </plugin>
Configure POM File for Signing JAR Files
<plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> <version>1.5</version> <executions> <execution> <id>sign-artifacts</id> <phase>verify</phase> <goals> <goal>sign</goal> </goals> </execution> </executions> </plugin>
<settings> <localRepository>/maven-repo</localRepository> <servers> <server> <id>ossrh</id> <username>username</username> <password>password</password> </server> </servers> <profiles> <profile> <id>ossrh</id> <activation> <activeByDefault>true</activeByDefault> </activation> <properties> <gpg.executable>gpg2</gpg.executable> <gpg.passphrase>passphrase</gpg.passphrase> </properties> </profile> </profiles> </settings>
Publish JAR File
Once you have completed all of the above steps you are ready to release your JAR file. You do so via this Maven command:
mvn clean deploy
That's it! During the execution of this command you might be asked for the password for your PGP private key. At least, I am asked for that when running this (on Windows). Then I just type in my password and hit enter, and Maven continues the release and publication process.