Manual Staging Bundle Creation and Deployment

Introduction

In some cases, you have components created by tools not under your control, or you want to upload pre-existing components. You can deploy them directly to OSSRH in two ways:

  • You can either sign and upload them with the Maven GPG plugin.
  • You can sign them manually and create a bundle to upload.

This manual deployment process can also be used if you don't want to set up any of the build tools mentioned in the Deployment section of our step-by-step guide.

Signing Components

Let's say you want to sign and deploy these artifacts:

ossrh-test-1.2.pom
ossrh-test-1.2.jar
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-sources.jar

You can sign and upload them with the maven-gpg-plugin by running commands like this:

$ mvn gpg:sign-and-deploy-file -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2.jar

for the jar itself. When you sign and deploy classifiers like sources and javadoc, you need to specify the -Dclassifier parameter.

$ mvn gpg:sign-and-deploy-file -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2-sources.jar -Dclassifier=sources
$ mvn gpg:sign-and-deploy-file -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2-javadoc.jar -Dclassifier=javadoc

The gpg plugin will use the packaging specified in your POM as the file extension. Alternatively you can specify -Dpackaging=jar and use the same syntax for other packaging values like war . Note that the value specified in -DrepositoryId , must match a server element in settings.xml configured like this:

<settings>
  ...
  <servers>
    ...
    <server>
      <id>ossrh</id>
      <username>your-jira-id</username>
      <password>your-jira-pwd</password>
    </server>
  </servers>
  ...
</settings>

Bundle Creation

Alternatively you can manually sign your artifacts, create a bundle, and upload it. Again, let's say you have the following artifacts:

ossrh-test-1.2.pom
ossrh-test-1.2.jar
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-sources.jar

You first need to sign each file. You can use GnuPG, a freely available implementation of the OpenPGP standard, to sign the files in your working directory by running commands like this:

$ gpg -ab ossrh-test-1.2.pom
$ gpg -ab ossrh-test-1.2.jar
$ gpg -ab ossrh-test-1.2-javadoc.jar
$ gpg -ab ossrh-test-1.2-sources.jar

More details about using GnuPG to generate signatures, manage keys, and verify signatures are available here.

You should then have:

ossrh-test-1.2.pom
ossrh-test-1.2.pom.asc
ossrh-test-1.2.jar
ossrh-test-1.2.jar.asc
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-javadoc.jar.asc
ossrh-test-1.2-sources.jar
ossrh-test-1.2-sources.jar.asc

You can then create a bundle named bundle.jar with a command like this:

$ jar -cvf bundle.jar ossrh-test-1.2.pom ossrh-test-1.2.pom.asc ossrh-test-1.2.jar ossrh-test-1.2.jar.asc ossrh-test-1.2-javadoc.jar ossrh-test-1.2-javadoc.jar.asc ossrh-test-1.2-sources.jar ossrh-test-1.2-sources.jar.asc

Once bundle.jar has been produced, log into OSSRH, and select Staging Upload in the Build Promotion menu on the left:

OSSRH with Staging Upload Link

From the Staging Upload tab, select Artifact Bundle from the Upload Mode dropdown:

OSSRH with Artifact Bundle Chosen

Then click the Select Bundle to Upload button, and select the bundle you just created:

OSSRH with Upload Bundle Ready

Click the Upload Bundle button. If the upload is successful, a staging repository will be created, and you can proceed with releasing.