Manually Deploying to OSSRH - Introduction

In some cases, you have components created by tools not under your control, or you want to upload pre-existing components. You can deploy them directly to OSSRH in two ways:

  • You can either sign and upload them with the Maven GPG plugin.
  • You can sign them manually and create a bundle to upload.

This manual deployment process can also be used if you don't want to set up any of the build tools mentioned in the Deployment section of our step-by-step guide.

Note: As of February 2021, all new projects began being provisioned on https://s01.oss.sonatype.org/. If your project is not provisioned on https://s01.oss.sonatype.org/, you will want to log in to the legacy host https://oss.sonatype.org/.

Signing Components

Let's say you want to sign and deploy these artifacts:

ossrh-test-1.2.pom
ossrh-test-1.2.jar
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-sources.jar

You can sign and upload them with the maven-gpg-plugin by running commands like this:

mvn gpg:sign-and-deploy-file -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2.jar

The command above signs and deploys the jar itself. When you sign and deploy classifiers like sources and javadoc, you need to specify the -Dclassifier parameter.

mvn gpg:sign-and-deploy-file -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2-sources.jar -Dclassifier=sources
mvn gpg:sign-and-deploy-file -Durl=https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ -DrepositoryId=ossrh -DpomFile=ossrh-test-1.2.pom -Dfile=ossrh-test-1.2-javadoc.jar -Dclassifier=javadoc

The gpg plugin will use the packaging specified in your POM as the file extension. Alternatively, you can specify -Dpackaging=jar and use the same syntax for other packaging values like war. Note that the value specified in -DrepositoryId must match a server element in settings.xml, usually placed in ~/.m2, configured like this:

<settings>
  ...
  <servers>
    ...
    <server>
      <id>ossrh</id>
      <username>token-username</username>
      <password>token-password</password>
    </server>
  </servers>
  ...
</settings>

Do not use your login username and password in settings.xml

Please do not use your UI login username and password in settings.xml. Use the token that was previously generated.

Bundle Creation

Alternatively you can manually sign your artifacts, create a bundle, and upload it. Again, let's say you have the following artifacts:

ossrh-test-1.2.pom
ossrh-test-1.2.jar
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-sources.jar

You first need to sign each file. You can use GnuPG, a freely available implementation of the OpenPGP standard, to sign the files in your working directory by running commands like this:

gpg -ab ossrh-test-1.2.pom
gpg -ab ossrh-test-1.2.jar
gpg -ab ossrh-test-1.2-javadoc.jar
gpg -ab ossrh-test-1.2-sources.jar

More details about using GnuPG to generate signatures, manage keys, and verify signatures are available here.

You should then have:

ossrh-test-1.2.pom
ossrh-test-1.2.pom.asc
ossrh-test-1.2.jar
ossrh-test-1.2.jar.asc
ossrh-test-1.2-javadoc.jar
ossrh-test-1.2-javadoc.jar.asc
ossrh-test-1.2-sources.jar
ossrh-test-1.2-sources.jar.asc

You can then create a bundle named bundle.jar with a command like this:

jar -cvf bundle.jar ossrh-test-1.2.pom ossrh-test-1.2.pom.asc ossrh-test-1.2.jar ossrh-test-1.2.jar.asc ossrh-test-1.2-javadoc.jar ossrh-test-1.2-javadoc.jar.asc ossrh-test-1.2-sources.jar ossrh-test-1.2-sources.jar.asc
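The signing and bundling steps above can be checked before upload. The script below is an added example, not part of the original documentation: it confirms that every artifact has an ASCII-armored detached signature beside it, verifies each signature with gpg --verify, and only then builds bundle.jar. The function names and the script name are hypothetical; it assumes gpg and jar are on the PATH and that the signer's public key is in the local keyring.

```shell
# Added example: pre-upload checks for a manually signed OSSRH bundle.
# Function names are hypothetical, not part of any Sonatype tooling.

# List each file in directory $1 that has no ASCII-armored detached
# signature (<file>.asc) beside it. Returns 1 if anything is listed.
unsigned_artifacts() {
  local dir="$1" f status=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.asc|*/bundle.jar) continue ;; esac
    if ! head -n 1 "$f.asc" 2>/dev/null |
         grep -q '^-----BEGIN PGP SIGNATURE-----'; then
      printf '%s\n' "${f##*/}"
      status=1
    fi
  done
  return "$status"
}

# Check each detached signature against its file with gpg. Assumes the
# signer's public key is already in the local keyring.
verify_signatures() {
  local dir="$1" sig
  for sig in "$dir"/*.asc; do
    gpg --verify "$sig" "${sig%.asc}" || return 1
  done
}

# Create bundle.jar in $1, but only after both checks pass.
make_bundle() {
  local dir="$1"
  if ! unsigned_artifacts "$dir" >&2; then
    echo "error: the files listed above have no .asc signature" >&2
    return 1
  fi
  verify_signatures "$dir" || { echo "error: gpg --verify failed" >&2; return 1; }
  ( cd "$dir" && rm -f bundle.jar && jar -cvf bundle.jar *.pom *.jar *.asc )
}

# Usage (hypothetical script name): sh check-bundle.sh <artifact directory>
if [ "$#" -eq 1 ]; then
  make_bundle "$1"
fi
```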

Once bundle.jar has been produced, log into OSSRH, and select Staging Upload in the Build Promotion menu on the left:

[Image: OSSRH with Staging Upload Link]

From the Staging Upload tab, select Artifact Bundle from the Upload Mode dropdown:

[Image: OSSRH with Artifact Bundle Chosen]

Then click the Select Bundle to Upload button, and select the bundle you just created:

[Image: OSSRH with Upload Bundle Ready]

Click the Upload Bundle button. If the upload is successful, a staging repository will be created, and you can proceed with releasing.