Nexus could not find signature of project's pom.xml

Question

I have uploaded a multi-module-project to central as a bundle.jar and this problem appears: So Nexus could not found the pom.asc.

But how can the file be missing if it is available under

Please don't make links on images...better paster messages etc. into the post... — khmarbaise, Oct 05 '16 at 06:18
@khmarbaise I have no idea what to write to make it understandable. It was hard enough to go all the way down to this. I fear if I data-obfuscate the link, someone will throw a "Hey the link does not resolve a certificate". Or its closed by not-reproducable. — Grim, Oct 05 '16 at 06:34
No idea, but I have a working multimodule project that I push to Central here: https://github.com/timmolter/XChart. Maybe comparing what you have could lead to a clue... — herrtim, Oct 05 '16 at 07:41
@A_Di-Matteo I do **not** deploy to central-nexus automatically (like *herrtim* did), I do deploy to the project's homepage via `mvn release:prepare release:perform` having the `` set in the main-pom. After deployment to project's homepage I call `mvn clean repository:bundle-create gpg:sign` to create the `*-0.9.12.pom.asc` and the `*-bundle.jar` and copy the asc-file on the project's homepage to the directory the error message specified (first screenshot) and upload the `*-bundle.jar` to the central-nexus. — Grim, Oct 08 '16 at 02:20

score 1 · Answer 1 · edited Jun 20 '20 at 09:12

According to your comments, you got this Nexus error after executing the following steps:

mvn release:prepare release:perform
mvn clean repository:bundle-create gpg:sign, which creates the *-0.9.12.pom.asc file and the *-bundle.jar

The error is most probably related to the steps above, which might not be the proper sequence to apply in this case, since:

The maven-repository-plugin plugin and its create-bundle goal would create an upload bundle for a Maven project. Note however that the generated *-bundle.jar file would not be attached to the Maven build (according to its sources), but simply generate the file in the project target folder
The maven-gpg-plugin and its sign goal would sign project artifact, the POM, and attached artifacts with GnuPG for deployment
You are invoking the clean phase in the second step of your executions, which basically means removing the content of the target folder after the release:perform operation.

As such:

You should verify the content of the bundle jar (due to the clean invocation)
You are actually not signing jar files (cleaned up by the clean invocation) nor the bundle (as per description above), although the mentioned error concerns the POM file and not the jar files
You are executing the gpg:sign from the command line, although the official examples state that:

Currently this is not easily accomplished. gpg signs the artifacts attached to the build at the point that gpg runs. However, we want to "inject" the gpg into the phases.
What MIGHT work is:
mvn verify gpg:sign install:install deploy:deploy   
However, if there are other plugins configured for phases after the verify phase, they will not be run.

(Note: bold is mine).

Hence, I would review the deployment process and follow standard procedures for signing project artifacts.

You say jar file**s** but its only one jar, what jar-files do you mean? Sure am I clean the target before `bundle-create` because I do not like to have snapshot-builds in the release (as you may notice the version is `0.9.12` and not `0.9.12-SNAPSHOT`). If the jar is not signed, the error-message would be different. The sign-process is not different to the standard-procedures, I only make that as a goal where your *standard-procedure* make it as part of the `pom.xml`. — Grim, Oct 09 '16 at 02:46
I spoke about jars because the release plugin would also create sources and javadoc jars as part of the release process, these jars are by default attached to the build and as such they are installed, deployed but also signed (as explained above). The sign process is different: the recommended approach is to include it into the pom file, during the verify phase, invoked after the package and before the install and deploy phases, from command line is not even assured it will work properly, according to official doc. — A_Di-Matteo, Oct 09 '16 at 07:26
Well, from my POV everything works great except the location of a file that *i already have* but not know where to place. — Grim, Oct 11 '16 at 17:58

Manfred Moser · Answer 2 · 2016-10-25T04:57:07.860

Besides the Activity tab in the repository manager you should also be able to browse to a Content tab. Check that out and see that within the folder of your GAV coordinate you find all the files. It seem that the staging rule did NOT find the file. Its probably not there (on the repository manager.. not your local filesystem!)

Please checkout our docs for further tips on how to set this all up with Maven including demo videos and fully working example projects.

Also if you get stuck please reach out to me directly or file an issue in our OSSRH jira project so I can investigate the specific deployment.

score 1 · Answer 3 · answered Jun 16 '20 at 11:55

For me, missing *.asc files caused signature error. I have installed gpg keys and send it to ssh server.

According to Deploying to OSSRH with Apache Maven - Introduction, we need add plugin nexus-staging-maven-plugin and nexus-staging-maven-plugin. Then, when you run maven clean deploy, it will release the package to repo.maven.apache.org(within half an hour).

here is a pom.xml sample

<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    ...
    <build>
        <plugins>
            ...
            <plugin>
                <groupId>org.sonatype.plugins</groupId>
                <artifactId>nexus-staging-maven-plugin</artifactId>
                <version>1.6.7</version>
                <extensions>true</extensions>
                <configuration>
                    <serverId>ossrh</serverId>
                    <nexusUrl>https://oss.sonatype.org/</nexusUrl>
                    <autoReleaseAfterClose>true</autoReleaseAfterClose>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>1.5</version>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>

    <distributionManagement>
        <snapshotRepository>
            <id>ossrh</id>
            <url>https://oss.sonatype.org/content/repositories/snapshots/</url>
        </snapshotRepository>
        <repository>
            <id>ossrh</id>
            <url>
                https://oss.sonatype.org/service/local/staging/deploy/maven2/
            </url>
        </repository>
    </distributionManagement>
</project>

maven settings.xml

<!--maven connect nexus need user and password-->
<settings>
    <servers>
        <server>
            <id>ossrh</id>
            <username></username>
            <password></password>
        </server>
    </servers>

    <profiles>
        <profile>
            <id>ossrh</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.passphrase>gpg.passphrase
                </gpg.passphrase>
            </properties>
        </profile>
    </profiles>
</settings>

score 0 · Answer 4 · answered Oct 25 '16 at 06:03

0

I think this message is wrong. The .asc is not required, i will post a bug and will see what happens.

answered Oct 25 '16 at 06:03

Grim

1,938
10
56
123

did you post the issue? – Quy Tang Oct 26 '16 at 16:22
@QuyTang Could not be reproduced, I report what has happend. – Grim Apr 21 '17 at 16:06

Nexus could not find signature of project's pom.xml

4 Answers4