Publishing Library in Maven Central [Part 2]

A step-by-step approach to streamline your deployments

Aparnatati
Simform Engineering
8 min read · Apr 8, 2024


In our previous blog post, we discussed where to publish the library, set up a Maven Central account, and walked you through adding and verifying the namespace and configuring the Gradle files using the Maven Publish plugin.

In this continuation, we cover the remaining steps for publishing the library on Maven Central:

Table of Contents

6. Install and configure GPG

7. Sign the artifacts

8. Generate MD5 and SHA1 checksums

9. Upload a bundle

Maven Central requires every artifact to be signed with a PGP key, which we will create and use with GPG; the signature is what lets consumers check that the files came from the holder of your key and were not altered on the way.

Step 6: Install and configure GPG

GPG provides the capability to generate a signature, manage keys, and verify signatures.

To install GPG, follow these steps:

1. Install GPG on your computer. On macOS, use Homebrew (Linux distributions ship it as the gnupg package):

brew install gnupg

2. Verify the installed version of GPG:

gpg --version

3. Generate a key pair for signing artifacts:

A key pair lets you sign artifacts with GPG, and consumers can later verify that a signature was made by your key. The command prompts for a name, an email address and a passphrase; choose a strong passphrase, because the private-key file exported in step 5 is protected by nothing else. Generate the key pair with:

gpg --gen-key

4. List the generated keys:

Once the key pair is generated, list it together with any other keys in your keyring. The 40-character hex fingerprint printed under pub identifies your key; its last 16 characters are the long key ID used as KeyId in the commands below.

gpg --list-keys

5. Generate a secring.gpg file:

GnuPG 2.1 and later no longer keep secret keys in a secring.gpg file; they live under ~/.gnupg/private-keys-v1.d instead. The Gradle signing plugin's keyring-file configuration (signing.secretKeyRingFile) still reads the old format, so export your signing key into one:

gpg --export-secret-keys KeyId > ~/.gnupg/secring.gpg

This file contains your private key, protected only by its passphrase. Keep it outside the library's source tree, never commit it, and restrict its permissions to your own user.

6. Distribute your public key:

Other people need your public key to verify your signatures, and Central itself looks the key up during validation, so you have to publish the public key to a key server.

Important: The SKS key server network is deprecated, so Central's documentation names the specific key servers it checks. The key servers currently supported by Central are:

  • keyserver.ubuntu.com
  • keys.openpgp.org
  • pgp.mit.edu

gpg --keyserver keyserver.ubuntu.com --send-keys KeyId

  • --keyserver: Identifies the target key server address.
  • --send-keys: Sends your public key to the specified server.
  • KeyId: The identifier of the GPG key you want to send. Use the long (16 hex digit) key ID or the full fingerprint; the short 8-digit form is cheap to collide and should not be relied on to name a key.

To confirm the key has actually been published (propagation can take a few minutes), fetch it back from the key server to your local machine:

gpg --keyserver keyserver.ubuntu.com --recv-keys KeyId

Step 7: Sign the artifacts

Maven Central has the following requirements for the artifacts:

  1. ASCII-armored signature files (.asc) for every uploaded file
  2. MD5 checksum files (.md5)
  3. SHA1 checksum files (.sha1)

After installing and configuring GPG successfully, you need to sign the artifacts using GPG.

Running the publishToMavenLocal task (listed under Publishing in the Gradle tool window) produces four files for the library:

example-application-1.4.7.pom

example-application-1.4.7.jar

example-application-1.4.7-sources.jar

example-application-1.4.7-javadoc.jar

  1. Create an ASCII-armored, detached signature for each file by running the following gpg command:

gpg -ab example-application-1.4.7.pom

The -a option tells gpg to produce ASCII-armored output, and the -b option makes a detached signature, so the signature lands in a separate file instead of wrapping the artifact.

GPG will create a signature file example-application-1.4.7.pom.asc for example-application-1.4.7.pom.

2. Repeat the command for each artifact file. The directory then contains:

  • example-application-1.4.7.pom
  • example-application-1.4.7.pom.asc
  • example-application-1.4.7.jar
  • example-application-1.4.7.jar.asc
  • example-application-1.4.7-sources.jar
  • example-application-1.4.7-sources.jar.asc
  • example-application-1.4.7-javadoc.jar
  • example-application-1.4.7-javadoc.jar.asc

With that done, every artifact of mylibrary has its signature file next to it in the local Maven repository, which lives under the current user's home directory at ~/.m2/repository/io/github/aparnatati471/mylibrary/1.0.0.

Note: .m2 is a hidden folder. In Finder, press Command + Shift + . (dot) to show hidden files and open it.

Step 8: Generate MD5 and SHA1 checksums

Maven Central also requires valid checksum files for each artifact. A valid checksum file contains the hex-encoded digest; the commands below strip the file name that md5sum and sha1sum print after it.

  • .md5 and .sha1 are required,
  • .sha256 and .sha512 are supported but not mandatory.

For example, if you deploy the files:

  • example-application-1.4.7.pom
  • example-application-1.4.7.jar
  • example-application-1.4.7-sources.jar
  • example-application-1.4.7-javadoc.jar

you need to include the md5 and sha1 files, such as:

  • example-application-1.4.7.pom
  • example-application-1.4.7.pom.md5
  • example-application-1.4.7.pom.sha1
  • example-application-1.4.7.jar
  • example-application-1.4.7.jar.md5
  • example-application-1.4.7.jar.sha1
  • example-application-1.4.7-sources.jar
  • example-application-1.4.7-sources.jar.md5
  • example-application-1.4.7-sources.jar.sha1
  • example-application-1.4.7-javadoc.jar
  • example-application-1.4.7-javadoc.jar.md5
  • example-application-1.4.7-javadoc.jar.sha1

Here’s how to generate MD5 and SHA1:

1. Generate an MD5 file:

The MD5 file contains a 128-bit digest (32 hex characters). To generate one, run the following command in the terminal.

Steps:

  1. Open a command terminal
  2. Navigate to the directory containing the files you want to create MD5 files for.
  3. Use the following command to generate an MD5 file for a specific file.

md5sum filename | cut -d ' ' -f 1 > filename.md5

  • Replace filename with the actual name of the file.

Explanation of the command:

  • md5sum filename: Calculates the MD5 hash of the specified file.
  • |: Pipes the output of the md5sum command to the cut command.
  • cut -d ' ' -f 1: Extracts only the first field (the MD5 hash value) from the output.
  • > filename.md5: Redirects the extracted hash value to a new file named filename.md5.

4. Repeat this command for each file you want to create an MD5 file for.

Here, we generated MD5 files for all the artifacts.

2. Generate SHA1 file

The SHA1 file contains a 160-bit digest (40 hex characters). To generate one, run the following command in the terminal.

Steps:

  1. Open a command terminal
  2. Navigate to the directory containing the files you want to create SHA1 files for.
  3. Use the following command to generate an SHA1 file for a specific file.

sha1sum filename | cut -d ' ' -f 1 > filename.sha1

Explanation of the command:

  • sha1sum filename: Calculates the SHA1 hash of the specified file.
  • |: Pipes the output to the cut command.
  • cut -d ' ' -f 1: Extracts the SHA1 hash value.
  • > filename.sha1: Redirects the hash value to a file named filename.sha1.

4. Repeat this command for each file you want to create an SHA1 file for.

Here, we generated SHA1 files for all the artifacts.

With the signature, MD5 and SHA1 files generated, the version directory of your library now holds twelve files: each of the four artifacts together with its .asc, .md5 and .sha1 siblings.

Once you’ve fulfilled all the requirements for publishing artifacts on Maven Central, you can upload your components to the Maven Central Portal.

Step 9: Upload a bundle

The Maven Central Portal accepts a zip file containing your components and the required companion files (metadata, checksums, signatures). Create the bundle from the root of the local repository so that the paths inside the archive match your Maven coordinates: open a terminal in ~/.m2/repository and run the following command.

zip release.zip io/github/aparnatati471/mylibrary/1.0.0/*

Explanation:

  • zip release.zip: This is the main command used to create a ZIP archive named release.zip.
  • io/github/aparnatati471/mylibrary/1.0.0: This is the path to a directory containing the files you want to archive.
  • *: A shell wildcard that expands to every file in that directory. Because the paths are given relative to ~/.m2/repository, the archive keeps the io/github/aparnatati471/mylibrary/1.0.0/ layout, which is how the portal derives the groupId, artifactId and version of the upload.
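Steps 7, 8 and 9 each amount to "repeat this command for every file", and a mistake in any of them only surfaces after the upload has been validated. The script below is an added example written for this post, not code from the original article, from Gradle or from Sonatype: it signs, checksums, self-checks and bundles one release directory in a single pass. The script name release.sh, the helper names, the constructed sample file used in testing and the choice of gpg flags (the long forms of -a and -b, plus --local-user to pin the signing key) are my assumptions. It expects gpg and zip to be installed and works with either the coreutils md5sum/sha1sum or the macOS md5/shasum tools.

```shell
#!/bin/sh
# Added example (not from the original post): sign, checksum, verify and bundle
# a Maven Central release directory in one pass. Assumes gpg and zip are
# installed, plus either coreutils (md5sum/sha1sum) or macOS (md5/shasum).
set -eu

# Bare hex digest of a file, portable across Linux coreutils and macOS.
md5_hex() {
  if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d ' ' -f 1
  else md5 -q "$1"; fi
}
sha1_hex() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | cut -d ' ' -f 1
  else shasum -a 1 "$1" | cut -d ' ' -f 1; fi
}

# Write <file>.md5 and <file>.sha1 holding only the digest, as Central expects.
write_checksums() {
  md5_hex "$1"  > "$1.md5"
  sha1_hex "$1" > "$1.sha1"
}

# Detached, ASCII-armored signature (the long form of "gpg -ab") made with an
# explicit key, then verified at once so a wrong or expired key fails here
# rather than during portal validation.
sign_and_verify() {
  gpg --batch --yes --local-user "$2" --armor --detach-sign "$1"
  gpg --verify "$1.asc" "$1"
}

# A local version of the portal's checks: every pom and jar must have .asc,
# .md5 and .sha1 siblings, and each checksum file must be a bare lowercase hex
# digest that matches the file. Returns non-zero on the first problem found.
check_release_dir() {
  dir="$1"
  for f in "$dir"/*.pom "$dir"/*.jar; do
    [ -e "$f" ] || continue
    for ext in asc md5 sha1; do
      [ -s "$f.$ext" ] || { echo "missing $f.$ext" >&2; return 1; }
    done
    grep -Eq '^[0-9a-f]{32}$' "$f.md5"  || { echo "malformed $f.md5" >&2; return 1; }
    grep -Eq '^[0-9a-f]{40}$' "$f.sha1" || { echo "malformed $f.sha1" >&2; return 1; }
    [ "$(cat "$f.md5")"  = "$(md5_hex "$f")" ]  || { echo "md5 mismatch: $f" >&2; return 1; }
    [ "$(cat "$f.sha1")" = "$(sha1_hex "$f")" ] || { echo "sha1 mismatch: $f" >&2; return 1; }
  done
}

# Usage (from ~/.m2/repository):
#   sh release.sh io/github/aparnatati471/mylibrary/1.0.0 KeyId
main() {
  rel="$1"; key="$2"
  for f in "$rel"/*.pom "$rel"/*.jar; do
    [ -e "$f" ] || continue
    sign_and_verify "$f" "$key"
    write_checksums "$f"
  done
  check_release_dir "$rel"
  rm -f release.zip
  zip release.zip "$rel"/*   # relative paths, so the zip keeps the coordinate layout
  unzip -l release.zip       # review the contents before uploading
}

if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

Run it from ~/.m2/repository with the version directory and your long key ID. The verify call right after signing catches the most common local mistakes (signing with the wrong key, or a key whose validity has lapsed) before an upload is spent on them, and the final listing is there so you can confirm the archive contains only the version directory and not, for example, a stray secring.gpg.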

Here are the instructions for publishing the component:

  • Go to Maven Central Portal → open the namespace tab → click the Publish Component button.
  • Fill in all the deployment details, like the name and the description, and upload the zip file → click the Publish Component button.
  • Enter a “Deployment Name.” This will help you identify what you’re attempting to publish (e.g., given that you’re publishing to Maven Central, you could add your coordinates, i.e., “your.groupId:your.artifactId:0.0.your-version”). You can also provide a longer, optional “Description”. Scroll to the bottom of the popup to find the Choose File button.
  • Click the Choose File button → choose a file from your computer → click the Publish Component button to begin the upload.
  • When you publish the components, Maven Central will validate the component, and the portal will show the status Validating.
  • Validation fails if the components do not meet any of the requirements (a missing or unparseable signature, missing checksum files, or a signing key the portal cannot find on a supported key server). If this happens, drop the deployment, fix the problem and upload a new bundle.
  • Once Maven Central validates the components and the state changes from Validating to Validated, click the Publish button to publish them.
  • When the publishing process completes, the state of your components changes from Publishing to Published.
  • Once the library is published, you can search for your component on the Maven Central Portal.

Conclusion

Maven Central is a great way to contribute your open-source artifacts, which developers can easily consume in their projects. By adhering to the outlined steps and best practices, you can successfully share your Android libraries on Maven Central, making them readily available for others to incorporate into their projects.

For more updates on the latest tools and technologies, follow the Simform Engineering blog.


