Introduction to Maven Publishing

PJ Fanning
Nov 25, 2021


I have written a small series of articles about publishing open source artifacts to Maven Central*. This is probably the most common way to publish open source artifacts for Java and other JVM based languages, like Scala and Kotlin.

If you’ve ever wondered how open source dependencies you rely on are pulled in by your build tool, then I hope this article will be of help.

*Maven is not the only solution. Apache Ivy is another commonly used publishing standard.

Quick Introduction to Maven

Apache Maven has 2 main elements:

  • A build tool
  • A distributed hosted service with published artifacts

The Maven build tool is not my favorite. Almost all build tools that support JVM languages support publishing artifacts in Maven format. I tend to use Gradle and SBT as my chosen build tools. Using the Apache Maven build tool to publish is covered in another article.

There is a lot of information coming your way in this article, but don’t worry about understanding it all. A lot of the following is automated, so don’t worry if you’re finding the details of publishing or consuming artifacts hard to understand.

I am a contributor to the Apache POI project and will use one of its artifacts as an example.

Maven artifacts have 3 naming elements:

  • GroupId — org.apache.poi (based on their website)
  • Artifact Name — poi
  • Version — 5.1.0 (latest release)

This dashboard can be used to view this set of artifacts.

poi jar page on mvnrepository.com

The pom is an XML file that describes the artifact and any dependencies it has on other libraries. The description includes the license and contact information, among other things.

Dependency information for poi jar page on mvnrepository.com

The actual artifacts for this 5.1.0 release are at https://repo1.maven.org/maven2/org/apache/poi/poi/5.1.0/.

The URL is made up of:

  • host — https://repo1.maven.org/maven2 (there are other repositories and mirrors too)
  • groupId with dots replaced by slashes — org/apache/poi
  • artifact name — poi
  • version — 5.1.0

Directory listing from repo1.maven.org

The artifacts are:

  • poi.jar — the executable byte code
  • poi-sources.jar — the source code
  • poi-javadoc.jar — the javadoc
  • pom — the descriptor file

Each artifact is signed by my personal GPG key. I did this with the POI 5.1.0 release. The signature is the ‘.asc’ file associated with each artifact. The data in the asc file is just Base64 encoded binary data. You can use GPG commands to verify that the asc file relates to the associated file. The public part of my GPG key appears here.

All the artifacts and asc files have digests. Those are the md5, sha1, sha256, and sha512 files. You can use md5sum or shasum (preferred) commands to verify that the digest files relate to the associated files and that they haven’t been tampered with since the digest was generated.

There are some details and sample commands on the POI download page (see Verify section).
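The URL layout and the digest check described above can be sketched in Python. This is an added example, not code from the article or from the POI project; the function names are hypothetical, the sample bytes are constructed, and the `artifactId-version[-classifier].ext` file naming is the standard Maven repository layout rather than something spelled out in the text.

```python
import hashlib
import hmac

REPO = "https://repo1.maven.org/maven2"  # host from the article; mirrors share the layout

def artifact_url(group_id, artifact_id, version, classifier=None, ext="jar", repo=REPO):
    """Build the repository URL for one file of a Maven artifact."""
    name = f"{artifact_id}-{version}"
    if classifier:  # e.g. "sources" or "javadoc"
        name += f"-{classifier}"
    # groupId dots become path separators: org.apache.poi -> org/apache/poi
    directory = "/".join([repo.rstrip("/"), group_id.replace(".", "/"), artifact_id, version])
    return f"{directory}/{name}.{ext}"

def sidecar_urls(url, algorithms=("md5", "sha1", "sha256", "sha512")):
    """URLs of the signature and digest files published next to an artifact."""
    return {"asc": url + ".asc", **{a: f"{url}.{a}" for a in algorithms}}

def digest_matches(data, sidecar_text, algorithm="sha256"):
    """Compare data against the contents of a .md5/.sha1/.sha256/.sha512 file."""
    fields = sidecar_text.split()
    if not fields or not fields[0].isascii():
        return False  # empty or malformed sidecar is a failed check, never a pass
    # Some tools write "<hex>  <filename>"; the digest is the first field.
    published = fields[0].lower()
    actual = hashlib.new(algorithm, data).hexdigest()
    return hmac.compare_digest(actual, published)

if __name__ == "__main__":
    url = artifact_url("org.apache.poi", "poi", "5.1.0")
    print(url)
    for kind, side in sidecar_urls(url).items():
        print(f"  {kind}: {side}")
    # Constructed sample bytes standing in for a downloaded jar.
    sample = b"constructed sample, not the real poi jar"
    sidecar = hashlib.sha256(sample).hexdigest() + "  poi-5.1.0.jar\n"
    print(digest_matches(sample, sidecar))         # intact copy
    print(digest_matches(sample + b"!", sidecar))  # modified copy
```

A digest downloaded from the same place as the file mainly catches corruption or a mismatched upload; the GPG check of the `.asc` signature is what ties the file to the signer's key.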

Summary

I hope this quick summary has been useful. Follow me on Medium.com if you want to read the follow up articles about how to publish artifacts to Maven Central. I’ve similarly documented using Gradle to publish projects.

Feel free to comment on the article if you think I need to clarify anything.
