The easy way to maven central
or bintray maven central sync
Edit: Post was renamed from “The hard way to maven central”, because actually it’s a very easy process. The original name came after a night of doing all these steps (I was new to bintray and had never published to maven central before), so I had to search a lot for answers (that’s why there are so many links in the post).
Here is a brief reference of what should be done to get into maven central through Bintray.
In fact, if I understand correctly, the bintray team’s philosophy is:
You don’t need maven central, jcenter is the new shiny repo for everyone.
Anyway, they provide pretty simple integration with maven central and, to be honest, getting into jcenter is very easy, so it’s definitely a good direction.
Create new maven repository. Now you already have your own maven repository for free. Nice? I think so (have you ever tried to build one using github or google code?).
You need to create a new package to host your project binaries. To be honest, it’s not quite mandatory, because the maven or gradle plugins can create the package for you on first deploy (of course, if you don’t choose to upload files manually).
Alternatively, you can simply import your projects from github and bintray will create packages for them automatically.
Assume that the package was successfully created and the first version was uploaded and published. Now the package needs to be added to the jcenter group (it takes just two button clicks and a few hours for your package to be accepted). After successful addition you’ll see the jcenter group in package groups.
Now think twice. Maybe it’s enough for you? Gradle natively supports the jcenter repository (jcenter()) and it’s not a big problem to add it to a maven pom. I’m sure soon this repo will be used more and more and probably become standard.
Edit: After some time, I think publishing to maven central is really not required for most cases (I did it just because I was always curious to do it). Jcenter is a very good and easy alternative.
But what I like about maven central publishing is the requirements: gpg signing, required artifacts and pom structure. They have very good reasons to ask for this. I think it would be good if bintray warned you (not deny, just warn) when your package doesn’t have sources or javadocs or doesn’t have enough info in the pom. Everyone would benefit from it.
(or what bintray can’t do for you)
What needs to be done:
- Check that your pom complies with maven central requirements.
- Generate GPG keys to sign your files.
- Sign files.
- Create sonatype jira user.
- Most likely, create issue in sonatype jira to grant you permission for your artifact group.
- Press sync button on your package version page.
Maven central requirements
The simplest step: just read requirements and update pom accordingly.
In short, pom must contain all basic info (project name, description, license, developer info, scm info, project website) and sources and javadocs must be published too (and, of course, everything should be signed).
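A pre-sync check for the requirements summarised above, as an added example (not from the original post or from bintray). The element paths chosen for each item, the jar packaging, the `.asc` signature naming and the `demo-lib` sample data are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Items from the summary above mapped to POM element paths (the mapping and
# the jar packaging assumed below are this example's assumptions).
REQUIRED_POM = {
    "project name": "name",
    "description": "description",
    "project website": "url",
    "license": "licenses/license",
    "developer info": "developers/developer",
    "scm info": "scm",
}

def missing_pom_info(pom_xml):
    """Return labels of required items that are absent or empty in the POM."""
    root = ET.fromstring(pom_xml)
    # POMs usually declare the Maven namespace; reuse whatever the root has.
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    missing = []
    for label, path in REQUIRED_POM.items():
        node = root.find("/".join(ns + part for part in path.split("/")))
        filled = node is not None and (len(node) > 0 or (node.text or "").strip())
        if not filled:
            missing.append(label)
    return missing

def missing_artifacts(artifact_id, version, files):
    """Return expected files, and their .asc signatures, that are not uploaded."""
    base = f"{artifact_id}-{version}"
    expected = [f"{base}.jar", f"{base}-sources.jar", f"{base}-javadoc.jar", f"{base}.pom"]
    expected += [name + ".asc" for name in expected]
    return [name for name in expected if name not in set(files)]

# Constructed sample: no <scm>, empty <description>.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <name>demo-lib</name>
  <description> </description>
  <url>https://example.com/demo-lib</url>
  <licenses><license><name>MIT</name></license></licenses>
  <developers><developer><name>Jane Doe</name></developer></developers>
</project>"""

# Constructed upload listing: javadoc jar and sources signature are absent.
SAMPLE_FILES = ["demo-lib-1.0.0.jar", "demo-lib-1.0.0.jar.asc",
                "demo-lib-1.0.0-sources.jar", "demo-lib-1.0.0.pom",
                "demo-lib-1.0.0.pom.asc"]

if __name__ == "__main__":
    print("POM is missing:", missing_pom_info(SAMPLE_POM))
    print("Upload is missing:", missing_artifacts("demo-lib", "1.0.0", SAMPLE_FILES))
```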
Generate GPG keys
First of all, you will have two options:
- Manually sign jars with generated gpg keys as part of build process (in this case I assume you know how to do all these steps).
- Install generated keys to bintray and let it automatically sign uploaded jars.
I will describe the second option (but generally speaking, the steps are pretty much the same).
Install GnuPG (available for all platforms). I used the 2nd version.
There is a nasty bug: gpg uses regional settings. So if you are not able to read what it says, just change the regional settings for a few minutes.
Answer three simple questions: full name, email and nickname(?).
The last question will be the passphrase. It’s up to you to leave it blank or set a real phrase. From a security point of view it’s better to set it, but if you register keys with a passphrase, bintray will warn you that it will have to ask you for the phrase all the time (not a big deal, but it’s your decision). As for me, I omit the phrase.
To make sure it was generated:
Install public key to keyserver:
gpg2 --send-keys --keyserver keyserver.ubuntu.com $KEY_ID
Where $KEY_ID is your key identity (see it in --list-keys output)
Export public and private keys to files (if you have more than one key, you will need to put some identity at the end of both lines: email, name or key id):
gpg2 --output myPublicKey.gpg --armor --export
gpg2 --output myPrivateKey.gpg --armor --export-secret-key
Note: the --armor option generates an ASCII safe version for posting to bintray site (without it bintray will not accept keys).
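A check to run on the two export files before pasting them into bintray, as an added example (not from the original post): it confirms each file is ASCII-armored, that the public file holds no private key block, and that the private export is not accessible to other local users. The function names are hypothetical and the permission check assumes a POSIX system.

```python
import os
import stat

# ASCII-armor block headers written by `gpg2 --armor --export[-secret-key]`.
BLOCK_KINDS = {
    b"-----BEGIN PGP PUBLIC KEY BLOCK-----": "public",
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----": "private",
}

def armored_blocks(path):
    """Return the set of armored key block kinds found in an export file."""
    kinds = set()
    with open(path, "rb") as fh:
        for line in fh:
            kind = BLOCK_KINDS.get(line.strip())
            if kind:
                kinds.add(kind)
    return kinds

def check_exports(public_path, private_path):
    """Return a list of problems with the two export files (empty if none)."""
    problems = []
    pub, priv = armored_blocks(public_path), armored_blocks(private_path)
    if not pub:
        problems.append(f"{public_path}: not ASCII-armored (was --armor used?)")
    if "private" in pub:
        problems.append(f"{public_path}: contains a PRIVATE key block")
    if "private" not in priv:
        problems.append(f"{private_path}: no armored private key block")
    # POSIX only: the private export should be accessible to its owner alone.
    mode = stat.S_IMODE(os.stat(private_path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append(f"{private_path}: mode {mode:o} is accessible to other users")
    return problems

if __name__ == "__main__":
    # File names are the ones used in the export commands above.
    for problem in check_exports("myPublicKey.gpg", "myPrivateKey.gpg"):
        print("WARNING:", problem)
```

Once the keys are installed in bintray, the private export no longer needs to sit in the working directory.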
Follow guide to install keys and attach key to repository (to let bintray sign with it all packages in repository).
Bintray will automatically sign packages if you do manual upload. Gradle (bintray) plugin can be configured to automatically sign files too.
You need to create a sonatype jira account. After that go to the package version page, maven central tab.
Try to sync the package version. After some time you will see errors on the right. There may be some validation complaints, or complaints about unsigned jars or about the public key not being found on the keyserver, but you shouldn’t see them if you follow the instructions.
But if you see an error like this:
Last Sync Errors: Failed to promote repository: central_bundles-2324. Server response: *User ‘user’ missing ‘promote’ permission for staging profile: 7edbe315063867
Then you’ll need to request permission from sonatype. All you have to do is to register your project with a jira issue.
Hint: gradle plugin can trigger maven synchronization automatically.
That’s all. Not so hard in fact when you know what to do.
I hope it was helpful (at least I wish I’d had something like this ☺).
And thanks to Bintray for making things a bit simpler.
P.S. Maybe my toy project will help as an example.