
This guide aims to help release managers set up a release-compliant local environment.

The content is partially taken from the Apache PLC4X project: https://plc4x.apache.org/developers/release/release.html


Updating KEYS file


https://infra.apache.org/release-signing


Preparing the system for being able to release

(taken from Apache PLC4X: https://plc4x.apache.org/developers/release/release.html)

As part of the release process, Maven will upload the Maven release artifacts to a so-called staging repository.

This can be thought of as an ad-hoc Maven repository that contains only the artifacts for one release. This helps reviewers to see what’s in the convenience Maven package and to release that to the public repos with one click.

But in order to be allowed to upload artifacts, your account has to be enabled for this and you have to tell Maven about your credentials.

In order to do this, you should provide these credentials via .m2/settings.xml.

So if you don’t already have one, you should create a .m2 directory in your user home and inside that create a settings.xml file with at least this content:

<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <!-- Apache Repo Settings -->
    <server>
        <id>apache.snapshots.https</id>
        <username>{user-id}</username>
        <password>{user-pass}</password>
    </server>
    <server>
        <id>apache.releases.https</id>
        <username>{user-id}</username>
        <password>{user-pass}</password>
    </server>
  </servers>
</settings>

This tells Maven to use the above credentials whenever a repository with the id apache.snapshots.https or apache.releases.https is used. For a release all you need is the releases repo, but it is good to have the other in place as it enables you to also deploy SNAPSHOTs from your system. These repos are defined in the Apache parent POM and are identical for all Apache projects.

Additionally, all artifacts are automatically signed by the release build. In order to be able to do this you need to set up GPG.

The key used to sign the artifacts has to be linked to your Apache e-mail address ({apache-id}@apache.org) and verified by at least one fellow Apache committer (ideally more) who has a trusted key themselves. Usually for this you have to get in touch, in real life, with any Apache committer with a trusted key. Attending an ApacheCon is usually a great way to do this, as usually every ApacheCon has a key signing event in its schedule. They can then sign your key and thereby enable you to sign Apache release artifacts.

There’s a detailed description here.

If you happen to have multiple keys, adding the following profile to your settings.xml should help:

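<!-- Goes inside the <profiles> element of settings.xml -->
<profile>
  <id>apache-release</id>
  <properties>
    <gpg.keyname>5C60D6B9</gpg.keyname><!-- Your GPG Keyname here -->
    <!-- Use an agent: Prevents being asked for the password during the build -->
    <gpg.useagent>true</gpg.useagent>
    <!-- Plain-text passphrase; optional when the agent is used, since the agent supplies it -->
    <gpg.passphrase>topsecret-password</gpg.passphrase>
  </properties>
</profile>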
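A check a release manager can run over their own settings.xml before a release, as an added example that is not part of the original guide or the PLC4X documentation: it flags server passwords that are not in Maven's encrypted {...} form, a gpg.passphrase stored in the file, and file permissions that let other local users read it. The brace pattern is a heuristic and an assumption of this example, and the sample file with all its values is constructed.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Maven stores encrypted values as base64 in braces; anything else in a
# password field is treated as plaintext (heuristic, an assumption here).
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Constructed sample modelled on the snippets above; all values are made up.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0">
  <servers>
    <server><id>apache.releases.https</id><username>jdoe</username><password>hunter2</password></server>
    <server><id>apache.snapshots.https</id><username>jdoe</username><password>{Zm9vYmFyYmF6cXV4}</password></server>
  </servers>
  <profiles><profile><id>apache-release</id><properties>
    <gpg.useagent>true</gpg.useagent><gpg.passphrase>topsecret-password</gpg.passphrase>
  </properties></profile></profiles>
</settings>"""

def local(tag):
    """Drop the XML namespace so any settings schema version is handled."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(path):
    """Return findings (strings) for one Maven settings.xml file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"file mode {mode:o} lets group/others access the file")
    for elem in ET.parse(path).getroot().iter():
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        if local(elem.tag) == "server" and "password" in fields:
            if not ENCRYPTED.match(fields["password"]):
                findings.append(f"server {fields.get('id', '?')}: password is not encrypted")
        elif local(elem.tag) == "gpg.passphrase" and (elem.text or "").strip():
            findings.append("gpg.passphrase is stored in the file")
    return findings

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "settings.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)  # typical default mode, readable by other local users
        return audit_settings(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

To check a real file, call audit_settings() with the path to ~/.m2/settings.xml; the {user-pass} placeholder from the snippet above is reported as not encrypted because it is not base64.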