java – Maven’deploy’导致签名操作后的代码重新打包(BAD签名)

发布时间：2020-12-15 02:10:44 所属栏目：Java 来源：网络整理

导读：我想将一个工件部署到Sonatype OSS存储库. 使用以下命令部署时,签名无效. mvn clean source：jar javadoc：jar install gpg：sign deploy gpg --verify target/security-versions-1.0.1.jar.ascgpg: assuming signed data in 'target/security-versions-1.0.

我想将一个工件部署到Sonatype OSS存储库.

使用以下命令部署时,签名无效.

mvn clean source：jar javadoc：jar install gpg：sign deploy

> gpg --verify  target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:45:50 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: BAD signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]

如果我删除部署目标,则签名是好的.

mvn clean source：jar javadoc：jar install gpg：sign

> gpg --verify  target/security-versions-1.0.1.jar.asc
gpg: assuming signed data in 'target/security-versions-1.0.1.jar'
gpg: Signature made 10/20/15 11:54:34 Eastern Daylight Time using RSA key ID 63E38ACF
gpg: Good signature from "Philippe Arteau <philippe.arteau@gmail.com>" [ultimate]

我意识到,在标志操作之后,罐子被第二次打包.
如何在不破坏签名的情况下进行部署？

有问题的操作：

[INFO] --- maven-gpg-plugin:1.5:sign (default-cli) @ security-versions ---

You need a passphrase to unlock the secret key for
user: "Philippe Arteau <philippe.arteau@gmail.com>"
4096-bit RSA key,ID 63E38ACF,created 2013-05-12

[...]

[INFO] --- maven-jar-plugin:2.4:jar (default-jar) @ security-versions ---
[INFO] Building jar: C:Codeworkspace-javamaven-security-versionstargetsecurity-versions-1.0.1.jar
[INFO]
[INFO] --- maven-plugin-plugin:3.2:addPluginArtifactMetadata (default-addPluginArtifactMetadata) @ security-versions ---
[INFO]
[INFO] --- maven-source-plugin:2.2.1:jar-no-fork (default) @ security-versions ---
[INFO] Building jar: C:Codeworkspace-javamaven-security-versionstargetsecurity-versions-1.0.1-sources.jar

由于编译和包装已经发生,因此不应该完成第二部分.

解决方法

您不应该同时运行安装和部署.否则,您将运行两次包装步骤.

我建议仅使用部署.看看这个post.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!