# chucker
g
We should probably discuss this: https://github.com/ChuckerTeam/chucker/issues/56
Historically Chucker was distributed via JCenter. We moved to JitPack as it was easier to do a release and there is no need to handle a GPG key. It seems like a lot of users are asking to have distribution via Maven Central. Thoughts?
k
GPG key setup (and other configuration) can be done only once. I’m using shipkit in my recent projects: https://github.com/mockito/shipkit
v
Yes, it is time to seriously consider distribution via Maven Central. Nice toolkit. Thanks for sharing, Karol.
g
> GPG key setup (and other configuration) can be done only once
My point was more that there is a private key to share between developers and so on. I know that Maven Central is not really strict on GPG signing, so that shouldn’t be a major deal. On the other hand, Gradle introduced signature validation in 6.2, so we should probably be sure we know where the key/passphrase is and who can access it.
As for the tool you suggested @koral, that looks really interesting 🧐 This could potentially replace JitPack (other than the branch publishing, I think?)
k
In the case of shipkit (or perhaps any other solution based on synchronization from JCenter to Maven Central), a GPG key may exist on Bintray, e.g. uploaded once by the admin/owner, with no need to share it.
s
Hi! I'm Rafa Sloy, the one who recently commented on this issue. Let me know if there's anything I can help with 🙂
g
> Eg. uploaded once by admin/owner, no need to share it.
That’s actually the point that raises more concern for me. Say I create a key and upload it to Bintray. What happens if, in the near future, we want to publish directly to Sonatype and we need to sign the artifacts locally?
k
AFAIK Maven Central only validates whether the GPG public key is uploaded to a key server.
g
My point is about having to manually sign an artifact. Maven Central requires that uploaded artifacts are signed. If you don’t have access to the GPG key you can’t sign them.
k
Correct, but you can generate a new key if you lose the previous one.
g
Exactly. That would break GPG key validation on the Gradle side (that is basically the whole point of GPG).
k
AFAIK if the key is uploaded to a key server before publishing to Maven Central, it should pass validation.
g
I’m talking about validation on Gradle side: https://docs.gradle.org/current/userguide/dependency_verification.html
k
Ah ok, now it’s clear.
s
Woah! That's great news! 😄 🙌