# chucker

gammax

03/21/2020, 6:27 PM
We should probably discuss this: https://github.com/ChuckerTeam/chucker/issues/56
Historically Chucker was distributed via JCenter. We moved to JitPack as it was easier to do a release and there is no need to handle a GPG Key. Seems like a lot of users are asking to have distribution via MavenCentral. Thoughts?

koral

03/21/2020, 10:14 PM
GPG key setup (and other configuration) can be done only once. I’m using shipkit in my recent projects: https://github.com/mockito/shipkit

Vova Buberenko

03/22/2020, 11:06 PM
Yes, it is time to seriously consider distribution via Maven Central. Nice toolkit. Thanks for sharing, Karol.

gammax

03/22/2020, 11:19 PM
> GPG key setup (and other configuration) can be done only once
My point was more that there is a private key to share between developers and so on. I know that MavenCentral is not really strict on GPG signing, so that shouldn’t be a major deal. On the other hand, Gradle introduced signature validation in 6.2, so we should probably be sure we know where the key/passphrase is and who can access it.
As for the tool you suggested @koral that looks really interesting 🧐 This could potentially replace JitPack (other than the branch publishing I think?)

koral

03/23/2020, 1:00 AM
In the case of shipkit (or perhaps any other solution based on synchronization from JCenter to Maven Central), a GPG key may exist on Bintray. E.g. uploaded once by admin/owner, no need to share it.

sloydev

03/23/2020, 7:28 AM
Hi! I'm Rafa Sloy, the one who recently commented on this issue. Let me know if there's anything I can help with 🙂

gammax

03/24/2020, 12:27 AM
> E.g. uploaded once by admin/owner, no need to share it.
That’s actually the point that raises more concern for me. Like I create a key and I upload it to Bintray. What happens if, in the near future, we want to publish directly to Sonatype and we need to sign the artifacts locally?

koral

03/25/2020, 1:38 PM
AFAIK Maven Central only validates if the GPG public key is uploaded to a key server

gammax

03/25/2020, 3:21 PM
My point is about having to manually sign an artifact. Maven Central requires that uploaded artifacts are signed. If you don’t have access to the GPG key you can’t sign them.

koral

03/25/2020, 3:26 PM
Correct, but you can generate a new key if you lose the previous one

gammax

03/25/2020, 3:27 PM
Exactly. That would break GPG key validation on the Gradle side (which is basically the whole point behind GPG)

koral

03/25/2020, 7:28 PM
AFAIK if the key is uploaded to a keyserver before publishing to Maven Central, it should pass the validation

gammax

03/25/2020, 7:29 PM
I’m talking about validation on the Gradle side: https://docs.gradle.org/current/userguide/dependency_verification.html

koral

03/25/2020, 7:33 PM
Ah OK, now it’s clear

gammax

05/22/2020, 9:46 AM

sloydev

05/22/2020, 9:46 AM
Whoa! That's great news! 😄 🙌