Maven Central
Maven central requires namespace verification so that publishers of artifacts have access to the domain identified with the groupID (e.g. publishing hu.bme.mit.theta.<artifactID> necessitates control of theta.mit.bme.hu). This is done by creating a TXT DNS record with a given key.
Because CNAME and TXT records cannot coexist, either use an A record for aliasing another website (e.g., ftsrg.github.io), or just set the CNAME record and create an issue like OSSRH-91574. By creating a /validation endpoint with the given key, we were successfully validated. This requires human interaction from their side, so it took around a week.
There is an official guide, albeit not complete. The basic requirements are:
- Package Javadoc and sources as well
- Generate pom.xml with developer, license and SCM data included, then sign it with a PGP key (optionally you can sign everything else as well).
- Note that the signatory information must be pushed to a public key server (e.g.,
gpg --keyserver keys.openpgp.org --send-keys <keyID>), and the associated email must presumably match your email in the Sonatype system.
- Note that the signatory information must be pushed to a public key server (e.g.,
- Include
sha1andmd5(optionally anything else, such assha256) hashes for every file.
For a working example, see maven-artifact.gradle.kts.
Note that this will only open a staging repository in the Nexus system of Sonatype. You need to either manually close and publish this repository, or rely on a semi-working gradle plugin.
The entire flow is integrated in a GH action.