Closed bmarwell closed 4 months ago
simply try
mvn -o ...
Hey Slawomir!
That wouldn't work for my scenario. Sorry for not providing a better command. See what I am doing at the moment:
Consider the ojdbc8-production.pom (which is essentially a bom file).
```shell
GNUPGHOME="${WORKSPACE}/tmp/gnupg" \
"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--no-transfer-progress \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-DoutputDirectory=${driver_version_dir}" \
"-Dmdep.stripVersion=true" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"
```
I now replaced it with a two-step setup:
```shell
"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--no-transfer-progress \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-DoutputDirectory=${driver_version_dir}" \
"-Dmdep.stripVersion=true" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"

"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--offline \
org.simplify4u.plugins:pgpverify-maven-plugin:check \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-DoutputDirectory=${driver_version_dir}" \
"-Dmdep.stripVersion=true" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"
```
Now it would fail because the pgpverify-plugin is not available. This is why I asked for an offline mode explicitly for this plugin.
Of course, there is a workaround. Add a third step in the middle:
```shell
"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--no-transfer-progress \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:go-offline \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-DoutputDirectory=${driver_version_dir}" \
"-Dmdep.stripVersion=true" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"

# dependency:get the plugin
"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--no-transfer-progress \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:get \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-Dartifact=org.simplify4u.plugins:pgpverify-maven-plugin:1.16.0" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"

"${WORKSPACE:?}/mvnw" \
--batch-mode \
--errors \
--offline \
org.simplify4u.plugins:pgpverify-maven-plugin:check \
org.apache.maven.plugins:maven-dependency-plugin:3.3.0:copy-dependencies \
"-Dmaven.repo.local=${WORKSPACE}/tmp/maven_repo" \
"-DoutputDirectory=${driver_version_dir}" \
"-Dmdep.stripVersion=true" \
-f "${driver_version_dir}/${artifactname}-${version}.pom"
```
If that really is the intended solution, this three-step setup should be documented. That's not something an average maven user can do, I'd say.
// Edit: that doesn't even work as intended:
```
[INFO] Resolved 20 signature(s) in PT0.007559881S
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:simplefan:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ucp:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.ha:ons:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.security:oraclepki:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_core:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.security:osdt_cert:pom:19.7.0.0
[WARNING] No signature for com.oracle.database.nls:orai18n:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xdb:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.xml:xmlparserv2:jar:19.7.0.0
[WARNING] No signature for com.oracle.database.jdbc:ojdbc8:pom:19.7.0.0
[INFO] Finished 20 artifact(s) validation in PT0.01117527S
```
I think the plugin does not pick up GNUPGHOME.
So, adding `* = any` of course helps. But I have to pre-fill the cache directory now as well.
It seems undocumented, but here is the layout: `.m2/repository/pgpkeys-cache/<0..*2h>/<2..*4h>/${shorthex^^}.asc`.
My current keys are exported using `0xlong.asc`.
So prefilling that directory requires additional scripting.
This will make a nice blog post, but is quite a way to set up. Maybe you could reconsider my request to use a gpg keyring? :)
There is a goal: `org.simplify4u.plugins:pgpverify-maven-plugin:go-offline`
- it should be used together with dependency-plugin:go-offline
> I think the plugin does not pick up GNUPGHOME.

Right - the plugin uses the bcpg library, not the gpg executable.

> It seems undocumented, but here is the layout:
> `.m2/repository/pgpkeys-cache/<0..2h>/<2..4h>/${shorthex^^}.asc`.

It depends on the information in the artifact signatures: sometimes we have only the long key, and in other cases we have the full key (fingerprint). So the path can have the long key or the fingerprint.
OK, so again.
While running go-offline, the following thing happens (all of them are problems to me)
So, why does it not find a specific key? I use the same algorithm to place all the keys.
OK, maybe in clear terms:
Maybe it will help you a little: #546
No, not at all too late! This is a super helpful feature whenever there will be new keys being used for e.g. DB driver jars
Is your feature request related to a problem? Please describe.
Not a problem, except network connections and proxies. :) When all keys are already present (e.g. .asc files or imported into the local keyring), there is no need to download keys. BUT I cannot specify the keyring file as of now.
Describe the solution you'd like
`-Dverify.offline=true -Dverify.gpghomedir=$PWD` or similar.
Describe alternatives you've considered
Additional context
n/a