Guide to publish Scala artifact using sbt
13 July 2018
Disclaimer: this guide is current for macOS and GnuPG 2.1 as of July 2018. Things may break in the future.
Create an account on Sonatype
Follow this guide and create a JIRA account and a ticket for claiming your groupId. You should own the domain for the groupId or use something like io.github.yourname. Check this guide for more information.
Configure sbt
Add plugins to project/plugins.sbt
addSbtPlugin("org.xerial.sbt" % "sbt-sonatype" % "2.3")
addSbtPlugin("com.jsuereth" % "sbt-pgp" % "1.1.1")
Add the following to build.sbt and fill in your actual information
name := "artifactName"
organization := "io.organization"
version := "1.0"
homepage := Some(url("https://github.com/awesome/project"))
scmInfo := Some(ScmInfo(url("https://github.com/awesome/project"),
                        "git@github.com:awesome/project.git"))
developers := List(Developer("name",
                             "Firstname Secondname",
                             "me@email.ru",
                             url("https://github.com/username")))
licenses += ("Apache-2.0", url("http://www.apache.org/licenses/LICENSE-2.0"))
publishMavenStyle := true
// Add sonatype repository settings
publishTo := Some(
  if (isSnapshot.value)
    Opts.resolver.sonatypeSnapshots
  else
    Opts.resolver.sonatypeStaging
)
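Add to ~/.sbt/1.0/sonatype.sbt. This file is in your home directory, outside the project, so the credentials stay out of the project's version control.
credentials += Credentials("Sonatype Nexus Repository Manager",
                           "oss.sonatype.org",
                           "username",
                           "password")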
Configure gpg
You should sign the artifact with a private key. In this guide, I use GnuPG on macOS. First of all, create a public/private key pair (if you don't already have one).
$ gpg --gen-key
List your keys:
$ gpg --list-keys
/Users/khamutov/.gnupg/pubring.kbx
----------------------------------
pub rsa2048 2018-03-05 [SC] [expires: 2020-03-04]
16F64A138832C316EF8B2CD84399A163BBF065D1
uid [ultimate] khamutov <some@email.com>
sub rsa2048 2018-03-05 [E] [expires: 2020-03-04]
The long hexadecimal value is your keyid. Send the key to the keyservers. It can take up to 24 hours for the key to sync across all keyservers.
$ gpg --keyserver hkps://hkps.pool.sks-keyservers.net --send-key 16F64A138832C316EF8B2CD84399A163BBF065D1
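Instead of copying the fingerprint by hand, it can be read from gpg's machine-readable listing and checked for expiry before publishing. This is an added example, not part of the original guide: the function names and the sample listing (built around the key shown above, with constructed subkey and second-key values) are assumptions, and dates are assumed to be epoch seconds.

```shell
#!/bin/sh
# Added example (not from the original guide).
# usable_signing_fprs [CUTOFF_EPOCH] < output of `gpg --list-keys --with-colons`
# Prints the fingerprint of every primary key that is usable for signing
# and still valid at CUTOFF_EPOCH (default: now).
usable_signing_fprs() {
    awk -F: -v cutoff="${1:-$(date +%s)}" '
        $1 == "pub" {
            want = 0
            if ($2 ~ /^[ired]$/) next                   # invalid, revoked, expired, disabled
            if ($7 != "" && $7 + 0 <= cutoff + 0) next  # field 7: expiration date
            if ($12 !~ /S/ || $12 ~ /D/) next           # field 12: usable capabilities
            want = 1
            next
        }
        $1 == "sub" { want = 0 }                        # never report subkey fingerprints
        $1 == "fpr" && want { print $10; want = 0 }     # field 10: fingerprint
    '
}

# Constructed sample listing: the key from this guide plus an expired key.
# Key ids, subkey and second-key fingerprints, and timestamps are made up.
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:4399A163BBF065D1:1520208000:1583280000::u:::scESC::::::23::0:
fpr:::::::::16F64A138832C316EF8B2CD84399A163BBF065D1:
uid:u::::1520208000::CONSTRUCTED::khamutov <some@email.com>:
sub:u:2048:1:1111111111111111:1520208000:1583280000:::::e::::::23:
fpr:::::::::1111111111111111111111111111111111111111:
pub:e:2048:1:2222222222222222:1420070400:1451606400::-:::sc::::::23::0:
fpr:::::::::2222222222222222222222222222222222222222:
uid:e::::1420070400::CONSTRUCTED::old key <old@example.com>:
EOF
}

# Demo on the sample with the cutoff set to 13 July 2018 (1531440000).
sample_listing | usable_signing_fprs 1531440000

# Real use, requiring the key to stay valid for another 30 days:
#   gpg --list-keys --with-colons | usable_signing_fprs "$(( $(date +%s) + 2592000 ))"
```

Passing a cutoff in the future catches a key that is about to expire before it blocks a release.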
Configuring sbt to work with gpg is a bit tricky. Add the following to ~/.sbt/1.0/sonatype.sbt
// Use external gpg instead of BouncyCastle.
useGpg := true
// GnuPG 2.1 has no secring file, but setting pubring.kbx as secring works.
pgpSecretRing := file("~/.gnupg/pubring.kbx")
// Optional passphrase for the key, if you don't want to type it each time. Must be an array of chars.
// Note that the passphrase is then stored in plain text in this file.
pgpPassphrase := Some(Array('p','a','s','s','w','o','r','d'))
Publish to sonatype staging repository
Run
sbt publishSigned
If you see the error gpg: signing failed: Inappropriate ioctl for device
fix it with
$ GPG_TTY=$(tty)
$ export GPG_TTY
Promote to central
Search for your artifact on https://oss.sonatype.org/ and follow the guide for releasing: https://central.sonatype.org/pages/releasing-the-deployment.html
Congratulations, you have just released your first artifact.🎉