使用 gpg:sign-and-deploy-file 部署到 Maven Central 时收到 400 Bad Request

Posted 2023-02-18

技术标签:

【中文标题】使用 gpg:sign-and-deploy-file 部署到 Maven Central 时收到 400 Bad Request【英文标题】：Getting 400 Bad Request when deploying to Maven Central with gpg:sign-and-deploy-file 【发布时间】：2020-05-02 12:12:03 【问题描述】：

我有一个 .jar 文件，我想使用 Travis 上传到 Maven Central。我公司向 Sonatype 发送了创建帐户的 Jira 票证，并且帐户已创建。

我在 Travis 脚本中上传工件的命令如下：

mvn gpg:sign-and-deploy-file \
  -DpomFile=stuff/pom.xml \
  -Dfile=_build/java/Packager.jar \
  -Durl=https://oss.sonatype.org/service/local/staging/deploy/maven2/ \
  -DrepositoryId=maven-central \
  -Dgpg.passphrase=$mvn_passphrase

命令的输出以以下错误结束：

Uploading to maven-central: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect-sdk/18.0/connect-sdk-18.0.jar
Uploading to maven-central: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect-sdk/18.0/connect-sdk-18.0.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  8.115 s
[INFO] Finished at: 2020-01-15T16:48:51Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign-and-deploy-file (default-cli) on project standalone-pom: Failed to deploy artifacts: Could not transfer artifact com.cloudblue:connect-sdk:jar:18.0 from/to maven-central (https://oss.sonatype.org/service/local/staging/deploy/maven2/): Transfer failed for https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect-sdk/18.0/connect-sdk-18.0.jar 400 Bad Request -> [Help 1]

这些是 ~ /.m2/settings.xml 文件的内容：

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                            http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <profiles>
        <profile>
            <id>maven-central</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
        </profile>
    </profiles>

    <activeProfiles>
        <activeProfile>maven-central</activeProfile>
    </activeProfiles>

    <servers>
        <server>
            <id>maven-central</id>
            <!-- These will be replaced by the proper env vars by the Travis script -->
            <username>__USER__</username>
            <password>__PASSWORD__</password>
        </server>
    </servers>
</settings>

这是我的 pom.xml：

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>com.cloudblue</groupId>
    <artifactId>connect-sdk</artifactId>
    <version>18.0</version>
    <packaging>jar</packaging>

    <name>$project.groupId:$project.artifactId</name>
    <description>Connect Java SDK autogenerated from Haxe sources.</description>
    <url>https://github.com/cloudblue/connect-java-sdk</url>

    <licenses>
        <license>
            <name>The Apache License, Version 2.0</name>
            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
        </license>
    </licenses>

    <developers>
        <developer>
            <name>CloudBlue</name>
            <email>connect-service-account@ingrammicro.com</email>
            <organization>CloudBlue</organization>
            <organizationUrl>https://www.cloudblue.com/</organizationUrl>
        </developer>
    </developers>

    <scm>
        <connection>scm:git:git://github.com/cloudblue/connect-java-sdk.git</connection>
        <developerConnection>scm:git:ssh://github.com:cloudblue/connect-java-sdk.git</developerConnection>
        <url>https://github.com/cloudblue/connect-java-sdk</url>
    </scm>

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven-deploy-plugin.version>3.0.0-M1</maven-deploy-plugin.version>
    </properties>

    <build>
        <plugins>
            <plugin>
                <artifactId>maven-deploy-plugin</artifactId>
                <version>$maven-deploy-plugin.version</version>
                <executions>
                    <execution>
                        <configuration>
                            <repositoryId>maven-central</repositoryId>
                            <file>connect.jar</file>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>$maven-gpg-plugin-version</version>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                    <groupId>org.sonatype.plugins</groupId>
                    <artifactId>nexus-staging-maven-plugin</artifactId>
                    <version>1.6.8</version>
                    <extensions>true</extensions>
                    <configuration>
                        <serverId>maven-central</serverId>
                        <nexusUrl>https://oss.sonatype.org/</nexusUrl>
                        <autoReleaseAfterClose>true</autoReleaseAfterClose>
                    </configuration>
            </plugin>
        </plugins>
    </build>

    <distributionManagement>
        <snapshotRepository>
            <id>maven-central</id>
            <name>Snapshot</name>
            <url>https://oss.sonatype.org/content/repositories/snapshots</url>
        </snapshotRepository>
        <repository>
            <id>maven-central</id>
            <name>Release</name>
            <url>https://oss.sonatype.org/service/local/staging/deploy/maven2/</url>
        </repository>
    </distributionManagement>
</project>

有人可以就导致 400 错误的原因提供指导吗？

编辑：我找到了其中一个问题的原因。创建 Sonatype 帐户时未将 groupId 设置为正确的值。它已被修复。现在，使用deploy:deploy-file 目标可以正确上传包，但使用gpg:sign-and-deploy-file 签名和上传文件会引发以下错误：

Uploading to connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.jar
Uploaded to connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.jar (374 kB at 19 kB/s)
Uploading to connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.pom
Uploaded to connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.pom (3.7 kB at 6.2 kB/s)
Downloading from connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/maven-metadata.xml
Downloading from connect: https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.jar.asc
[WARNING] Could not transfer metadata com.cloudblue:connect.sdk:18.0/connect.sdk-18.0.jar.asc from/to connect (https://oss.sonatype.org/service/local/staging/deploy/maven2): Transfer failed for https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.jar.asc 400 Bad Request
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  27.511 s
[INFO] Finished at: 2020-01-17T08:00:16Z
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign-and-deploy-file (default-cli) on project standalone-pom: Failed to retrieve remote metadata com.cloudblue:connect.sdk:18.0/connect.sdk-18.0.jar.asc: Could not transfer metadata com.cloudblue:connect.sdk:18.0/connect.sdk-18.0.jar.asc from/to connect (https://oss.sonatype.org/service/local/staging/deploy/maven2): Transfer failed for https://oss.sonatype.org/service/local/staging/deploy/maven2/com/cloudblue/connect.sdk/18.0/connect.sdk-18.0.jar.asc 400 Bad Request -> [Help 1]

【问题讨论】：

澄清一下，你确认_build/java/Packager.jar存在了吗？是的，并且签名正确，因为_build/java/Packager.jar.asc文件也存在。 【参考方案1】：

我很傻，在 pomFile 参数中包含了我的项目 pom.xml 的路径而不是 jar pom，这也导致了这个错误。希望能帮助我的一些同行。

【讨论】：

【参考方案2】：

对于任何有相同问题的人，我们做了以下操作：

签名并部署到本地目录：例如mvn gpg:sign-and-deploy-file -e -X -Durl="file:///tmp" 使用 curl 上传到 maven：请参阅： https://support.sonatype.com/hc/en-us/articles/213465868-Uploading-to-a-Staging-Repository-via-REST-API

【讨论】：

你能分享你用来上传文件的 curl 命令吗？我收到 400 个“缺少请求实体”。【参考方案3】：

我最终使用 REST API 来上传所有工件，并且效果非常好。 Maven 似乎在随机工作。有时它会上传签名文件，大多数时候不是。

【讨论】：

以上是关于使用 gpg:sign-and-deploy-file 部署到 Maven Central 时收到 400 Bad Request的主要内容，如果未能解决你的问题，请参考以下文章

在使用加载数据流步骤的猪中，使用（使用 PigStorage）和不使用它有啥区别？

今目标使用教程今目标任务使用篇

Qt静态编译时使用OpenSSL有三种方式（不使用，动态使用，静态使用，默认是动态使用）

MySQL db 在按日期排序时使用“使用位置；使用临时；使用文件排序”

使用“使用严格”作为“使用强”的备份

Kettle java脚本组件的使用说明(简单使用升级使用)