Uploading 3rd-party Artifacts to The Central Repository

Note
This guide is for artifacts of 3rd-party projects that do not want to upload their artifacts to The Central Repository themselves. If you want to deploy your own project to The Central Repository, please use the Sonatype OSS Maven Repository Usage Guide. We will check the POM of each bundle. If we find that a project member is deploying it, the bundle will be refused and dropped.

While most projects understand the importance of publishing artifacts to Central, there are still a few projects out there that don't have the same appreciation. When a project refuses to upload artifacts to Central, for whatever reason, as long as the license permits, we encourage people to submit artifact bundles to Central themselves.

Sonatype is replacing this process with a self-serve approach. If you want to get a specific library into the Central repository, all you need to do is sign up for an account on https://issues.sonatype.org/, create an artifact bundle, and upload it to the staging repository. Sonatype will perform some due diligence to make sure that the artifact has a license compatible with unrestricted distribution, and we will then promote the uploaded artifacts to the Central Maven repository.

Sign Up

To be able to log in to https://oss.sonatype.org/, you need to have a Sonatype JIRA account. If you don't have one, go to https://issues.sonatype.org/ and sign up.

Bundle Format

If the project's artifactId is foo and version is 1.0, the bundle.jar should contain the following files:

foo-1.0.pom
foo-1.0.pom.asc
foo-1.0.jar
foo-1.0.jar.asc
foo-1.0-sources.jar
foo-1.0-sources.jar.asc
foo-1.0-javadoc.jar
foo-1.0-javadoc.jar.asc

All bundles should contain a Maven POM file, a main jar file, Java sources, and Javadoc files. All the files must be PGP signed before being built into the bundle.

About PGP Signature
The signature must be detached and ASCII-armored, so you will want to run the command:

$ gpg -ab foo-1.0.jar

New to PGP? No worries, you can get all you need from How To Generate PGP Signatures With Maven.

As long as your bundle has a correct format and the POM meets the Central Sync Requirements, you can upload it.

Creating an Artifact Bundle

If you are working with a project that already has a Maven POM, you will need to make sure that the project meets the Central Sync Requirements.

If you are working with a project which does not have a Maven POM, you will need to craft a simple POM with the appropriate identifiers and configuration. When selecting the groupId, make sure to stay consistent with the original author of the library. For example, if you are uploading an artifact that will contain the "com.example.couchdb" package, you will likely want to choose a groupId of "com.example" and an artifactId of "couchdb". This is mostly up to you, as the person taking the initiative to upload the artifact, but we do want to make sure that the groupId you choose is reasonable. If previous versions of this artifact already exist in Central, be sure to use coordinates consistent with those older versions. For more information on how to choose the coordinates, please read Choosing your Coordinates.

Before building the bundle, you should configure your new build to sign artifacts with a PGP key. If you don’t have a PGP key to sign a release artifact, you’ll need to create one. For more information about PGP, please refer to How To Generate PGP Signatures With Maven.

Once you have all the files ready, run:

$ jar -cvf bundle.jar foo-1.0.pom foo-1.0.pom.asc foo-1.0.jar foo-1.0.jar.asc foo-1.0-sources.jar foo-1.0-sources.jar.asc foo-1.0-javadoc.jar foo-1.0-javadoc.jar.asc

Now you should have a bundle file. The next step is to upload it.

Uploading an Artifact Bundle to the OSS Nexus Instance

Log into the Nexus OSS instance at https://oss.sonatype.org, and click on the Staging Upload link in the Nexus menu. (Note the Nexus menu is on the left-hand side of the screen.) Once you select Staging Upload, you will see the Staging Upload panel shown in the following figure. Select "Artifact Bundle" from the Upload Mode dropdown. Then, click on Select Bundle to Upload... and select the bundle you generated in the previous section.

After you have selected your newly generated bundle, click on "Upload Bundle". If the bundle was successfully uploaded, you should see the following dialog:

You will also receive an email letting you know that the bundle has been successfully uploaded, what artifacts were contained in the bundle, and that the temporary staging repository associated with this bundle has been automatically closed.

At this point, you can log into Nexus and click on the Staging link to see your temporary staging repository.

What does a failed bundle upload look like?

There are a number of reasons a bundle upload might fail. If the artifacts are not properly signed with a PGP key, or if they are signed but the key is not available from the pgp.mit.edu server, the bundle upload will fail. If the bundle's POM does not contain required elements like license, name, description, developers, or SCM information, the bundle upload will fail. If a bundle upload fails, Nexus will present you with a dialog telling you exactly why the upload failed.

In the previous dialog, you can see that the couchdb4j-0.3.0-tobrien-1.pom lacks Developer information and that some of the artifacts in the bundle were either unsigned or signed by a PGP key which was not available from pgp.mit.edu or pool.sks-keyservers.net. To address these failures, you simply have to go back to your project, add the appropriate POM information and publish your public signing key with either of these keyservers. In addition to the failure dialog, you will also get an email telling you that the staging upload failed.
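
The failure causes above and the Bundle Format list can be checked locally before building bundle.jar. The following is an added example, not part of the original guide or of Sonatype's tooling; the function names check_bundle and verify_signatures are hypothetical, and the POM check only looks for the presence of the tags named on this page.

```shell
#!/bin/sh
# Added example: pre-upload check of the files that go into bundle.jar.
# Usage: check_bundle DIR ARTIFACT_ID VERSION

# Prints every problem found; returns 0 only if there are none.
check_bundle() {
    dir=$1; base="$2-$3"; problems=0

    # The eight files listed in the Bundle Format section.
    for f in "$base.pom" "$base.jar" "$base-sources.jar" "$base-javadoc.jar"; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $f"; problems=$((problems + 1))
        fi
        if [ ! -f "$dir/$f.asc" ]; then
            echo "missing signature: $f.asc"; problems=$((problems + 1))
        elif ! head -n 1 "$dir/$f.asc" | grep -q '^-----BEGIN PGP SIGNATURE-----'; then
            # gpg -ab writes an ASCII-armored detached signature with this header.
            echo "not an ASCII-armored detached signature: $f.asc"
            problems=$((problems + 1))
        fi
    done

    # POM elements the page names as required. Tag presence only: a nested
    # <name> (for example inside a license) also satisfies the <name> check.
    if [ -f "$dir/$base.pom" ]; then
        for tag in name description licenses developers scm; do
            if ! grep -q "<$tag>" "$dir/$base.pom"; then
                echo "POM lacks <$tag>"; problems=$((problems + 1))
            fi
        done
    fi
    [ "$problems" -eq 0 ]
}

# Cryptographic check; needs gpg and the signer's public key in the keyring.
verify_signatures() {
    dir=$1; base="$2-$3"
    for f in "$base.pom" "$base.jar" "$base-sources.jar" "$base-javadoc.jar"; do
        gpg --verify "$dir/$f.asc" "$dir/$f" || return 1
    done
}
```

Run check_bundle first, then verify_signatures on the same directory; neither confirms that the public key has been published to a keyserver, which the upload also requires.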

My Bundle is Uploaded. What Next?

Once you've uploaded your bundle, Nexus sends a message to Sonatype's Nexus administrators. We will then perform a few checks on the artifact. We will check to see if the artifact is already published on Central. We may also send you a few questions to make sure that you have tried to contact the original project to get them to publish the artifacts, but we will respond within a business day to your bundle upload. If the bundle upload is promoted you will receive an email confirming the promotion. If the bundle upload is dropped, you will also receive an email from Nexus that tells you why the bundle was dropped.

Sonatype is still convinced that artifacts are best managed by the projects that create them, but, in more than a few cases, we've run into projects that refuse to answer the call of the community. If you depend on a project that does not publish artifacts to Central, or if they seem to be inactive, please take advantage of the ability to upload your own artifact bundles. We're here, we're ready to help, and we'll respond in 2 business days.
