Issue2814

classification
Title: maven/build.xml does not PGP-sign the publication
Type: behaviour Severity: normal
Components: Any Versions:
Milestone: Jython 2.7.2
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: jeff.allen Nosy List: fwierzbicki, jeff.allen
Priority: normal Keywords:

Created on 2019-10-10.08:39:47 by jeff.allen, last changed 2019-11-01.20:58:07 by jeff.allen.

Messages
msg12708 (view) Author: Jeff Allen (jeff.allen) Date: 2019-10-10.08:39:46
In the build, since the pgp command is not necessarily available, and this breaks the build, we have removed the commands that use it to sign the artefacts. However, that's necessary for Sonatype to publish (or an equivalent signing process?).

We should restore the pgp steps, either making them optional or fail-soft.
msg12710 (view) Author: Jeff Allen (jeff.allen) Date: 2019-10-10.08:47:22
Alternatively, document as a manual step.
msg12722 (view) Author: Jeff Allen (jeff.allen) Date: 2019-10-26.16:41:36
(Corrected)

As a manual step, this is a bit awkward to do. I found I could modify the maven/build.xml *after* a build at tag 2.7.2b1, circumventing its tendency to build a snapshot.

This, added to macrodef stage, restores the gpg step:

      <!-- Generate a detached signature for each artefact in the bundle. -->
      <exec executable="gpg" dir="${build.maven}">
          <arg value="-ab"/>
          <arg value="@{artifactId}-@{version}.pom"/>
      </exec>

      <exec executable="gpg" dir="${build.maven}">
          <arg value="-ab"/>
          <arg value="@{artifactId}-@{version}.jar"/>
      </exec>

      <exec executable="gpg" dir="${build.maven}">
          <arg value="-ab"/>
          <arg value="@{artifactId}-@{version}-javadoc.jar"/>
      </exec>

      <exec executable="gpg" dir="${build.maven}">
          <arg value="-ab"/>
          <arg value="@{artifactId}-@{version}-sources.jar"/>
      </exec>

It fails if you don't have gpg at all, as the step is not really optional. I won't push that change right now though, taking other blockers to publication as part of this.
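
One way to make the signing step fail-soft, as msg12708 proposes, sketched as a stand-alone Ant build file. This is an added example, not the change committed for this issue and not Jython's maven/build.xml; the project, target and macro names and the `artifactId` and `version` values are placeholders chosen for illustration.

```xml
<?xml version="1.0"?>
<!-- Added example: stand-alone build file, not Jython's maven/build.xml. -->
<project name="sign-bundle-example" default="sign" basedir=".">

    <!-- Assumed values: the directory, artifactId and version are placeholders. -->
    <property name="build.maven" location="build/maven"/>
    <property name="artifactId" value="example-artifact"/>
    <property name="version" value="0.0.0"/>

    <!-- Probe for gpg. If it cannot be started, failifexecutionfails="false"
         lets the build continue and gpg.rc is never set. -->
    <target name="probe-gpg">
        <exec executable="gpg" failifexecutionfails="false"
              resultproperty="gpg.rc" outputproperty="gpg.version.text">
            <arg value="--version"/>
        </exec>
        <condition property="gpg.present">
            <equals arg1="${gpg.rc}" arg2="0"/>
        </condition>
    </target>

    <!-- One detached, ASCII-armoured signature (file.asc) per artefact.
         failonerror="true": once gpg is present, a signing error stops the build. -->
    <macrodef name="sign">
        <attribute name="file"/>
        <sequential>
            <exec executable="gpg" dir="${build.maven}" failonerror="true">
                <arg value="-ab"/>
                <arg value="@{file}"/>
            </exec>
        </sequential>
    </macrodef>

    <!-- Dependencies run first; the "if" test is evaluated afterwards. -->
    <target name="sign" depends="probe-gpg, warn-unsigned" if="gpg.present">
        <sign file="${artifactId}-${version}.pom"/>
        <sign file="${artifactId}-${version}.jar"/>
        <sign file="${artifactId}-${version}-javadoc.jar"/>
        <sign file="${artifactId}-${version}-sources.jar"/>
    </target>

    <!-- Fail-soft branch: the build succeeds but reports the missing signatures. -->
    <target name="warn-unsigned" depends="probe-gpg" unless="gpg.present">
        <echo level="warning">gpg not found: artefacts in ${build.maven} are unsigned.</echo>
    </target>
</project>
```

The probe separates "gpg is absent" (warn and continue) from "gpg is present but signing failed" (stop), so a partly signed bundle is never left looking complete.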
msg12732 (view) Author: Jeff Allen (jeff.allen) Date: 2019-10-31.15:27:05
I have managed to make bundles of signed files acceptable to Sonatype.
msg12734 (view) Author: Jeff Allen (jeff.allen) Date: 2019-11-01.20:58:07
Fixed at: https://hg.python.org/jython/rev/7028af43600e
History
Date  User  Action  Args
2019-11-01 20:58:07  jeff.allen  set  status: open -> closed; messages: + msg12734
2019-10-31 15:27:05  jeff.allen  set  resolution: accepted -> fixed; messages: + msg12732
2019-10-26 16:41:50  jeff.allen  set  messages: - msg12720
2019-10-26 16:41:36  jeff.allen  set  messages: + msg12722
2019-10-26 12:37:18  jeff.allen  set  assignee: jeff.allen; messages: + msg12720
2019-10-10 08:47:22  jeff.allen  set  messages: + msg12710
2019-10-10 08:44:51  jeff.allen  set  resolution: accepted; milestone: Jython 2.7.2
2019-10-10 08:39:47  jeff.allen  create