Publishing existing libraries to Maven Central
A guide to publishing existing libraries artifacts on Jcenter to Maven Central
JCenter is shutting down
In case you missed it, JFrog is shutting down Bintray along with JCenter in May 2021.
Now, there are two questions that many developers are wondering:
1. Where to publish new libraries and their artifacts?
2. What happens to the existing artifacts?
Publishing to Maven Central
Marton Braun’s post explains how to set up a Sonatype account, and publish your first library:
Publishing existing libraries to Maven Central
So, we will be talking about how to publish existing Jcenter libraries to Maven Central.
Pre-requisites: Sonatype account and respective coordinate or groupId for your library.
You can create a Sonatype account by following the steps mentioned in above Marton Braun’s post.
Navigate to your existing library repository
In bintray, login and navigate to your respective library repository.
In new look, you can’t find the “Maven Central” option. You need to switch back to the Old Look.
Configure Sonatype credentials in your account
Navigate to Edit Profile from the top-right menu, then click on the Accounts option from the left menu. Now, you need to configure the Sonatype username and password. You can also user-token here from the Sonatype account (explained later).
Check for the GPG key in your account
In Edit Profile, click on the GPG signing option from the left menu. Here, you need to check for GPG keys. If you don’t already have one, then you need to create and add both private and public keys.
Why do we need to configure GPG Signing?
Artifacts published on MavenCentral have to be signed by their publishers.
Creating and exporting GPG keys (If not already configured). Here you need to create GPG keys to set them up in our profile, for which we need a private and a public key.
Also, you need to distribute the public key on the key server so that anyone can verify that the key belongs to you.
- Using command line
gpg --keyserver hkp://pool.sks-keyservers.net --send-keys <Key-ID> - Manually distributing the public key directly on the website
https://keyserver.2ndquadrant.com/
Signing the artifacts with GPG keys
After setting up the keys, you need to sign the existing artifacts. For signing the artifacts you will be using Postman to call Bintray’s rest API.
API for signing a specific version: https://api.bintray.com/gpg/:subject/:repo/:package/versions/:version
Example: https://api.bintray.com/gpg/vipulasri/maven/TicketView/versions/1.1.2
API needs a basic authentication and an X-GPG-PASSPHRASE (known while creating the GPG keys) as headers.
Basic Authentication: The API requires
- Username: the username of the bintray account.
- Password: the API key of your bintray account.
You can access the bintray API key from Edit Profile and then clicking on API Key.
Syncing artifacts to Maven Central
Now, you will be syncing the artifacts to Maven Central by navigating to Maven Central tab on the repository page.
You can override the Sonatype credentials here, in case you want to use the User token key and User token password for security.
Before clicking Sync, you can view info about previous syncs of the same artifact, on the right side of the tab: Last Synced, Last Sync Status, and Last Sync Errors.
It is recommended that you enable the “Close and release repository when done” checkbox before you sync. This ensures that after the sync process is completed, the artifact in Maven Central is closed and can no longer be modified.
Optionally, you can use the rest API to sync the versions of the specific artifacts on Maven Central
API for syncing a version: https://api.bintray.com/maven_central_sync/:subject/:repo/:package/versions/:version
Example: https://api.bintray.com/maven_central_sync/vipulasri/maven/TicketView/versions/1.0.7
Verifying artifacts on Sonatype / Nexus Repository
You can now verify the artifacts synced from JCenter on Sonatype by searching for the specific groupId or artifact’s name.
Thanks for reading, if you have any questions or comments — feel free to reach out on Twitter @vipul_asri.
