Sign with keystore then publish with maven-publish
Question
I want to publish an Android library (`.aar`) to a Maven Repository. I manage to do it using the `signing` and `maven-publish` gradle plugins. But the signing plugin does not seem to work with a keystore file: it seems to take something like this:

```properties
signing.keyId=24875D73
signing.password=secret
signing.secretKeyRingFile=/Users/me/.gnupg/secring.gpg
```

and what I have are a `.keystore` file, a `keyAlias` (which looks more like “key0” than a PGP key), then a store password and a key password.

So instead of using the signing plugin, I thought I could do something more like this:

```groovy
tasks.whenTaskAdded { task ->
    if (task.name == 'assembleRelease') {
        def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"
        task.doLast {
            ant.signjar(
                alias: android.signingConfigs.release.keyAlias,
                jar: aarPath,
                keystore: android.signingConfigs.release.storeFile,
                storepass: android.signingConfigs.release.storePassword,
                keypass: android.signingConfigs.release.keyPassword,
                preservelastmodified: 'true')
            ant.verifyjar(
                alias: android.signingConfigs.release.keyAlias,
                jar: aarPath,
                keystore: android.signingConfigs.release.storeFile,
                storepass: android.signingConfigs.release.storePassword,
                keypass: android.signingConfigs.release.keyPassword)
        }
    }
}
```

This works when I do `./gradlew assembleRelease` (i.e. I can verify with jarsigner that the aar is signed). But when I do `./gradlew publish`, somehow my output aar is not signed. Which confuses me because I thought that the publish task would run the assembleRelease task, which would run the signing.

What am I missing? How can I sign my aar with a keystore and still push it to a Maven Repository?
Answer 1
Score: 1
In your case, change to:

```groovy
if (task.name == 'assembleRelease' || task.name == 'bundleReleaseAar') {
```

The problem is the task order is getting changed. Tasks don't "re-run", but certain influences can cause the tasks you're interested in to be applied at an inappropriate time (perhaps trying to sign the artifact before it's created).

Even `--dry-run` isn't guaranteed to show you the actual order, as I found out recently (in `G8.0.2`).

You can debug the actual order by adding things like this to see the actual order when it runs:

> `tasks.assembleRelease.doLast { println("signed") }`

and

> `tasks.signMavenJavaPublication.doLast { println("signed") }`

Then, run the build in ways that "work" and ways that "don't", and observe the actual order, and see how it differs from what you expect.
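
An added sketch of the answer's suggestion (not the asker's or the answerer's code): it hooks `bundleReleaseAar` directly and signs the file that task reports as its output, instead of a hard-coded path. It assumes the `android.signingConfigs.release` block from the question and that the AAR task is a Zip-type task exposing `archiveFile`.

```groovy
// build.gradle (Groovy DSL) of the library module -- added example.
// Assumption: android.signingConfigs.release is configured as in the question.
tasks.configureEach { task ->
    // bundleReleaseAar is the task name given in the answer; hooking it here
    // means the signing step runs whenever the AAR itself is (re)built,
    // whether the build was started via assembleRelease or via publish.
    if (task.name == 'bundleReleaseAar') {
        task.doLast {
            def cfg = android.signingConfigs.release

            // Assumption: the task is a Zip-type archive task, so archiveFile
            // points at the AAR it has just written. This avoids guessing the
            // file name under build/outputs/aar/.
            File aar = task.archiveFile.get().asFile
            if (!aar.exists()) {
                throw new GradleException("AAR not found, nothing to sign: ${aar}")
            }

            // Sign in place with the keystore entry (jarsigner-style signature
            // stored under META-INF/ inside the archive).
            ant.signjar(
                jar: aar,
                alias: cfg.keyAlias,
                keystore: cfg.storeFile,
                storepass: cfg.storePassword,
                keypass: cfg.keyPassword,
                preservelastmodified: 'true')

            // Fail the build right here if the archive does not verify, so an
            // unsigned AAR never reaches the publish step.
            ant.verifyjar(
                jar: aar,
                alias: cfg.keyAlias,
                keystore: cfg.storeFile,
                storepass: cfg.storePassword,
                keypass: cfg.keyPassword)

            logger.lifecycle("Signed and verified ${aar.name}")
        }
    }
}
```

The result is a keystore signature embedded in the AAR, which is a different artifact from the detached PGP `.asc` files the `signing` plugin produces. Running `jarsigner -verify` on the file that was actually uploaded confirms the published copy is the signed one.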