Sonatype Release requirements

As of 2019, Sonatype has strict validation requirements for all JAR projects. They include:

• Must include the JAR itself
• Must include a "*-sources.jar"
• Must include a "*-javadoc.jar"
• Must include a valid "pom.xml"
• All JARs must be signed (an ".asc" signature file must 

Download Handle Software and Create Release Files

1. Download Handle software distribution package: http://handle.net/download_hnr.html
2. Unzip the distribution package. 
   1. The main "handle-[version].jar" can be found in the "/lib" folder
   2. The "handle-[version]-sources.jar" can be created from the embedded "handle-[version]-src.zip".  Just extract that, and rename it to "handle-[version]-sources.jar"
   3. The "handle-[version]-javadoc.jar" can be created from the "/doc/apidoc" folder. Just extract that, zip it up and rename it to "handle-[version]-javadoc.jar"

3. Create a valid POM for this release. Here's the one created for v9.1.0 (with help from CNRI staff)

   <?xml version="1.0" encoding="UTF-8"?> <project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <modelVersion>4.0.0</modelVersion> <groupId>org.dspace</groupId> <artifactId>handle</artifactId> <version>9.1.0</version> <name>CNRI Handle.net software</name> <description> CNRI Handle.net Software (Permission granted for redistribution by Giridhar Manepalli at CNRI) </description> <url>http://handle.net/</url> <dependencies> <dependency> <groupId>com.google.code.gson</groupId> <artifactId>gson</artifactId> <version>2.8.2</version> <scope>compile</scope> </dependency> <dependency> <groupId>net.cnri</groupId> <artifactId>cnriutil</artifactId> <version>2.0</version> <scope>compile</scope> </dependency> <dependency> <groupId>commons-codec</groupId> <artifactId>commons-codec</artifactId> <version>1.11</version> <scope>compile</scope> </dependency> <dependency> <groupId>org.python</groupId> <artifactId>jython</artifactId> <version>2.2.1</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcprov-jdk15on</artifactId> <version>1.59</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>org.bouncycastle</groupId> <artifactId>bcpkix-jdk15on</artifactId> <version>1.59</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>javax.servlet</groupId> <artifactId>javax.servlet-api</artifactId> <version>3.0.1</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>org.eclipse.jetty.aggregate</groupId> <artifactId>jetty-all</artifactId> <version>8.1.22.v20160922</version> <scope>compile</scope> <exclusions> <exclusion> <artifactId>javax.servlet</artifactId> <groupId>org.eclipse.jetty.orbit</groupId> </exclusion> </exclusions> <optional>true</optional> </dependency> <dependency> <groupId>com.sleepycat</groupId> <artifactId>je</artifactId> <version>7.5.11</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>org.hyperic</groupId> <artifactId>sigar</artifactId> <version>1.6.5.132-7</version> <scope>compile</scope> <optional>true</optional> </dependency> <dependency> <groupId>junit</groupId> <artifactId>junit</artifactId> <version>4.12</version> <scope>test</scope> </dependency> <dependency> <groupId>org.hamcrest</groupId> <artifactId>hamcrest-core</artifactId> <version>1.3</version> <scope>test</scope> </dependency> <dependency> <groupId>net.minidev</groupId> <artifactId>json-smart</artifactId> <version>2.3</version> <scope>test</scope> </dependency> <dependency> <groupId>com.googlecode.json-simple</groupId> <artifactId>json-simple</artifactId> <version>1.1.1</version> <scope>test</scope> </dependency> <dependency> <groupId>com.nimbusds</groupId> <artifactId>nimbus-jose-jwt</artifactId> <version>2.26.1</version> <scope>test</scope> </dependency> </dependencies> <licenses> <license> <name>Handle.Net Public License Agreement (ver.2)</name> <url>http://hdl.handle.net/20.1000/112</url> <distribution>manual</distribution> </license> </licenses> <developers> <developer> <name>CNRI</name> <email>hdladmin@cnri.reston.va.us</email> <url>http://handle.net/hnr_support.html</url> </developer> </developers> </project>

   
   

Sign each of the artifacts & Upload to Sonatype

There are two ways of doing this, as noted in the Sonatype docs here: https://central.sonatype.org/pages/manual-staging-bundle-creation-and-deployment.html

You can either use maven-gpg-plugin to sign & deploy each file.

Or, you can manually sign each, and upload them to Sonatype (via the web UI).

I chose the latter. Here's what I did:

1. Signed each artifact
   1. gpg2 -ab handle-9.1.0.pom
   2. gpg2 -ab handle-9.1.0.jar
   3. gpg2 -ab handle-9.1.0-sources.jar
   4. gpg2 -ab handle-9.1.0-javadoc.jar
2. Now, a total of 8 files exist. Each of the above, and a corresponding "*.asc" signature.

3. Bundle them into a single JAR (bundle.jar):

   jar -cvf bundle.jar handle-9.1.0.pom handle-9.1.0.pom.asc handle-9.1.0.jar handle-9.1.0.jar.asc handle-9.1.0-sources.jar handle-9.1.0-sources.jar.asc handle-9.1.0-javadoc.jar handle-9.1.0-javadoc.jar.asc

   
   

4. Login to https://oss.sonatype.org/ and upload the bundle.jar on the "Staging Upload" page
   1. Select "Artifact Bundle" upload mode
   2. Upload the "bundle.jar" you created