How to auto deploy your MAVEN project to Sonatype Nexus Repository with GPG signature

This guide describes how you can sign and deploy your Maven project to the Sonatype Nexus Repository.



Generate PGP key

  1. Open a command line and run the command
    gpg --gen-key
  2. The program shows you several options. Select option “(1) RSA and RSA (default)”
  3. At the prompt “What keysize do you want? (2048)” press the ENTER key
  4. At the prompt “Please specify how long the key should be valid.” select option “0 = key does not expire”
  5. At the prompt “Key does not expire at all. Is this correct? (y/N)” answer “Y”
  6. Enter your “Real name:”
  7. Enter your “Email address:”
  8. Enter “Comment:” (this step is optional)
  9. Confirm your entries by entering “O” (as in “OK”)
  10. At “Enter passphrase:” enter a passphrase to protect your key
  11. When you see message “We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.”
    Do some other work to collect more entropy.
  12. When generation finishes, check the generated key with the command
    gpg2 --fingerprint your@email.adr
    pub rsa2048/60A37611 2016-07-16 [SC]
     Key fingerprint = 1AE6 F02C 9F2A 7857 258E D154 7B1F 845A 511F 9852
    uid [ultimate] John Dove <>
    sub rsa2048/D5BEA871 2016-07-16 [E]
  13. Send your key to a key server with the command
    gpg2 --keyserver --send-keys 60A37611
    gpg: sending key 60A37611 to hkp://



Modify your settings.xml file

First, put your Sonatype credentials in your settings.xml file, which is located in the {home}/.m2 folder, e.g. /home/jdove/.m2/settings.xml
Add the lines below to the file and replace “sonatype-username” and “sonatype-password” with the credentials you use on the Sonatype JIRA portal.

      <!-- Sonatype Nexus Repository -->


Modify your pom.xml file

Add these lines to your project's pom.xml file





Compile, sign and deploy

Go to your project root folder (where pom.xml is located) and run the command.

mvn verify gpg:sign install:install deploy:deploy
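
A check you can run after signing and before deploying, added here as an example and not part of the original guide: it confirms that every artifact has a detached .asc signature and that gpg attributes each one to the expected key. It assumes the artifacts are in Maven's default target/ directory and that you pass the full key fingerprint without spaces; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-deploy signature check. The directory and the expected
# fingerprint are supplied by the caller (assumptions, not project values).

# Print every *.jar / *.pom in DIR that has no non-empty .asc file beside it.
missing_signatures() {
  local dir="$1" f
  for f in "$dir"/*.jar "$dir"/*.pom; do
    [ -e "$f" ] || continue            # unmatched glob stays literal; skip it
    [ -s "$f.asc" ] || printf '%s\n' "${f##*/}"
  done
}

# Read `gpg --status-fd` output on stdin and print the last field of the first
# VALIDSIG line, which GnuPG 2 sets to the primary-key fingerprint. If that
# field is absent the value will not match a fingerprint, so callers fail closed.
validsig_primary_fpr() {
  awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Succeed only if every artifact in DIR carries a good signature made by the
# key whose primary fingerprint is EXPECTED. Key expiry and revocation are
# not evaluated here.
check_signatures() {
  local dir="$1" expected="$2" f fpr rc=0
  if [ -n "$(missing_signatures "$dir")" ]; then
    echo "unsigned artifacts:" >&2; missing_signatures "$dir" >&2; return 1
  fi
  for f in "$dir"/*.asc; do
    [ -e "$f" ] || { echo "no signatures found in $dir" >&2; return 1; }
    fpr=$(gpg --batch --status-fd 1 --verify "$f" "${f%.asc}" 2>/dev/null \
            | validsig_primary_fpr)
    if [ "$fpr" != "$expected" ]; then
      echo "bad signature or unexpected signer: ${f##*/}" >&2; rc=1
    fi
  done
  return $rc
}
```

For example: check_signatures target 1AE6F02C9F2A7857258ED1547B1F845A511F9852 (the sample fingerprint shown in step 12, spaces removed).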


Compile without sign and deploy

If you don’t want to sign and deploy your build, you can use this command.

mvn install -DskipTests -Dgpg.skip


Travis CI

Travis CI doesn’t have your PGP key, so the build will fail at the signing step. If you add the line below to your project's .travis.yml file, Travis CI will skip the signing and deploy steps; you then have to deploy your project manually as described above.

install: mvn install -DskipTests -Dgpg.skip


Moving to release

  1. Now you can log in to your Sonatype Nexus Repository (
  2. In the list of repositories, find your repository, select it with the checkbox and click the close button in the toolbar
  3. If all checks pass, you can select your repository again and click the release button in the toolbar
  4. Your project should now be uploaded to the central repository


