We use a 2 step process, to reduce costs to Apache for signing release candidates which subsequently fail.
After the release vote passes, feature and plugin Jar files (but not the pack.gz files) are manually uploaded and signed,
and then a subsequent maven task is run to rebuild just the site packaging artifacts using the signed Jars.
The first step is to do a normal build of the update site, using mvn release:prepare.
This produces the artifacts for voting on, without jar-signing the
new Jars, and writes the "tag" for this into SVN for record keeping.
After the vote passes
the release manager, using their special credentials, logs onto the signing portal. This process
requires a one-time code, which the portal will send to you. (Note: I had to refresh my web browser in order to
get the screen showing that option). Once signed, in, make a signing set
consisting of all of the Jars in target/eus-work/plugins and feature jars (feature jars must also be signed)
(not the *.pack.gz files, nor the ..content nor ..artifact metadata Jars). Test sign these and download them.
For safety, the build process makes a copy of the target/eus-work/plugins directory.
Update the .jar files in that directory
with the signed ones, overlaying the unsigned ones.
Then rebuild the update site by running
This does the remaining steps,
including packing (regenerating the .pack.gz files in the /plugins) and adding the various
signatures and checksums to these. These are then re-published, merging with any previous contents of the update site.
Messages about "Artifact repository out of sync. Overwriting xxxx" are to be expected.
Please try installing the result to confirm nothing went wrong in this re-build process.
If all is well, repeat the above process starting with selection "production" signing for the jars, downloading
those jars, replacing them into the eus-work directory, and re-running the mvn antrun:run@make-subsite-after-signing.