Sign with keystore then publish with maven-publish

I want to publish an Android library (.aar) to a Maven repository. I managed to do it using the signing and maven-publish Gradle plugins. But the signing plugin does not seem to work with a keystore file: it seems to take something like this:


and what I have are a .keystore file, a keyAlias (which looks more like “key0” than a PGP key), then a store password and a key password.

So instead of using the signing plugin, I thought I could do something more like this:

tasks.whenTaskAdded { task ->
    if (task.name == 'assembleRelease') {
        def aarPath = "${project.buildDir}/outputs/aar/XXX-release.aar"

        task.doLast {
            // Sign the AAR in place with the release keystore (Ant signjar task)
            ant.signjar(alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword,
                    preservelastmodified: 'true')

            // Check the signature straight away (Ant verifyjar task); fails the build if it does not verify
            ant.verifyjar(alias: android.signingConfigs.release.keyAlias,
                    jar: aarPath,
                    keystore: android.signingConfigs.release.storeFile,
                    storepass: android.signingConfigs.release.storePassword,
                    keypass: android.signingConfigs.release.keyPassword)
        }
    }
}

This works when I do ./gradlew assembleRelease (i.e. I can verify with jarsigner that the aar is signed). But when I do ./gradlew publish, somehow my output aar is not signed. Which confuses me because I thought that the publish task would run the assembleRelease task, which would run the signing.

What am I missing? How can I sign my aar with a keystore and still push it to a Maven Repository?


  • In your case, change to:

    if (task.name == 'assembleRelease' || task.name == 'bundleReleaseAar') {

    The problem is the task order is getting changed. Tasks don't "re-run", but certain influences can cause the tasks you're interested in to be applied at an inappropriate time (perhaps trying to sign the artifact before it's created).

    Even --dry-run isn't guaranteed to show you the actual order, as I found out recently (in G8.0.2).

    You can debug the actual order by adding things like this to see the actual order when it runs:

    // Print a distinct marker at the end of each task so the real execution order shows up in the build output
    tasks.assembleRelease.doLast { println "assembleRelease done" }

    tasks.signMavenJavaPublication.doLast { println "signMavenJavaPublication done" }

    Then, run the build in ways that "work" and ways that "don't", and observe the actual order, and see how it differs from what you expect.
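The ordering problem described in the question and the answer can be avoided by making the keystore signing an explicit Gradle task that the publish tasks depend on, rather than hooking `whenTaskAdded`. This is an added example, not code from the question or the answer; it assumes an Android library module with a signingConfig named `release` and an AAR written to the path below (both assumptions).

```groovy
// Added example: sign the release AAR with the keystore in signingConfigs.release
// as a dedicated task, then make every publish task wait for it.
// Assumption: the AAR path and the signingConfig name `release`.
def releaseAar = layout.buildDirectory.file("outputs/aar/${project.name}-release.aar")

def signReleaseAar = tasks.register('signReleaseAar') {
    description = 'Signs the release AAR with the keystore and verifies the signature'
    dependsOn 'bundleReleaseAar'          // the AAR must exist before it can be signed
    doLast {
        def cfg = android.signingConfigs.release
        def aarPath = releaseAar.get().asFile.absolutePath

        // Ant signjar: signs the archive in place with the keystore alias
        ant.signjar(alias: cfg.keyAlias,
                    jar: aarPath,
                    keystore: cfg.storeFile,
                    storepass: cfg.storePassword,
                    keypass: cfg.keyPassword,
                    preservelastmodified: 'true')

        // Ant verifyjar: fail the build here rather than publish an unsigned
        // or badly signed artifact and find out afterwards
        ant.verifyjar(alias: cfg.keyAlias,
                      jar: aarPath,
                      keystore: cfg.storeFile,
                      storepass: cfg.storePassword,
                      keypass: cfg.keyPassword)
    }
}

// Both remote publishing and publishToMavenLocal now run after the signed AAR exists,
// so `./gradlew publish` can no longer upload the artifact before it is signed.
tasks.withType(PublishToMavenRepository).configureEach { dependsOn signReleaseAar }
tasks.withType(PublishToMavenLocal).configureEach { dependsOn signReleaseAar }
```

Because the AAR is modified in place, Gradle will see bundleReleaseAar's output as changed and rebuild it on the next run; if that matters, sign a copy into a separate output directory and publish that file instead.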