A while ago I started having a problem with signature verification when trying to upload to Maven Central.
After three months of intense debugging and a rather long conversation with Sonatype, it turned out that the issue was actually with the signing key.
At the start of 2018, I'd switched to ed25519 signing keys. It turned out that the version of Nexus running on Maven Central didn't support ed25519. To work around this, I created a new RSA key solely intended for signing Maven packages. Bizarrely, this key didn't work either. Nobody could work out why the signatures were failing, and the problem was escalated twice to Sonatype's internal support people.
It turned out that the problem was an ed25519 signature on the new RSA key: a certification on the RSA key made with the ed25519 key!
The moral of the story: if you want to deploy to Maven Central, use only RSA keys and make sure that the signatures on those RSA keys come only from other RSA keys. If you fail to do this, you won't get an actionable error message when you try to deploy packages; you'll just get a "Signature verification failed" message. Sonatype are updating their documentation to ensure that nobody else has to lose time to this.
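One way to catch this before an upload is to audit the key itself, not the package signatures. The script below is an added example, not code from the original post or from Sonatype. It parses the machine-readable output of `gpg --with-colons --list-sigs <KEYID>` and reports anything the post says Nexus would reject: a non-RSA key or subkey, or a certification (`sig` record) whose issuer is a non-RSA key such as ed25519/EdDSA. The sample listing embedded in it is constructed; the key IDs, fingerprint and user ID are placeholders.

```python
"""Audit a GnuPG key listing for non-RSA key material and non-RSA certifications.

Added example, not code from the original post. It reads the output of
`gpg --with-colons --list-sigs <KEYID>`. The embedded SAMPLE_LISTING is
constructed: key IDs, fingerprint and user ID are placeholders.
"""
import sys

# OpenPGP public-key algorithm IDs as GnuPG prints them in field 4 of
# pub/sub/sig records.
ALGO_NAMES = {
    1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
    16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA",
}
RSA_ALGOS = {1, 2, 3}

# Constructed sample: a 4096-bit RSA key with its own self-signature (class 13x)
# plus a certification (class 10x) issued by a separate ed25519 key. This is the
# shape of the key that failed in the post.
SAMPLE_LISTING = """\
tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1515000000:::u:::scESC::::::23::0:
fpr:::::::::DEADBEEFDEADBEEFDEADBEEF0123456789ABCDEF:
uid:u::::1515000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Maintainer <maint@example.org>::::::::::0:
sig:::1:0123456789ABCDEF:1515000000::::Example Maintainer <maint@example.org>:13x:::::2:
sig:::22:FEDCBA9876543210:1515100000::::Example Maintainer (ed25519) <maint@example.org>:10x:::::2:
sub:u:4096:1:1122334455667788:1515000000::::::e::::::23:
"""


def algo_name(field):
    """Map GnuPG's numeric algorithm field to a name; an empty field is unknown."""
    if not field:
        return "unknown"
    algo = int(field)
    return ALGO_NAMES.get(algo, f"algorithm {algo}")


def is_rsa(field):
    """True only if the algorithm field is one of the RSA variants."""
    return bool(field) and int(field) in RSA_ALGOS


def audit_listing(text):
    """Return a list of problems found in a --with-colons listing.

    Records are colon-separated. For pub/sub/sig records, field 4 (index 3) is
    the public-key algorithm and field 5 (index 4) the key ID. On a sig record
    the algorithm is the *issuer's* key algorithm, which is what the failure in
    the post hinged on; field 11 (index 10) is the signature class (13x = positive
    self-signature, 10x = generic certification).
    """
    problems = []
    current_key = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype in ("pub", "sub"):
            keyid = fields[4]
            if rtype == "pub":
                current_key = keyid
            if not is_rsa(fields[3]):
                problems.append(f"{rtype} {keyid} is {algo_name(fields[3])}, not RSA")
        elif rtype == "sig":
            issuer = fields[4]
            sigclass = fields[10]
            if not is_rsa(fields[3]):
                problems.append(
                    f"sig {sigclass} on {current_key} by {issuer} is "
                    f"{algo_name(fields[3])}, not RSA"
                )
    return problems


if __name__ == "__main__":
    # Usage: gpg --with-colons --list-sigs <KEYID> | python3 audit_key_sigs.py -
    # Without "-" the constructed sample listing is audited instead.
    listing = sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_LISTING
    for problem in audit_listing(listing) or ["no non-RSA keys or certifications found"]:
        print(problem)
```

Run against the sample, the only finding is the `10x` certification made by the ed25519 key; the RSA self-signature and the RSA subkey pass. If the audit is clean but an upload still fails, the key is not the cause and the error is worth raising with Sonatype directly.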
Thanks to Joel Orlina for being patient during those three months and for handling the support teams.