Download artifact from Nexus OSS 3.0.0-03 using browser/wget - maven

I have a local installation of Nexus OSS 3.0.0-03.
I am able to upload snapshot and release jars.
Now I want to download those jars via the browser or wget, but I can't seem to find the REST API call to do it (for example in a shell script executed by Jenkins).
Prior to version 3 it seems one could use something like:
http://MY_REPOSITORY/nexus/service/local/artifact/maven/content?r=repoId&g=groupName&a=art&v=LATEST
Any ideas on how to do this with version 3?

If it's latest you are looking for, you can see the answer here: Sonatype Nexus 3 - get latest snapshot
This as of yet does not exist in Nexus Repository 3 but is coming in the nearish future as we revamp the REST API.
However, if you want to download an artifact and know its coordinates, you can do that via constructing a URL using the patterns here as a helpful tool: https://cwiki.apache.org/confluence/display/MAVEN/Remote+repository+layout#Remoterepositorylayout-Repositoryartifactlayout
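The URL construction described above, as an added shell example that is not part of the original answers. It goes beyond a plain release download by also resolving the time-stamped file name of a SNAPSHOT from the version-level maven-metadata.xml. The function names, the host nexus.example.com and the `/repository/<name>` base URL are assumptions for illustration.

```shell
# Added example: Maven 2 repository layout, with snapshot resolution.
# gav_path GROUP ARTIFACT VERSION [EXT] [CLASSIFIER] [FILE_VERSION]
# FILE_VERSION differs from VERSION only for time-stamped snapshots.
gav_path() {
  local g="$1" a="$2" v="$3" ext="${4:-jar}" cls="${5:-}" fv="${6:-$3}" part
  # Allow only characters valid in coordinates, so input cannot add path
  # traversal ("..", "/") or URL syntax ("?", "&", "#") to the request.
  for part in "$g" "$a" "$v" "$ext" "$cls" "$fv"; do
    case "$part" in
      *[!A-Za-z0-9._-]*|*..*) echo "invalid coordinate: $part" >&2; return 1 ;;
    esac
  done
  printf '%s/%s/%s/%s-%s%s.%s\n' "$(printf '%s' "$g" | tr . /)" \
    "$a" "$v" "$a" "$fv" "${cls:+-$cls}" "$ext"
}

# snapshot_file_version VERSION < version-level maven-metadata.xml
# Prints e.g. 1.2.3-20131204.143026-1 from <timestamp> and <buildNumber>.
snapshot_file_version() {
  local v="$1" meta ts bn
  meta=$(cat)
  ts=$(printf '%s\n' "$meta" |
    sed -n 's:.*<timestamp>\([0-9]\{8\}\.[0-9]\{6\}\)</timestamp>.*:\1:p' | head -n 1)
  bn=$(printf '%s\n' "$meta" |
    sed -n 's:.*<buildNumber>\([0-9][0-9]*\)</buildNumber>.*:\1:p' | head -n 1)
  [ -n "$ts" ] && [ -n "$bn" ] || { echo "no snapshot data in metadata" >&2; return 1; }
  printf '%s-%s-%s\n' "${v%-SNAPSHOT}" "$ts" "$bn"
}

# fetch_artifact BASE_URL GROUP ARTIFACT VERSION [EXT] [CLASSIFIER]  (needs curl)
# e.g. fetch_artifact https://nexus.example.com/repository/snapshots \
#        com.company elasticsearch-river-mongodb 1.2.3-SNAPSHOT zip
fetch_artifact() {
  local base="${1%/}" g="$2" a="$3" v="$4" ext="${5:-jar}" cls="${6:-}" fv path
  path=$(gav_path "$g" "$a" "$v" "$ext" "$cls") || return 1
  if [ "${v%-SNAPSHOT}" != "$v" ]; then
    fv=$(curl -fsS "$base/${path%/*}/maven-metadata.xml" |
      snapshot_file_version "$v") || return 1
    path=$(gav_path "$g" "$a" "$v" "$ext" "$cls" "$fv") || return 1
  fi
  curl -fsS -o "${path##*/}" "$base/$path"
}
```

`curl -f` makes an HTTP error fail the Jenkins step instead of saving the server's error page under the artifact's name.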

Related

Unofficial migrate Nexus 2 -> 3 possible for Maven artifacts?

First, I know that the upcoming Nexus 3.1 will offer migration of v2 to v3.
I also just applied for the beta migration for v2 to v3 (google forms).
My timing sucks, since the next few days I am going to set up and integrate a new Nexus 3 server.
Is it possible to manually copy my old Maven artifacts (from Nexus v2 server) to this new Nexus v3 server and let Nexus v3 reindex everything?
If so, how?
It's not possible to manually copy, however Nexus Repository Manager 3.1 is now released and you can use it to Upgrade.
As well, the incredible, edible Manfred Moser created this: https://github.com/simpligility/maven-repository-tools/tree/master/maven-repository-provisioner which you can use to take something from a file system into a Maven Repository AKA Nexus Repository Manager. I haven't used it myself, but it's probably exactly what you are looking for.
For those still checking this out, you can also use this simple bash script to import artifacts into Nexus Repository 3: https://gist.github.com/DarthHater/a4f2738e3bd40d242db22633b59dfd63

How to migrate from Artifactory to Nexus 2.8.0-05

I installed nexus-2.8.0-05-bundle.tar.gz and now I am trying to migrate old (single) repo from Artifactory.
How can I achieve this (Debian7)?
I read about migration plugin but I cannot seem to find the right one... I unzipped nexus-migration-plugin-packaging-1.5-webapp.zip into the nexus installation folder but it doesn't seem to work... or at least I cannot find any related actions from the web admin console localhost:8081/nexus.
Cheers,
newbie
In order to migrate to Nexus you would use the export tool of Artifactory to get the repositories as plain files and folders structure.
Then you create a repo in Nexus and simply copy that storage into place.
Further details are available in the Nexus book migration chapter.
You can also ping us via a support ticket or via the mailing lists or hipchat channel.
PS: The migration plugin is deprecated and should not be used.

How do I provide URL access to the latest snapshot of an artifact in Nexus 2.x?

I would like to provide a simple URL that will always return the latest version of a snapshot version of an artifact. By simple I mean that the URL doesn't change, or require the user to browse the directory and examine timestamps.
Please note
this answer relates to Nexus 2.X
There is a noticeable performance impact of using the restlet API to download large artifacts, see: https://community.sonatype.com/t/slow-artefacts-download-performance-with-oss-2-x/2280
The core Nexus "redirect" REST API can be used to retrieve any version of an artifact from a nominated repository:
For example:
https://repository.sonatype.org/service/local/artifact/maven/redirect?r=central-proxy&g=log4j&a=log4j&v=LATEST
The v parameter can be a value like 1.0-SNAPSHOT, in which case Maven will return the latest time-stamped snapshot held in the repository. Similarly the special value "LATEST" should do the same provided a more recent released version is not present.
On my Nexus machine all results for:
http://nexushost.domain/nexus/content/repositories/snapshots/com/company/elasticsearch-river-mongodb/1.2.3-SNAPSHOT/
are like this:
*-1.2.3-20131204.143026-1.zip
so I can't access it directly because I need to provide more details that are dynamic.
The example with "...redirect?r=central-proxy&g=log4j&a=log4j&v=LATEST" is working if I open in browser but not when I want to install it from some Linux machine using:
/usr/share/elasticsearch/bin/plugin --url "http://localhost:8081/nexus/service/local/artifact/maven/redirect?r=snapshots&g=com.comapny.application&a=elasticsearch-river-mongodb&v=1.2.3-SNAPSHOT&p=zip" --install river-mongodb
So my temporary solution is using wget:
wget -O /tmp/elasticsearch-river-mongodb.zip "http://nexushost.domain/nexus/service/local/artifact/maven/redirect?r=snapshots&g=com.comapny.application&a=elasticsearch-river-mongodb&v=1.2.3-SNAPSHOT&p=zip"
then install LATEST version from local file.
If you're looking for the latest version of a snapshot, just asking for say, "1.0-SNAPSHOT" will return the latest version of that artifact's snapshot.
If you're looking for "latest version" however, the "v=LATEST" syntax will work, but keep in mind that this keyword can return the latest version of that snapshot you're looking for, or the release that just completed, or that OTHER branch of that same artifact that is a version ahead and still at "-SNAPSHOT".
If you're looking for the absolute latest then yeah, use the "v=LATEST". If you're looking for the latest release, you can also ask for "v=RELEASE". If you have a grouping of repos, you can reference both snapshot repos and release repositories by adding to the url something like:
"...v=RELEASE&r=public"
That should search across all your "grouped" repos.
Every repository has its own url (you can see it in the Repository browser). If you open it, you can browse through the group and artifact ids to your artifact. That's your url, for example like this: http://nexushost.domain/content/repositories/snapshots/com/example/group/artifact/1.2.3-SNAPSHOT/1.2.3-SNAPSHOT.jar

Maven verify signatures of downloaded pom/jar files

I was trying to find if there is SSL enabled central repository but there probably isn't. I noticed that there are signatures for every jar and pom file in maven central repository. So at least I'd like to check signatures of all maven downloaded files (pom/jar).
The example from http://repo1.maven.org/maven2/org/apache/ant/ant/1.8.2/:
ant-1.8.2.jar
ant-1.8.2.jar.asc
ant-1.8.2.jar.asc.md5
ant-1.8.2.jar.asc.sha1
ant-1.8.2.jar.md5
ant-1.8.2.jar.sha1
ant-1.8.2.pom
ant-1.8.2.pom.asc
ant-1.8.2.pom.asc.md5
ant-1.8.2.pom.asc.sha1
ant-1.8.2.pom.md5
ant-1.8.2.pom.sha1
I realize that I'll have to import public keys for every repository and I'm fine with that. I guess that public keys for maven central are here https://svn.apache.org/repos/asf/maven/project/KEYS.
There are PLENTY of tutorials on web on how to sign with maven. However I didn't find any information on how to force maven (2 or 3) to verify signatures of downloaded jar/pom files. Is it possible?
(Nexus Professional is not an option)
Thank you for help.
Now that people seem to realize this is a real security problem (as described in this blog-post (the blog seems down, here is an archived version of the blog)), there is a plugin for verifying PGP signatures. You can verify the signatures for all dependencies of your project with the following command:
mvn org.simplify4u.plugins:pgpverify-maven-plugin:check
Of course, to be 100% sure the plugin is not malicious by itself, you would have to download and verify the source for the plugin from maven central, build it with maven, and execute it. (And this should also be done with all the dependencies and plugins that are needed for the build, recursively.)
Or you use Maven 3.2.3 or above (with a clean repository), which uses TLS for downloading all artefacts. Thus man-in-the-middle attacks are impossible and you get at least the artefacts as they are on maven central.
See also:
related Question and Answer
Sonatype's Blog to this topic
Could you write a bash shell script using GnuPG to verify each sig?
Something like:
for x in *.jar; do gpg --verify "${x}".asc; done
Obviously you would need the public keys for all the sigs before you started.
SSL access to Central is now available for a token payment. From https://blog.sonatype.com/people/2012/10/now-available-ssl-connectivity-to-central/ :
We’re making SSL connectivity to Central available to anyone that downloads open source components regardless of the repository manager.
...
In order to ensure the highest level of performance for those who count on SSL, we are securing the service with a token. You can get a token for your organization simply by providing a $10 donation that will be donated to open source causes.
Assuming you only want to download artifacts w/ valid checksums, one option would be to run the OSS version of Nexus and configure it to have a proxy of central. Then configure your settings.xml to only load from your repo (mirror tag in settings.xml). You can then configure nexus to only allow artifacts that have a valid checksum.
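The checksum and GnuPG checks suggested in the answers above, combined into one fail-closed pass over a directory of downloaded files; this is an added example, not code from the original posts. The .sha1 sidecars come from the same server as the jar, so they catch corruption only, while the signature check is restricted to a keyring you supply. The function names are assumptions, and `sha1sum` and `gpgv` are expected on the PATH.

```shell
# Added example: verify downloaded Maven files against their sidecar files.
# verify_sha1 FILE -> 0 on match, 1 on mismatch, 2 if FILE.sha1 is missing.
verify_sha1() {
  local f="$1" want got
  [ -s "$f.sha1" ] || { echo "MISSING checksum: $f" >&2; return 2; }
  # Sidecars hold "<hex>" or "<hex>  <name>"; compare the first field, lowercased.
  want=$(awk 'NR==1 {print tolower($1)}' "$f.sha1")
  got=$(sha1sum "$f" | awk '{print $1}')
  [ "$want" = "$got" ] || { echo "MISMATCH: $f" >&2; return 1; }
}

# verify_sig FILE KEYRING -> 0 only if FILE.asc is a good detached signature
# over FILE made by a key in KEYRING. gpgv accepts exactly the keys in that
# keyring, so a signature from any other key fails.
verify_sig() {
  local f="$1" keyring="$2"
  [ -s "$f.asc" ] || { echo "MISSING signature: $f" >&2; return 2; }
  gpgv --keyring "$keyring" "$f.asc" "$f" 2>/dev/null ||
    { echo "BAD signature: $f" >&2; return 1; }
}

# verify_tree DIR [KEYRING]: check every jar and pom below DIR. Prints the
# number of failed checks and returns non-zero unless that number is 0, so
# a missing sidecar counts as a failure. Without KEYRING only checksums run.
verify_tree() {
  local dir="$1" keyring="${2:-}" bad=0 f
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    verify_sha1 "$f" || bad=$((bad + 1))
    if [ -n "$keyring" ]; then verify_sig "$f" "$keyring" || bad=$((bad + 1)); fi
  done <<EOF
$(find "$dir" -type f \( -name '*.jar' -o -name '*.pom' \))
EOF
  echo "$bad"
  [ "$bad" -eq 0 ]
}
```

Unlike the one-line loop, `verify_sig` names the data file explicitly and the caller gets a non-zero exit status when any file fails, so a build script can stop on it.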

Maven + Hudson + Nexus: Access to SNAPSHOT Build Number

Now that Maven3 has dropped support for setting uniqueVersion=false on deployment, I'm running into an issue. I have Hudson do an automatic deployment of my SNAPSHOT build to my Nexus repository manager. The resulting SNAPSHOT artifact looks like blah-0.0.1-20110517.233746-1.jar. Note the unique SNAPSHOT build id. The trick is that I'd link to that jar in my site documentation, but I'm not sure how to inject that snapshot build number into the docs. Perhaps there is a way to have Maven or Hudson or Nexus create a symlink on deployment from blah-0.0.1.jar => blah-0.0.1-20110517.233746-1.jar?
Ok, mod me down, but I think I found an answer to my own question. I'm posting here in case anyone else finds it useful.
It turns out the Nexus REST api has the ability to automatically retrieve the latest SNAPSHOT build of an artifact, which is exactly the functionality I needed. For more info, see:
https://docs.sonatype.com/display/SPRTNXOSS/Nexus+FAQ#NexusFAQ-Q.HowcanIretrieveasnapshotifIdon%27tknowtheexactfilename%3F
