Home / Documentation / Deployment / Maven Central

Maven Central Integration Official

Configure your build system to consume official GeoServer artifacts, extensions, and web modules. Includes stable releases, snapshot builds, and GPG verification procedures.

Stable Release Repository

Official releases are automatically deployed to Maven Central (repo.maven.apache.org). No additional repository configuration is required in modern Maven (3.x+), but you can explicitly declare it for clarity.

pom.xml
<repositories>
  <repository>
    <id>osgeo-releases</id>
    <url>https://repo.osgeo.org/repository/release/</url>
    <snapshots><enabled>false</enabled></snapshots>
    <releases><enabled>true</enabled></releases>
  </repository>
</repositories>

Common Artifacts

CoordinateDescription
org.geoserver:geoserver-coreCore server runtime & API
org.geoserver:geoserver-webAdministration UI & webapp
org.geoserver.extension:web-Extension web modules
org.geotools:gt-mainGeotools foundation (dependency)
Version Strategy: GeoServer follows semantic versioning. Always pin to a specific version (e.g., 2.25.3) in production. Use ${geoserver.version} properties for BOM-style management.

Snapshot Builds

Development snapshots are published nightly to the OSGeo Repository. These reflect the current state of the main branch and are intended for testing, extension development, and early validation.

pom.xml
<repositories>
  <repository>
    <id>osgeo-snapshots</id>
    <url>https://repo.osgeo.org/repository/snapshots/</url>
    <snapshots><enabled>true</enabled></snapshots>
    <releases><enabled>false</enabled></releases>
  </repository>
</repositories>

Important Notes

  • Snapshots are not thread-safe for production deployments.
  • Use -U flag with Maven CLI to force update snapshots: mvn clean install -U
  • Snapshot versions follow the pattern 2.26.0-SNAPSHOT and change frequently.

GPG Signing & Verification

All artifacts deployed to Maven Central are cryptographically signed. Verify signatures before importing into production systems.

Terminal
# Download artifact and signature
wget https://repo1.maven.org/maven2/org/geoserver/geoserver-core/2.25.3/geoserver-core-2.25.3.jar
wget https://repo1.maven.org/maven2/org/geoserver/geoserver-core/2.25.3/geoserver-core-2.25.3.jar.asc

# Verify signature
gpg --verify geoserver-core-2.25.3.jar.asc geoserver-core-2.25.3.jar

Public Keys

Developer keys are distributed via standard public key servers. Fetch the key before verifying:

Terminal
gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys <KEY_ID>
Security Notice: Always verify the fingerprint against the official GeoServer release announcement. Never trust unsigned JARs in Maven Central, even if they appear in standard searches.

Dependency Management Example

Recommended dependencyManagement block for multi-module projects:

pom.xml (Parent)
<properties>
  <geoserver.version>2.25.3</geoserver.version>
  <geotools.version>32.0</geotools.version>
</properties>

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.geoserver</groupId>
      <artifactId>geoserver-core</artifactId>
      <version>${geoserver.version}</version>
      <scope>provided</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

Troubleshooting