Description
To publish Pivot jars in the main Apache Maven Repository, some files must be added inside the jars (under a META-INF directory). The full discussion thread on our mailing list is here:
http://markmail.org/message/33a74zxgod4wbovh?q=News+on+Pivot+jars+published+via+Maven
Our build file should be modified to include this.
And maybe renewing our self-signing certificate could be useful, too.
Extract:
ASF projects can get their artifacts published in the central Maven repository (e.g. http://repo2.maven.org/maven2/) by copying them to http://people.apache.org/repo/m2-ibiblio-rsync-repository/ which automatically syncs with the central repo.
To do that on people.apache.org copy them to /x1/www/people.apache.org/repo/m2-ibiblio-rsync-repository.
All committers should have access to do that, via ssh.
Each artifact MUST have been voted on by a PMC and comply with all the release requirements like having LICENSE, NOTICE, DISCLAIMER files, be signed, and indicate they're incubating artifacts in the name, e.g. by including the "-incubating" suffix in the artifact name. A common way of getting that vote done is by including the artifacts to be published in a staging area which is pointed to in the release VOTE.
Signed in Apache jargon only means ".asc" files. Those are so-called detached PGP signatures, and from that it is possible to verify authenticity of artifacts published.
See http://www.apache.org/info/verification.html for more info, and perhaps you are interested in http://www.apache.org/dev/release-signing.html as well in case you end up cutting the releases. Once the troubled server (Minotaur?) is back up and working properly again, you will also find interesting data at http://www.apache.org/~henkp/trust/apache.html (or thereabouts).
Maven wants the POMs to be present, but succeeds even without them.
Maven also has deployment tools, so once the release is properly cut, the publishing to Maven central will go via a "mvn deploy:deploy-file" which, if it is not given a POM, will create a skeletal one, which I think for our usage is good enough (we don't have dependencies).
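
A pre-publish check for the requirements listed in the extract, as an added example (not Pivot's build code and not from the mailing-list thread). It assumes the LICENSE, NOTICE and DISCLAIMER files are the ones that belong under META-INF, and that each jar's signature sits beside it as `<jar name>.asc`; the function names are hypothetical.

```python
import zipfile
from pathlib import Path

# Assumption: the files named in the extract are the ones expected under META-INF/.
REQUIRED = ("LICENSE", "NOTICE", "DISCLAIMER")
ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"


def has_meta_inf_file(names, required):
    """True if META-INF/<required> exists, with or without an extension."""
    base = f"META-INF/{required}"
    return any(n == base or n.startswith(base + ".") for n in names)


def check_artifact(jar_path):
    """Return the list of problems that would block publishing this jar."""
    jar = Path(jar_path)
    problems = []
    if not jar.stem.endswith("-incubating"):
        problems.append("artifact name lacks the -incubating suffix")
    try:
        with zipfile.ZipFile(jar) as zf:
            names = set(zf.namelist())
    except (OSError, zipfile.BadZipFile) as exc:
        return problems + [f"cannot read jar: {exc}"]
    for required in REQUIRED:
        if not has_meta_inf_file(names, required):
            problems.append(f"META-INF/{required} missing")
    # Presence and armor header only; this does not verify the signature itself.
    sig = jar.with_name(jar.name + ".asc")
    if not sig.is_file():
        problems.append("detached signature (.asc) missing")
    elif ARMOR_HEADER not in sig.read_bytes():
        problems.append(".asc file is not an ASCII-armored PGP signature")
    return problems


def build_sample(directory, name, members, signature=None):
    """Write a constructed jar (and optional .asc) to exercise the check."""
    jar = Path(directory) / name
    with zipfile.ZipFile(jar, "w") as zf:
        for member in members:
            zf.writestr(member, "constructed sample content\n")
    if signature is not None:
        jar.with_name(name + ".asc").write_bytes(signature)
    return jar
```

An empty list means the structural requirements are met; checking that the signature actually matches the jar still requires `gpg --verify` against the release manager's public key.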