
How to config GPG and sign artifact with it

Roman Ivanov edited this page Jun 24, 2014 · 4 revisions

Sometimes you need to sign your artifact with GPG (we have to sign it to upload artifacts to Maven Central). Before you can use GPG you should do the following steps to configure your system (I use Kubuntu 13.10). Source of wisdom - here.

  1. Install gpg:

$ sudo apt-get install gnupg

  1. Create a key:

$ gpg --gen-key

It will ask you a few questions:

  • Algorithm - choose RSA and RSA (an RSA primary key for signing plus an RSA subkey for encryption)
  • Key size - choose 2048 bits or more
  • Validity period of the key - just use the default value if you don't have any special requirements
  • Name and email (I used sevntu checkstyle and [email protected])
  • Comment - may be empty
  • Passphrase (enter it and remember it; it protects the private key on disk)

After that it asks you to do random things (move your mouse and press keys) while it generates the key: it needs that activity to gather entropy for the random number generator.

  1. List your key:

$ gpg --list-keys

Output of this command should be similar to:

$ gpg --list-key
/home/sabaka/.gnupg/pubring.gpg
-------------------------------
pub   2048R/09CB6FEF 2014-03-30
uid                  Sevntu Checkstyle <[email protected]>
sub   2048R/56400CF6 2014-03-30

  1. Now you can upload your public key to a keyserver:

$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys 09CB6FEF

Pay attention to the last argument - you have to take it from the list-keys output. It is the short key ID (the last 8 hex digits of the key's fingerprint) shown on the pub line; only the public key is sent, never the private key. Short key IDs are not unique, so wherever you reference the key elsewhere prefer the full 40-digit fingerprint printed by gpg --fingerprint. Note also that the SKS keyserver pool used in this command has since been shut down; current keyservers such as keyserver.ubuntu.com or keys.openpgp.org accept the same command with a different --keyserver value.

Congratulations, you have finished the configuration. Now you can sign your artifact either manually or with the Maven plugin.

  1. Manually:

    run for signing (-a writes an ASCII-armored .asc file, -b makes a detached signature, so artifact.jar itself is not modified):

    $ gpg -ab artifact.jar

    run for verifying (gpg looks for artifact.jar next to the .asc file; you can also name the signed file explicitly as a second argument):

    $ gpg --verify artifact.jar.asc

    A good result prints "Good signature from ..." and exits with status 0; a modified jar or a signature from another key prints "BAD signature" and exits non-zero, which is what a build script should check rather than the text.

  2. Maven plugin: add the plugin to the build section of your pom.xml:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    ...
    <build>
        ...
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>1.4</version>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

The execution is bound to the verify phase, so Maven asks for the passphrase when you run mvn verify (and therefore also during mvn install or mvn deploy, which run through that phase). When the build finishes, the jar and its .asc signature are in the target directory. For unattended builds the plugin accepts the gpg.passphrase property, but passing it on the command line exposes the secret in shell history and process listings; keep it in settings.xml with restricted file permissions or let gpg-agent supply it.
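The steps above (key generation, listing the key, distributing the public key, signing and verifying) can be run unattended, which is also the form a release script needs. The script below is an added example and not code from this wiki page or the sevntu-checkstyle project. It works in a throwaway GNUPGHOME so it never touches your real keyring, and it goes beyond the page by checking the two failure modes that matter: a tampered artifact must fail verification, and a consumer who has not received the public key cannot verify at all until it is imported. The key owner "Demo Signer <demo@example.invalid>", the file artifact.jar and the function names are made up for the demo; it assumes gpg 2.1 or newer.

```shell
#!/bin/sh
# Added example, not code from the wiki page or the sevntu-checkstyle
# project: steps 2-5 and the manual sign/verify step run unattended in a
# throwaway keyring, followed by the checks a release script should make.
# Assumptions (all made up for the demo): the key owner "Demo Signer
# <demo@example.invalid>", the file artifact.jar, and a gpg 2.1+ install.
set -u

# Generate an RSA/RSA 2048-bit key inside the GNUPGHOME given as $1 and
# print its full fingerprint. %no-protection creates the key without a
# passphrase so the demo needs no prompt; a real signing key must have one.
gpg_demo_gen_key() {
    home="$1"
    GNUPGHOME="$home" gpg --batch --quiet --gen-key <<'EOF' || return 1
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
    # --with-colons is the machine-readable --list-keys; field 10 of the
    # "fpr" record is the 40-hex-digit fingerprint, which unlike the
    # 8-digit short ID on the "pub" line cannot collide in practice.
    GNUPGHOME="$home" gpg --batch --list-keys --with-colons \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Sign, verify, tamper, and verify again from a second empty keyring,
# before and after the exported public key is imported into it.
# Returns 0 only when every step behaves as it should.
gpg_demo_steps() {
    work="$1"
    signer="$work/signer"
    consumer="$work/consumer"
    mkdir -m 700 "$signer" "$consumer" || return 1

    fpr="$(gpg_demo_gen_key "$signer")"
    [ "${#fpr}" -eq 40 ] || { echo "key generation failed" >&2; return 1; }

    artifact="$work/artifact.jar"
    printf 'constructed stand-in for a jar\n' > "$artifact"

    # Same command as the manual step on the page, plus --batch --yes so
    # gpg never prompts and overwrites an old artifact.jar.asc if present.
    GNUPGHOME="$signer" gpg --batch --yes -ab "$artifact" || return 1

    # 1. The untouched artifact verifies against the signer's own keyring.
    GNUPGHOME="$signer" gpg --batch --verify "$artifact.asc" "$artifact" \
        2>/dev/null || { echo "good signature rejected" >&2; return 1; }

    # 2. A single appended byte must turn it into a BAD signature.
    cp "$artifact" "$work/tampered.jar" || return 1
    printf 'x' >> "$work/tampered.jar"
    if GNUPGHOME="$signer" gpg --batch --verify "$artifact.asc" \
            "$work/tampered.jar" 2>/dev/null; then
        echo "tampered artifact verified" >&2; return 1
    fi

    # 3. A consumer who has not received the public key cannot verify at
    #    all ("No public key"); that is why step 5 publishes it.
    if GNUPGHOME="$consumer" gpg --batch --verify "$artifact.asc" \
            "$artifact" 2>/dev/null; then
        echo "verified without the public key" >&2; return 1
    fi

    # 4. Distribute the public key (exported to a file here instead of a
    #    keyserver), import it on the consumer side, and verification passes.
    GNUPGHOME="$signer" gpg --batch --armor --export "$fpr" \
        > "$work/pub.asc" || return 1
    GNUPGHOME="$consumer" gpg --batch --quiet --import "$work/pub.asc" \
        2>/dev/null || return 1
    GNUPGHOME="$consumer" gpg --batch --verify "$artifact.asc" "$artifact" \
        2>/dev/null || { echo "consumer verification failed" >&2; return 1; }
    return 0
}

# Wrapper that creates the scratch directory and always cleans it up,
# including the gpg-agent processes that gpg 2.x starts per GNUPGHOME.
gpg_demo_run() {
    work="$(mktemp -d)" || return 1
    gpg_demo_steps "$work"
    rc=$?
    for h in "$work/signer" "$work/consumer"; do
        GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$work"
    return "$rc"
}

# Usage: sh gpg_demo.sh
if command -v gpg >/dev/null 2>&1; then
    gpg_demo_run && echo "all signing checks passed"
else
    echo "gpg is not installed; nothing to demonstrate" >&2
fi
```

With a passphrase-protected key, as the page recommends, the same commands run unattended by adding --pinentry-mode loopback and --passphrase-file pointing at a file readable only by the build user (GnuPG 2.1 and later); the key-distribution step is shown as a file export so the demo runs offline, but the consumer-side import is exactly what a keyserver upload achieves for everyone else.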
