On Windows, I suggest using WSL2. Something like `sudo apt install gnupg`
There is also a Windows distribution.
On Mac, there is an installer. It's also available through MacPorts and Homebrew.
Generate a public and private key pair
On some distributions, the gpg command is installed as `gpg2`. Usually it's just `gpg`.
Once installed, `gpg --full-generate-key`. This will take you through some questions to generate your public and private keys. The defaults are fine. The main things you will set are your name and email address.
You can optionally set an expiration date for the keys. This can later be changed in the future.
You can also optionally set a password for the private key. If anyone has your private key file, they can act as you. This is just password protecting the file.
Your GPG configuration will now likely exist in `~/.gnupg`.
Upload public key to a public key server
We will now publish the public key you've created to an open server where public keys are shared. You will later be able to modify what's published if you have the private key.
`gpg --list-signatures` will print out the public keys you have. This may include public keys from third parties. The public key you just generated should be there. Here is the output on my computer:
```
$ gpg --list-signatures
/home/user3/.gnupg/pubring.kbx
------------------------------
pub rsa2048 2019-08-23 [SC] [expired: 2021-08-22]
AC874006BB29ECAA219B780F58DE4DA829F19184
uid [ expired] Blue Jeans Network, Inc. <[email protected]>
sig 3 58DE4DA829F19184 2019-08-23 Blue Jeans Network, Inc. <[email protected]>
pub rsa2048 2015-06-07 [SC]
396060CADD8A75220BFCB369B903BF1861A7C71D
uid [ unknown] Zoom Video Communcations, Inc. Linux Package Signing Key <[email protected]>
sig 3 B903BF1861A7C71D 2015-06-07 Zoom Video Communcations, Inc. Linux Package Signing Key <[email protected]>
sub rsa2048 2015-06-07 [E]
sig B903BF1861A7C71D 2015-06-07 Zoom Video Communcations, Inc. Linux Package Signing Key <[email protected]>
pub rsa4096 2021-11-18 [SC]
F3DC5FF017E972D00275EE1E0E58204A25EB7CBE
uid [ultimate] Tom Hutchinson <[email protected]>
sig 3 0E58204A25EB7CBE 2021-11-18 Tom Hutchinson <[email protected]>
sub rsa4096 2021-11-18 [E]
sig 0E58204A25EB7CBE 2021-11-18 Tom Hutchinson <[email protected]>
```
We want the long ID on the entry with your name. For me that's `F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`.
You can download my public key by: `gpg --keyserver keys.openpgp.org --recv-keys F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`
To upload your public key: `gpg --keyserver keys.openpgp.org --send-keys <your key id>`
For me that was: `gpg --keyserver keys.openpgp.org --send-keys F3DC5FF017E972D00275EE1E0E58204A25EB7CBE`
Configure Carnival and push a snapshot build
I'll provide additional instructions on these steps.
The Gradle Signing plugin expects information about your keys to be passed in `gradle.properties` or as arguments to the gradle command. Does that work for us? I've been using gradle.properties but careful not to upload my settings to GitHub. Might not be ideal.
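Picking the right entry out of the key listing can also be scripted. The following is an added example, not part of the original issue: it reads the machine-readable listing produced by `gpg --list-keys --with-colons` and prints the full fingerprint of the usable primary key whose user ID matches. The sample listing is constructed (e-mail addresses, timestamps and the subkey fingerprint are placeholders), and `fingerprint_for` and `sample_listing` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample in the colon-delimited format of
# `gpg --list-keys --with-colons`; only the two primary fingerprints
# come from the listing above, everything else is a placeholder.
sample_listing() {
cat <<'EOF'
pub:e:2048:1:58DE4DA829F19184:1566518400:1629590400::-:::sc:
fpr:::::::::AC874006BB29ECAA219B780F58DE4DA829F19184:
uid:e::::1566518400::HASH1::Blue Jeans Network, Inc. <pkg@example.invalid>:
pub:u:4096:1:0E58204A25EB7CBE:1637193600:::u:::scESC:
fpr:::::::::F3DC5FF017E972D00275EE1E0E58204A25EB7CBE:
uid:u::::1637193600::HASH2::Tom Hutchinson <tom@example.invalid>:
sub:u:4096:1:1111111111111111:1637193600::::::e:
fpr:::::::::1111111111111111111111111111111111111111:
EOF
}

# Read a --with-colons listing on stdin and print the fingerprint of
# each primary key whose user ID contains $1. Keys whose validity field
# marks them expired (e), revoked (r), disabled (d) or invalid (i) are
# skipped, as are subkey fingerprints. Returns 1 if nothing matched.
fingerprint_for() {
    awk -F: -v who="$1" '
        $1 == "pub" { usable = ($2 !~ /^[erdi]$/); fpr = ""; primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { fpr = $10; primary = 0; next }
        $1 == "uid" && usable && fpr != "" && index($10, who) {
            print fpr
            fpr = ""        # print each key once even with several uids
            found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Real use (assumes gpg is installed and the key exists):
#   gpg --list-keys --with-colons | fingerprint_for "Your Name"
```
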
Hi @th5, thanks for these comprehensive instructions!
> The Gradle Signing plugin expects information about your keys to be passed in `gradle.properties` or as arguments to the gradle command. Does that work for us? I've been using gradle.properties but careful not to upload my settings to GitHub. Might not be ideal.
I agree, that's not ideal! Looks like there are a few ways to pass properties to a gradle project.
The signing plugin documentation recommends putting these credentials in the gradle.properties file in your gradle user home directory. This works well when we are building directly with gradle and avoids the issue of potential github pollution, but wouldn't be visible to docker or our CI systems.
Properties can also be passed via environmental variables, which might be a better strategy when publishing with docker or our CI systems. This would require a slight change to the docker-compose files to pass the local environment variables through to the containers, and a change to the gradle command to pass the env vars with -P flags. After that, all a user would need to do is have the appropriate environment variables set.
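A sketch of the environment-variable approach discussed in this comment, added here as an example and not taken from the Carnival build: one function refuses to proceed if the project's tracked `gradle.properties` contains signing credentials, the other turns environment variables into `-P` flags for the Signing plugin's `signing.keyId`, `signing.password` and `signing.secretKeyRingFile` properties. The `SIGNING_*` variable names and both function names are assumptions.

```shell
#!/bin/sh
# Added example; SIGNING_* names are assumptions, not the project's.

# Return 1 if the given properties file (e.g. the repository's
# gradle.properties) sets any signing credential. Commented-out lines
# and a missing file are fine.
check_no_signing_secrets() {
    [ -f "$1" ] || return 0
    if grep -Eq '^[[:space:]]*signing\.(keyId|password|secretKeyRingFile)[[:space:]]*[=:]' "$1"; then
        echo "signing credentials found in $1" >&2
        return 1
    fi
    return 0
}

# Print one -P flag per line for the Gradle Signing plugin, taking the
# values from the environment. Fails if a variable is unset or empty,
# so a build never silently publishes unsigned artifacts.
# Note: values passed as -P arguments are visible in the process list
# of the machine running gradle.
signing_flags() {
    for pair in keyId:SIGNING_KEY_ID \
                password:SIGNING_PASSWORD \
                secretKeyRingFile:SIGNING_SECRET_KEY_RING_FILE; do
        prop=${pair%%:*}
        var=${pair#*:}
        eval "val=\${$var:-}"
        if [ -z "$val" ]; then
            echo "missing environment variable: $var" >&2
            return 1
        fi
        printf '%s\n' "-Psigning.$prop=$val"
    done
}
```
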
Hi, @hjwilli and @augustearth –
Please create accounts on the Sonatype JIRA and let me know what the usernames are. Then I'll open a ticket to add them to Carnival on Maven.
https://issues.sonatype.org/secure/Signup!default.jspa
We can also create a service account. It would need to have an email associated with it.
Below are some instructions for setting up your encryption keys. You can do this now or wait until later.
Install GnuPG. I mostly use it on the command line but there are also GUI frontends.
https://gnupg.org/download/index.html