How to config GPG and sign artifact with it

romani edited this page Oct 1, 2014 · 4 revisions

Sometimes you may need to sign your artifact with GPG (we have to sign it to upload an artifact to Maven Central). Before you can use GPG you should do the following steps to configure your system (I use Kubuntu 13.10). Source of wisdom - here.

  1. Install gpg:

$sudo apt-get install gnupg

  2. Create a key (!!!!The key is already generated, take it from the mail!!!!; creating a new one with the same or different credentials does not hurt, but what is the reason to make a lot of public keys?):

$gpg --gen-key

It will ask you a few questions.

  • Algorithm - choose RSA and RSA
  • Key size - choose 2048 bit
  • Time of validity for the key, just use the default value if you don’t have any special requirements.
  • Name and email (I used sevntu checkstyle and [email protected])
  • Comment - may be empty
  • Passphrase (enter and remember)

After that it asks you to do random things (move your mouse and press some keys). It needs some random activity to collect entropy for the key.

  3. List your key:

$gpg --list-keys

Output of this command should be similar to:

$gpg --list-key
/home/rivanov/.gnupg/pubring.gpg
-------------------------------
pub   2048R/0716182A 2014-09-30
uid                  sevntu checkstyle <[email protected]>
sub   2048R/2A29D8CE 2014-09-30

  4. Now you can upload your key to a keyserver:

$ gpg --keyserver hkp://pool.sks-keyservers.net --send-keys 0716182A

Pay attention to the last argument - you have to take it from the list-keys output. It is the short ID of the public key.

Congratulations. You have just finished the configuration. Now you can sign your artifact manually or with the Maven plugin.

  1. Manually:

    run for signing (creates a detached, ASCII-armored signature artifact.jar.asc next to the file):

    $gpg -ab artifact.jar

    run for verifying (gpg looks for artifact.jar next to the .asc file):

    $gpg --verify artifact.jar.asc

  2. Maven plugin: add the plugin to the build section:

<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    ...
    <build>
        ...
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-gpg-plugin</artifactId>
                <version>1.4</version>
                <executions>
                    <execution>
                        <id>sign-artifacts</id>
                        <phase>verify</phase>
                        <goals>
                            <goal>sign</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
        </plugins>
    </build>
</project>

Now it will ask you for the passphrase during the install goal (the plugin is bound to the verify phase, which runs before install). After Maven finishes, you will find the jar and asc files in the target directory.
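The manual sign/verify commands above, as an added example that is not part of the original wiki page: it runs in a throwaway GNUPGHOME with a constructed sample file standing in for artifact.jar, signs it the same way (`gpg -ab`), verifies the detached signature, and then shows that a modified artifact is rejected. It assumes GnuPG 2.1 or newer (for `--quick-generate-key` and `--pinentry-mode loopback`); the key name and file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original wiki page): detached-signature
# round trip in an isolated keyring. Needs GnuPG 2.1+.
set -u

gpg_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME   # keep the real keyring untouched
    mkdir -m 700 "$GNUPGHOME"
    # Constructed sample artifact standing in for artifact.jar
    printf 'constructed sample artifact\n' > "$work/artifact.jar"

    # Throwaway signing key (hypothetical identity); the empty passphrase is
    # only so the demo runs unattended, a real release key should have one.
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'demo signer <demo@example.invalid>' rsa2048 sign never \
        >/dev/null 2>&1 || { echo "key generation failed" >&2; return 1; }

    # Same as the wiki's "gpg -ab artifact.jar": -a ASCII armor, -b detached
    gpg --batch --quiet --yes --passphrase '' --pinentry-mode loopback \
        -ab "$work/artifact.jar" || { echo "signing failed" >&2; return 1; }

    # Same as "gpg --verify artifact.jar.asc"; the data file is named
    # explicitly here instead of relying on gpg stripping the .asc suffix.
    gpg --batch --verify "$work/artifact.jar.asc" "$work/artifact.jar" >/dev/null 2>&1 \
        || { echo "verification of original failed" >&2; return 1; }

    # Tamper with the artifact: the detached signature must now be rejected
    printf 'x' >> "$work/artifact.jar"
    if gpg --batch --verify "$work/artifact.jar.asc" "$work/artifact.jar" >/dev/null 2>&1; then
        echo "tampered artifact unexpectedly verified" >&2; return 1
    fi

    gpgconf --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
    unset GNUPGHOME
    return 0
}
```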