DEV Community

Vladislav Kochetov
Vladislav Kochetov

Posted on • Edited on

How to set up publication signature with the Gradle plugin

Introduction:

In the realm of software development, ensuring the security and integrity of your artifacts is of paramount importance. One effective approach is to sign your artifacts using GPG (GNU Privacy Guard) keys. This article will guide you through the process of setting up GPG, generating keys, and utilizing The Signing Plugin to sign artifacts before publishing them to Nexus.

1. Installing GPG:

To begin, let's install GPG on our system. Follow the instructions below:

Linux:
- Open a terminal window.
- Execute the command: sudo apt-get install gnupg

macOS:
- Open a terminal window.
- Run the command: brew install gnupg

Windows:
- Download the Gpg4win installer from the Gpg4win website.
- Run the installer and follow the on-screen instructions.

2. Generating GPG Keys:

Once GPG is installed, let's generate GPG keys. These keys will be used to sign your artifacts. Follow these steps:

  • Open a terminal or command prompt.
  • Execute the command: gpg --full-generate-key
  • Follow the interactive prompts to configure your key, such as selecting the key type and size.
  • Set a strong passphrase for your key. Remember this passphrase as you will need it later.
  • Once the key generation is complete, your GPG key pair will be stored in the GPG keyring.

3. Configuring The Signing Plugin:

  • Open the build.gradle file of your project.
  • Add the following lines to the top of the file:
   plugins {
       id 'signing'
   }
Enter fullscreen mode Exit fullscreen mode
  • Configure the signing plugin for root project:
   signing {
       sign publishing.publications
   }
Enter fullscreen mode Exit fullscreen mode
  • Provide the GPG key details in gradle.properties:
signing.keyId=YOUR_KEY_ID
signing.secretKeyRingFile=~/.gnupg/secring.gpg
signing.password=YOUR_PASSPHRASE
Enter fullscreen mode Exit fullscreen mode

Note:

  • To get the keyId, you can run the following command gpg --list-keys --keyid-format short and take the 8-digit value
  • The secring.gpg file has been removed in GPG 2.1. However, GPG still can create such a file: gpg --export-secret-keys -o secring.gpg
  • To upload your public key to the keyserver, you can use the following command gpg --keyserver hkp://keyserver.ubuntu.com --send-keys YOUR_KEY_ID

4. Publish with signing:

./gradlew publishToMavenLocal
./gradlew publish

Top comments (0)