Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update recommended configuration for GPG signing #608

Open
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

wetneb
Copy link

@wetneb wetneb commented Mar 13, 2024

This attempts to document the new recommended configuration to sign artifacts with the maven-gpg-plugin as part of the deploy process.

It imitates this PR from the maintainer of the maven-gpg-plugin: https://github.com/xerial/sqlite-jdbc/pull/1082/files

Notes that this requires the maven-gpg-plugin version 3.2.0 or above, not sure if this is worth adding to the documentation as I expect this guide will mostly be followed by people setting up a new project (hopefully using the latest version of the plugin by default).

@cstamas I hope I got it right, feel free to suggest any improvements

Related issue:
might be related to #600?

see also https://issues.apache.org/jira/browse/MGPG-90?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17825880

Check list:

  • Mark if documentation changes are required.
  • Mark if tests were added or updated to cover the changes.

This attempts to document the new recommended configuration to sign artifacts with the maven-gpg-plugin as part of the deploy process.

It imitates this PR from the maintainer of the maven-gpg-plugin:
https://github.com/xerial/sqlite-jdbc/pull/1082/files

Notes that this requires the maven-gpg-plugin version 3.2.0 or above, not sure if this is worth adding to the documentation as I expect this guide will mostly be followed by people setting up a new project (hopefully using the latest version of the plugin by default).

@cstamas I hope I got it right, feel free to suggest any improvements
@wetneb wetneb requested a review from a team as a code owner March 13, 2024 08:47
Copy link

@cstamas cstamas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, but this would work with 3.2.0 m-gpg-p only of course.

@wetneb
Copy link
Author

wetneb commented Mar 15, 2024

With the release of the 3.2.1 version of the maven-gpg-plugin, this documentation update is less important as 3.2.1 will continue to work like the previous versions.

However, on the long term, this would likely still be a better choice than the current set up, as it removes the dependency on an external GPG agent. Arguably setup-java shouldn't have anything to do with setting up a GPG environment as it's unrelated to Java.

One downside of this method is the additional -Dgpg.signer=bc that needs to be added to mvn package. Perhaps that's something that could be removed in the future, if the maven-gpg-plugin is able to detect by itself that it is running in an environment where GPG hasn't been set up at all.

@cstamas
Copy link

cstamas commented Mar 18, 2024

Note: 3.2.1 is out, that restores "old way" working.

Still, I'd emphasize that with 3.2.x plugins, the "preferred" way of signing on CI like environments is using BC and passing secrets (key and passphrase) as environment variables. No more hoops and loops, like installing key into GnuPG and getting passphrase via crafted settings.xml should be needed. Ideally, no secret should get onto any disk/persistent storage.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants