How can I automatically sign my plugin using GPG?

kgvelkov · April 2, 2018, 2:25pm

Hi there,

I’m looking into applying to add my plugin to the Ore plugin repository, but I read in the requirements that the JAR has to be GPG signed. Of course, I can do that manually, but I’d like to do it automatically? Is there any way to do it? I use Maven as my build system.

RandomByte · April 2, 2018, 6:44pm

I love this tool: PromptSign - Gradle plugin for automatic sign plugin configuration by @pie_flavor

kgvelkov · April 2, 2018, 6:56pm

I use Maven as my build system.

RandomByte · April 2, 2018, 8:27pm

I don’t know Maven very well. You may want to consider switching just for this tool.

Luck · April 2, 2018, 11:30pm

Just add the following to your pom.xml file

<plugins>
    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
            <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                    <goal>sign</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
</plugins>

kgvelkov · April 3, 2018, 8:08am

@Luck I added that, but I get this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts): Unable to execute gpg command: Error while executing process. Cannot run program "gpg.exe": CreateProcess error=2, The system cannot find the file specified -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Luck · April 3, 2018, 6:59pm

Uhh, you need to install GPG on your system.

https://gpg4win.org/download.html

kgvelkov · April 3, 2018, 7:03pm

I installed it, and now it finds gpg.exe, but now there’s a different error

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project: Exit code: 2 -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

pie_flavor · April 3, 2018, 11:27pm

Did you configure your keys, and use gpg.passphrase in the build arguments?

kgvelkov · April 4, 2018, 10:10am

I’m already using my GPG key in GitHub to sign my commits, so it should be set up.
I’m executing clean verify -Dgpg.passphrase=mypassword, but it still gives the same error

pie_flavor · April 4, 2018, 11:33pm

And it knows where to find your keystore?

kgvelkov · April 5, 2018, 5:35am

How can I check that? It’s in the default location (myuserfolder\.gnupg)

pie_flavor · April 5, 2018, 5:37am

I’m not sure if it automatically knows where the keyring is. I’m not familiar with Maven.