How can I automatically sign my plugin using GPG?


#1

Hi there,

I’m looking into applying to add my plugin to the Ore plugin repository, but I read in the requirements that the JAR has to be GPG signed. Of course, I can do that manually, but I’d like to do it automatically. Is there any way to do it? I use Maven as my build system.


#2

I love this tool: PromptSign - Gradle plugin for build-time sign plugin configuration by @pie_flavor


#3

I use Maven as my build system.


#4

I don’t know Maven very well. You may want to consider switching just for this tool.


#5

Just add the following to your pom.xml file:

<!-- Place this inside the <build> element of pom.xml -->
<plugins>
    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
            <execution>
                <id>sign-artifacts</id>
                <!-- Runs gpg during the verify phase and writes a detached .asc signature for each artifact -->
                <phase>verify</phase>
                <goals>
                    <goal>sign</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
</plugins>

#6

@Luck I added that, but I get this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts): Unable to execute gpg command: Error while executing process. Cannot run program "gpg.exe": CreateProcess error=2, The system cannot find the file specified -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

#7

Uhh, you need to install GPG on your system.

https://gpg4win.org/download.html


#8

I installed it, and now it finds gpg.exe, but now there’s a different error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project: Exit code: 2 -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

#9

Did you configure your keys, and use gpg.passphrase in the build arguments?


#10

I’m already using my GPG key in GitHub to sign my commits, so it should be set up.
I’m executing clean verify -Dgpg.passphrase=mypassword, but it still gives the same error :(


#11

And it knows where to find your keystore?


#12

How can I check that? It’s in the default location (myuserfolder\.gnupg)


#13

I’m not sure if it automatically knows where the keyring is. I’m not familiar with Maven.
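
Added example, not code from any poster in this thread: one way to answer the "how can I check that?" question is to ask the `gpg` on PATH which secret keys it sees and whether any can sign. It assumes Maven launches that same `gpg` binary; the sample listing is constructed, and the home directory argument is whatever path the caller wants to inspect.

```python
import shutil
import subprocess
import sys

# Constructed sample of `gpg --with-colons --list-secret-keys` output (not real keys).
SAMPLE = (
    "sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:\n"
    "fpr:::::::::" + "A" * 40 + ":\n"
    "uid:u::::1500000000::X::Example Dev <dev@example.invalid>:\n"
    "ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:\n"
    "fpr:::::::::" + "B" * 40 + ":\n"
    "sec:e:2048:1:CCCCCCCCCCCCCCCC:1400000000:1450000000::u:::sc:\n"
    "fpr:::::::::" + "C" * 40 + ":\n"
    "uid:e::::1400000000::Y::Old Key <old@example.invalid>:\n"
)
UNUSABLE = {"e": "expired", "r": "revoked", "d": "disabled",
            "i": "invalid", "n": "not valid"}


def signing_keys(colons_output):
    """Parse gpg colon records; return one dict per secret primary key."""
    keys, cur = [], None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "sec" and len(f) > 11:
            problem = UNUSABLE.get(f[1])               # field 2: validity
            if problem is None and "S" not in f[11]:   # field 12: usable capabilities
                problem = "no signing capability"
            cur = {"keyid": f[4], "fpr": None, "uid": None, "problem": problem}
            keys.append(cur)
        elif f[0] in ("fpr", "uid") and cur and len(f) > 9 and cur[f[0]] is None:
            cur[f[0]] = f[9]   # field 10; the first fpr/uid belongs to the primary key
    return keys


def list_secret_keys(homedir=None):
    """Run the gpg found on PATH and return its machine-readable key listing."""
    gpg = shutil.which("gpg")
    if gpg is None:
        raise FileNotFoundError("gpg is not on PATH")
    cmd = [gpg, "--batch", "--with-colons", "--list-secret-keys"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]   # inspect a specific GnuPG home directory
    return subprocess.run(cmd, capture_output=True, text=True, encoding="utf-8",
                          errors="replace", check=True).stdout


if __name__ == "__main__":
    found = signing_keys(list_secret_keys(sys.argv[1] if len(sys.argv) > 1 else None))
    for k in found:
        print(k["fpr"], k["uid"], "->", k["problem"] or "usable for signing")
    sys.exit(0 if any(k["problem"] is None for k in found) else 1)
```

Run it once with no argument and once with the path of the `.gnupg` folder; if only the second run lists a usable key, the installed `gpg` is reading a different home directory than the one that holds the key.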