How can I automatically sign my plugin using GPG?

kgvelkov · 2018-04-02 14:25:06 UTC

Hi there,

I’m looking into applying to add my plugin to the Ore plugin repository, but I read in the requirements that the JAR has to be GPG signed. Of course, I can do that manually, but I’d like to do it automatically? Is there any way to do it? I use Maven as my build system.

RandomByte · 2018-04-02 18:44:59 UTC

I love this tool: PromptSign - Gradle plugin for build-time sign plugin configuration by @pie_flavor

kgvelkov · 2018-04-02 18:56:20 UTC

I use Maven as my build system.

RandomByte · 2018-04-02 20:27:06 UTC

I don’t know Maven very well. You may want to consider switching just for this tool.

Luck · 2018-04-02 23:30:48 UTC

Just add the following to your pom.xml file

<plugins>
    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
            <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                    <goal>sign</goal>
                </goals>
            </execution>
        </executions>
    </plugin>
</plugins>

kgvelkov · 2018-04-03 08:08:20 UTC

@Luck I added that, but I get this error:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts): Unable to execute gpg command: Error while executing process. Cannot run program "gpg.exe": CreateProcess error=2, The system cannot find the file specified -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

Luck · 2018-04-03 18:59:47 UTC

Uhh, you need to install GPG on your system.

https://gpg4win.org/download.html

kgvelkov · 2018-04-03 19:03:10 UTC

I installed it, and now it finds gpg.exe, but now there’s a different error

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project: Exit code: 2 -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

pie_flavor · 2018-04-03 23:27:31 UTC

Did you configure your keys, and use gpg.passphrase in the build arguments?

kgvelkov · 2018-04-04 10:10:06 UTC

I’m already using my GPG key in GitHub to sign my commits, so it should be set up.
I’m executing clean verify -Dgpg.passphrase=mypassword, but it still gives the same error

pie_flavor · 2018-04-04 23:33:27 UTC

And it knows where to find your keystore?

kgvelkov · 2018-04-05 05:35:28 UTC

How can I check that? It’s in the default location (myuserfolder\.gnupg)

pie_flavor · 2018-04-05 05:37:26 UTC

I’m not sure if it automatically knows where the keyring is. I’m not familiar with Maven.