DEV Community

Vladislav Kochetov

How to set up publication signature with the Gradle plugin

Introduction:

In the realm of software development, ensuring the security and integrity of your artifacts is of paramount importance. One effective approach is to sign your artifacts using GPG (GNU Privacy Guard) keys. This article will guide you through the process of setting up GPG, generating keys, and utilizing The Signing Plugin to sign artifacts before publishing them to Nexus.

1. Installing GPG:

To begin, let's install GPG on our system. Follow the instructions below:

Linux:
- Open a terminal window.
- Execute the command: sudo apt-get install gnupg

macOS:
- Open a terminal window.
- Run the command: brew install gnupg

Windows:
- Download the Gpg4win installer from the Gpg4win website.
- Run the installer and follow the on-screen instructions.

2. Generating GPG Keys:

Once GPG is installed, let's generate GPG keys. These keys will be used to sign your artifacts. Follow these steps:

  • Open a terminal or command prompt.
  • Execute the command: gpg --full-generate-key
  • Follow the interactive prompts to configure your key, such as selecting the key type and size.
  • Set a strong passphrase for your key. Remember this passphrase as you will need it later.
  • Once the key generation is complete, your GPG key pair will be stored in the GPG keyring.

3. Configuring The Signing Plugin:

  • Open the build.gradle file of your project.
  • Add the following lines to the top of the file:
   plugins {
       id 'signing'
   }
  • Configure the signing plugin for root project:
   signing {
       sign publishing.publications
   }
  • Provide the GPG key details in gradle.properties (preferably the one in your Gradle user home rather than in the project, so the passphrase stays out of version control):
   signing.keyId=YOUR_KEY_ID
   signing.secretKeyRingFile=~/.gnupg/secring.gpg
   signing.password=YOUR_PASSPHRASE

Note:

  • To get the keyId, run gpg --list-keys --keyid-format short and take the 8-character hexadecimal short ID shown for your key.
  • The secring.gpg file was removed in GPG 2.1. However, GPG can still export one for the plugin: gpg --export-secret-keys -o secring.gpg
  • To upload your public key to a keyserver, run gpg --keyserver hkp://keyserver.ubuntu.com --send-keys YOUR_KEY_ID

4. Publish with signing:

./gradlew publishToMavenLocal
./gradlew publish
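To show how steps 3 and 4 fit together with maven-publish and a Nexus repository, here is a complete build.gradle as an added example; it is not code from the original post. The coordinates, the repository URL and the SIGNING_KEY / SIGNING_PASSWORD environment variable names are placeholders, and the in-memory key branch is an assumption about how a CI pipeline might supply the key instead of a secring.gpg file.

```groovy
plugins {
    id 'java-library'
    id 'maven-publish'
    id 'signing'
}

group = 'com.example'   // placeholder coordinates
version = '1.0.0'

publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
        }
    }
    repositories {
        maven {
            name = 'nexus'
            // placeholder URL: point this at your Nexus hosted repository
            url = uri('https://nexus.example.com/repository/maven-releases/')
            // Reads nexusUsername / nexusPassword from gradle.properties
            credentials(PasswordCredentials)
        }
    }
}

signing {
    // Assumption: CI exports an ASCII-armored private key and its passphrase
    // as environment variables instead of shipping a secring.gpg file.
    def ciKey = System.getenv('SIGNING_KEY')
    if (ciKey) {
        useInMemoryPgpKeys(ciKey, System.getenv('SIGNING_PASSWORD'))
    }
    // Otherwise signing.keyId / signing.secretKeyRingFile / signing.password
    // from gradle.properties are used, as described above.

    // Only insist on signatures when publishing to Nexus; a developer without
    // the key can still run build and publishToMavenLocal.
    required { gradle.taskGraph.hasTask('publish') }
    sign publishing.publications
}
```

After ./gradlew publishToMavenLocal, each artifact in ~/.m2 has a matching .asc detached signature, which you can check with gpg --verify artifact.jar.asc artifact.jar before pushing to Nexus.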
