decentralized-identity/web5-kt

Implement release signing

Closed this issue · 1 comment

Not actually being signed now.

And we need policies and process around key storage, rotation, etc.

Taking the config out of the build now; to be put back when we can address comprehensively. This isn't something we can do prior to full procedures in place, as signing has to have excellent controls and clear verification to consumers.

Configs to inspect:

release-publish-tbd-artifactory.yml

```yaml
      # Adapted from: https://gist.github.com/sualeh/ae78dc16123899d7942bc38baba5203c
      - name: Install gpg secret key
        run: |
          # Install gpg secret key
          cat <(echo -e "${{ secrets.GPG_SECRET_KEY }}") | gpg --batch --import
          # Verify gpg secret key
          gpg --list-secret-keys --keyid-format LONG
```

and in the Release and Publish to TBD Artifactory element where we do mvn deploy:

```shell
            \
            -Dgpg.passphrase=${{ secrets.GPG_SECRET_PASSPHRASE }}
```

pom.xml

```xml
    <profile>
      <id>release-sign-artifacts</id>
      <activation>
        <property>
          <name>performRelease</name>
          <value>true</value>
        </property>
      </activation>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
            <configuration>
              <!-- As advised by https://gist.github.com/sualeh/ae78dc16123899d7942bc38baba5203c -->
              <gpgArguments>
                <arg>--pinentry-mode</arg>
                <arg>loopback</arg>
              </gpgArguments>
            </configuration>
          </plugin>
        </plugins>
      </build>
    </profile>
```

When put back, will also need to go into publish-maven-central.yml.
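The failure this issue records ("not actually being signed") is cheap to catch before `mvn deploy` runs. Below is an added example of such a pre-publish gate; it is not code from web5-kt or from the gist referenced above. It assumes a flat staging directory and the Maven Central rule that every `.jar`, `.pom` and `.module` must have a detached ASCII-armored `.asc` beside it; it checks that the armor is well formed, including the RFC 4880 CRC-24 line, so an empty or truncated `.asc` cannot pass, but it does not replace `gpg --verify` against the published release key.

```python
"""Pre-deploy signing gate for a Maven staging directory (added example)."""
import base64
import binascii
import os

ARTIFACT_SUFFIXES = (".jar", ".pom", ".module")   # assumption: what Central requires signed
BEGIN, END = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (init 0xB704CE, poly 0x864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def is_armored_signature(text: str) -> bool:
    """True if text is a structurally valid armored PGP signature with a correct checksum."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    body = [line for line in lines[1:-1] if line]       # drop the blank header separator
    while body and ":" in body[0]:                       # skip armor headers (Version:, Comment:)
        body.pop(0)
    if len(body) < 2 or not body[-1].startswith("="):    # GnuPG always emits the "=crc" line
        return False
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        given = base64.b64decode(body[-1][1:], validate=True)
    except binascii.Error:
        return False
    return len(given) == 3 and bool(payload) and int.from_bytes(given, "big") == crc24(payload)


def missing_signatures(files: dict) -> list:
    """Given {filename: text}, return artifacts whose .asc is absent or malformed."""
    return sorted(name for name in files if name.endswith(ARTIFACT_SUFFIXES)
                  and not is_armored_signature(files.get(name + ".asc", "")))


def scan_staging_dir(staging_dir: str) -> list:
    """Filesystem wrapper: read every .asc (artifact bodies are not needed) and gate."""
    files = {}
    for name in os.listdir(staging_dir):
        files[name] = ""
        if name.endswith(".asc"):
            with open(os.path.join(staging_dir, name), encoding="ascii", errors="replace") as fh:
                files[name] = fh.read()
    return missing_signatures(files)
```

Wire `scan_staging_dir` into the release workflow so a non-empty result fails the job before anything is pushed to Artifactory or Central.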

Needs to be handled in #217

https://central.sonatype.org/publish/requirements/

It's a publish requirement for Maven Central.