gnupg very basically
I’m trying to get jslint4java into central, via oss.sonatype.org. Part of this requires that you use the maven-gpg-plugin to sign your artifacts. All well & good, but I’ve never used GPG before (though I’ve been playing with SSL certificates for years).
So, following along the howto, I did:
$ gpg --gen-key gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) DSA and Elgamal (default) (2) DSA (sign only) (5) RSA (sign only) Your selection? 1 DSA keypair will have 1024 bits. ELG-E keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name: Dominic Mitchell Email address: firstname.lastname@example.org Comment: You selected this USER-ID: "Dominic Mitchell <email@example.com>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. +++++.++++++++++.++++++++++.+++++++++++++++.+++++++++++++++.+++++...++++++++++.+++++.+++++++++++++++++++++++++++++++++++++++++++++++++++++++>++++++++++>+++++......+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ..++++++++++++++++++++.++++++++++++++++++++++++++++++...++++++++++++++++++++++++++++++.++++++++++++++++++++++++++++++.+++++++++++++++.+++++...++++++++++.+++++>.++++++++++>..+++++>+++++.......+++++^^^ gpg: /Users/dom/.gnupg/trustdb.gpg: trustdb created gpg: key A24D5076 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/A24D5076 2009-06-24 Key fingerprint = 2F2E 85D8 A945 41C2 B7D1 667A 8616 2CE5 A24D 5076 uid Dominic Mitchell <firstname.lastname@example.org> sub 2048g/4C2D8074 2009-06-24
As an aside, I am using gnupg 1, as I had some issues with the maven-plugin and gnupg 2. And it was simpler to just install gnupg 1 than fix the issues. 🙂
This creates a bunch of files in
$ ls -l ~/.gnupg total 64 -rw------- 1 dom dom 9154 21 Jun 20:39 gpg.conf -rw------- 1 dom dom 1171 24 Jun 20:44 pubring.gpg -rw------- 1 dom dom 1171 24 Jun 20:44 pubring.gpg~ -rw------- 1 dom dom 600 24 Jun 20:44 random_seed -rw------- 1 dom dom 1320 24 Jun 20:44 secring.gpg -rw------- 1 dom dom 1280 24 Jun 20:44 trustdb.gpg
Next, it needs to be published on to one of the key servers. The default configuration comes set up with a keyserver keys.gnupg.net. You can send your key up there easily:
$ gpg --send-keys A24D5076 gpg: sending key A24D5076 to hkp server keys.gnupg.net
And now it’s published.
Integrating this with your maven build is fairly simple. The example configuration works exactly as expected. I did one thing slightly differently: I created a gpg profile, and then referenced that from the release plugin. That means I’ll only sign releases, not all builds. Which seems reasonable enough to me.
<project> <build> <pluginManagement> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-release-plugin</artifactId> <version>2.0-beta-9</version> <configuration> <releaseProfiles>gpg</releaseProfiles> </configuration> </plugin> </plugins> </pluginManagement> </build> <profiles> <profile> <id>gpg</id> <build> <plugins> <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> … </plugin> </plugins> </build> </profile> </profiles> </project>