Skip to content

Commit 0db9d1e

Browse files
committed
build(release): add GPG signing plugin to release profile (D2)
Wires up Track D2 from the readiness taskboard - the second step of the Maven Central pipeline. Maven Central rejects unsigned uploads; this PR adds maven-gpg-plugin 3.2.7 to the existing release profile so the main / sources / javadoc / pom artefacts get signed during the verify phase. Off by default: new <gpg.skip>true</gpg.skip> property keeps local mvn -P release package runs working without a configured GPG key. The publish workflow (Track D4) flips it explicitly with -Dgpg.skip=false once MAVEN_GPG_PRIVATE_KEY and MAVEN_GPG_PASSPHRASE secrets are wired. gpgArguments declares --pinentry-mode loopback so non-interactive CI runs accept the passphrase from env / system property without needing a TTY for gpg-agent. Verification: mvnw -P release -DskipTests verify -pl . (default skip=true) -> BUILD SUCCESS, sign step silently skipped mvnw -P release -Dgpg.skip=false -DskipTests verify -pl . -> BUILD FAILURE with gpg exit code 2 (expected - no key configured locally; proves plugin would attempt signing) Pipeline state after this PR: artefacts (D1) + signing (D2) ready; central-publishing (D3) and workflow (D4) pending. Maintainer GPG key generation and GitHub secret wiring is the human prerequisite before D4's workflow will actually publish anything.
1 parent 1b4e791 commit 0db9d1e

2 files changed

Lines changed: 59 additions & 0 deletions

File tree

CHANGELOG.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,18 @@ JitPack continue to resolve through the existing coordinates.
2121
`./mvnw -DskipTests -P japicmp verify -pl .`; HTML/MD/XML reports
2222
land in `target/japicmp/`. JitPack repository is scoped to the
2323
`japicmp` profile, so downstream consumers do not inherit it.
24+
- **GPG signing in the `release` profile** (Track D2). Adds
25+
`maven-gpg-plugin` 3.2.7 to the existing `release` profile, binding
26+
to the `verify` phase to sign main / sources / javadoc / pom
27+
artefacts — Maven Central rejects unsigned uploads. **Off by
28+
default**: a new property `<gpg.skip>true</gpg.skip>` keeps local
29+
`mvn -P release package` runs working without a configured GPG key.
30+
The publish workflow (Track D4) flips it explicitly with
31+
`-Dgpg.skip=false` once the `MAVEN_GPG_PRIVATE_KEY` and
32+
`MAVEN_GPG_PASSPHRASE` secrets are wired. `gpgArguments` declares
33+
`--pinentry-mode loopback` so non-interactive CI runs accept the
34+
passphrase from `-Dgpg.passphrase` / `MAVEN_GPG_PASSPHRASE` without
35+
needing a TTY for `gpg-agent`.
2436
- **`release` Maven profile with sources + javadoc jars** (Track D1).
2537
Activated with `-P release`, attaches `*-sources.jar` and
2638
`*-javadoc.jar` to the `package` phase via the standard

pom.xml

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -67,6 +67,7 @@
6767
<!-- Build plugins -->
6868
<maven.compiler.plugin.version>3.15.0</maven.compiler.plugin.version>
6969
<maven.enforcer.plugin.version>3.5.0</maven.enforcer.plugin.version>
70+
<maven.gpg.plugin.version>3.2.7</maven.gpg.plugin.version>
7071
<maven.javadoc.plugin.version>3.12.0</maven.javadoc.plugin.version>
7172
<maven.source.plugin.version>3.3.1</maven.source.plugin.version>
7273
<maven.surefire.plugin.version>3.5.5</maven.surefire.plugin.version>
@@ -78,6 +79,14 @@
7879
<!-- Binary compatibility baseline (japicmp profile) -->
7980
<japicmp.version>0.23.1</japicmp.version>
8081
<japicmp.baseline>v1.6.5</japicmp.baseline>
82+
83+
<!--
84+
GPG signing — opted in via -Dgpg.skip=false (the publish
85+
workflow does this on tag pushes). Default true so a
86+
maintainer running `mvn -P release package` locally does
87+
not need a configured GPG key.
88+
-->
89+
<gpg.skip>true</gpg.skip>
8190
</properties>
8291

8392
<dependencyManagement>
@@ -508,6 +517,44 @@
508517
</execution>
509518
</executions>
510519
</plugin>
520+
<!--
521+
GPG signing of the four published artefacts
522+
(main jar + sources + javadoc + pom). Maven
523+
Central rejects unsigned uploads.
524+
525+
Local default: `<gpg.skip>true</gpg.skip>` (set
526+
in <properties>) so `mvn -P release package`
527+
works without a configured GPG key. The publish
528+
workflow (Track D4) flips it with
529+
-Dgpg.skip=false.
530+
531+
The `gpgArguments` pinentry-mode=loopback is
532+
required for non-interactive runs (CI), where
533+
the passphrase arrives via
534+
MAVEN_GPG_PASSPHRASE / -Dgpg.passphrase and
535+
there is no TTY for gpg-agent to prompt on.
536+
-->
537+
<plugin>
538+
<groupId>org.apache.maven.plugins</groupId>
539+
<artifactId>maven-gpg-plugin</artifactId>
540+
<version>${maven.gpg.plugin.version}</version>
541+
<executions>
542+
<execution>
543+
<id>sign-artifacts</id>
544+
<phase>verify</phase>
545+
<goals>
546+
<goal>sign</goal>
547+
</goals>
548+
<configuration>
549+
<skip>${gpg.skip}</skip>
550+
<gpgArguments>
551+
<arg>--pinentry-mode</arg>
552+
<arg>loopback</arg>
553+
</gpgArguments>
554+
</configuration>
555+
</execution>
556+
</executions>
557+
</plugin>
511558
</plugins>
512559
</build>
513560
</profile>

0 commit comments

Comments
 (0)