Introduction
In the realm of software development, ensuring the security and integrity of your artifacts is of paramount importance. One effective approach is to sign your artifacts using GPG (GNU Privacy Guard) keys. This article will guide you through the process of setting up GPG, generating keys, and using Gradle's Signing Plugin to sign artifacts before publishing them to Nexus.
1. Installing GPG
To begin, install GPG on your system:
- Linux: Open a terminal and run sudo apt-get install gnupg
- macOS: Open a terminal and run brew install gnupg
- Windows: Download the Gpg4win installer and follow the on-screen instructions.
2. Generating GPG Keys
Once GPG is installed, generate your keys:
- Open a terminal or command prompt.
- Execute gpg --full-generate-key
- Follow the interactive prompts to configure your key (type, size).
- Set a strong passphrase and remember it for later.
- Your GPG key pair will be stored in the GPG keyring.
3. Configuring The Signing Plugin
Open the build.gradle file of your project and add the following (the plugins block must be the first block in the file):
plugins {
id 'signing'
}
signing {
sign publishing.publications
}
Provide the GPG key details in gradle.properties:
signing.keyId=YOUR_KEY_ID
signing.secretKeyRingFile=~/.gnupg/secring.gpg
signing.password=YOUR_PASSPHRASE
Note:
- To get the keyId, run gpg --list-keys --keyid-format short and use the 8-hex-digit value printed after the slash on the pub line.
- The secring.gpg file has been removed in GPG 2.1. You can create it with: gpg --export-secret-keys -o secring.gpg
- Gradle does not expand ~ in secretKeyRingFile; give the absolute path to the exported file.
- Put these three properties in ~/.gradle/gradle.properties rather than in the project's gradle.properties, so the passphrase is never committed alongside the source.
- To upload your public key to a keyserver: gpg --keyserver hkp://keyserver.ubuntu.com --send-keys YOUR_KEY_ID
4. Publishing with signing
./gradlew publishToMavenLocal
./gradlew publish
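After publishToMavenLocal, the Signing Plugin writes a detached .asc signature next to each artifact, which you can check before anything reaches Nexus. The script below is an added example, not code from the article or from Gradle: it extracts the short keyId that gradle.properties expects from gpg --list-keys output (using a constructed sample listing) and, in --verify mode, runs gpg --verify over every .asc under a repository directory, assumed to be ~/.m2/repository. It assumes gpg is on PATH for the verify mode and that artifact paths contain no whitespace.

```shell
#!/bin/sh
# Added example: not the article's or Gradle's own code.
# Default mode: print the signing.keyId line from a constructed gpg listing.
# --verify [DIR]: verify every detached .asc signature under DIR
# (default ~/.m2/repository, where publishToMavenLocal writes artifacts).
set -eu

# Print the short key ID of the first primary key in
# `gpg --list-keys --keyid-format short` output, i.e. the 8 hex digits
# after the slash on the "pub" line. Prints nothing if no pub line exists.
short_key_id() {
  printf '%s\n' "$1" | awk '
    $1 == "pub" { n = split($2, p, "/"); if (n == 2) { print p[2]; exit } }'
}

# Verify one detached signature against the file it covers (same path
# without the .asc suffix). Returns non-zero if the artifact is missing
# or gpg rejects the signature.
verify_one() {
  sig="$1"
  file="${sig%.asc}"
  [ -f "$file" ] || { echo "missing artifact for $sig" >&2; return 1; }
  gpg --batch --verify "$sig" "$file" >/dev/null 2>&1
}

# Walk a repository tree and verify every .asc found; assumes paths have
# no whitespace (true of Maven coordinates). Returns non-zero on any failure.
verify_repo() {
  root="$1"; total=0; failed=0
  for sig in $(find "$root" -type f -name '*.asc'); do
    total=$((total + 1))
    if verify_one "$sig"; then
      echo "OK   $sig"
    else
      echo "FAIL $sig"; failed=$((failed + 1))
    fi
  done
  echo "$total signature(s) checked, $failed failed"
  [ "$failed" -eq 0 ]
}

# Constructed sample of `gpg --list-keys --keyid-format short` output.
SAMPLE_LISTING='pub   rsa4096/1A2B3C4D 2024-01-15 [SC]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid         [ultimate] Example Dev <dev@example.com>
sub   rsa4096/5E6F7A8B 2024-01-15 [E]'

if [ "${1:-}" = "--verify" ]; then
  verify_repo "${2:-$HOME/.m2/repository}"
else
  echo "signing.keyId=$(short_key_id "$SAMPLE_LISTING")"
fi
```

Run it with --verify after publishToMavenLocal; a FAIL line means the artifact and its .asc no longer match or the artifact is missing, so stop before running publish.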