Sign published artifacts

Description

Need to set up keys. Otherwise, applying the signing is pretty straightforward...

In `published-java-module`, add the following:

Activity

Steve Ebersole, January 26, 2022 at 12:52 PM

I don’t think I have yet successfully released 6.0 from the CI job

Yoann Rodière, January 26, 2022 at 12:43 PM (edited)

FYI the PGP key is available on Jenkins CI; however, you need to import it into gpg before your build. And above all, you need to make sure to remove it after the build (even if the build fails), so that we don’t expose the key to, say, pull request builds.

See:

  • setting up the environment variables in the Jenkinsfile (I’m sure you can get an equivalent configuration in a “legacy” job defined through UI): and also

  • importing the key

  • taking advantage of the environment variables in the Maven/Gradle build:
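
The import-before-build, remove-even-on-failure pattern from the comment above, as an added shell example that is not part of this issue or of the project's CI configuration. `SIGNING_KEY_FILE` (path to the armored private key handed over by the CI credential store) and the `./gradlew publish` command are assumed names.

```shell
#!/bin/sh
# Added example. Assumed names: SIGNING_KEY_FILE, ./gradlew publish.

# Run a command with a throwaway GNUPGHOME. The key is imported into a
# per-build keyring instead of the agent user's ~/.gnupg, and the subshell's
# EXIT trap deletes that keyring whether the command succeeds or fails.
with_ephemeral_gnupghome() {
  _gpg_home=$(mktemp -d) || return 1
  chmod 700 "$_gpg_home"
  (
    GNUPGHOME=$_gpg_home
    export GNUPGHOME
    # Turn termination signals into a normal exit so the EXIT trap still runs.
    trap 'exit 1' HUP INT TERM
    # Stop the agent that cached the key, then remove the keyring itself.
    trap 'gpgconf --kill gpg-agent >/dev/null 2>&1; rm -rf "$GNUPGHOME"' EXIT
    "$@"
    exit "$?"   # propagate the build's status; the EXIT trap runs first
  )
}

# Import the key into the current GNUPGHOME and print its fingerprint, so the
# build can select the signing key explicitly.
import_signing_key() {
  gpg --batch --quiet --import "$1" &&
    gpg --batch --with-colons --list-secret-keys |
      awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import first, then run the build command given as arguments.
signed_build() {
  import_signing_key "$SIGNING_KEY_FILE" >/dev/null || return 1
  "$@"
}

# Only runs when the CI job actually provides a key.
if [ -n "${SIGNING_KEY_FILE:-}" ]; then
  with_ephemeral_gnupghome signed_build ./gradlew publish
fi
```

Because the keyring lives in a fresh temporary directory, a later job on the same agent (a pull request build, for instance) starts with no trace of the key even if the release build aborted.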

Fixed

Details

Created May 14, 2021 at 4:15 PM
Updated March 9, 2022 at 3:20 AM
Resolved February 7, 2022 at 2:17 PM