s4u / sign-maven-plugin

Maven plugin which creates Open PGP / GPG signatures for all of the project's artifacts
https://www.simplify4u.org/sign-maven-plugin/
Apache License 2.0

Support using this plugin out of maven projects #141

Open ymaskin opened 2 years ago

ymaskin commented 2 years ago

I'm using mvn gpg:sign-and-deploy-file to sign and create a staging repo from an existing artifact (built using Gradle in Android) before publishing it to the Nexus repo (Sonatype). The main issue I'm facing currently is using this method in CI/CD, because I need to share the same gpg key across all my agents in the cloud.

I would like to have a Solution as you provide, signing with the private key stored in environment variables without need to copy and share the full .gnupg directory.

Is there a way to use your plugin in that kind of situation? In all the examples I see a project pom.xml file, but I don't have one. If you have a way to do that using CLI commands it will be great...

Thanks

slawekjaranowski commented 2 years ago

When you build your project with Gradle, you can use the Gradle Signing plugin; it lets you provide keys in environment variables.

https://docs.gradle.org/current/userguide/signing_plugin.html#sec:in-memory-keys
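As an added example (not from this thread or the plugin's own code), a build.gradle fragment that applies the in-memory key approach linked above: the ASCII-armored private key and its passphrase come from CI secrets exposed as the environment variables ORG_GRADLE_PROJECT_signingKey and ORG_GRADLE_PROJECT_signingPassword, which Gradle maps to project properties, so no ~/.gnupg directory has to be shared between agents. The property names are this example's own choice.

```groovy
plugins {
    id 'maven-publish'
    id 'signing'
}

signing {
    // Gradle exposes ORG_GRADLE_PROJECT_<name> environment variables as
    // project properties, so the CI secret never has to be written to disk.
    // (The property names are this example's choice, not fixed by the plugin.)
    def signingKey = findProperty('signingKey')          // ASCII-armored private key block
    def signingPassword = findProperty('signingPassword') // passphrase protecting that key

    // Only insist on a signature when a real publish is on the task graph;
    // developer builds without the secret still assemble normally.
    required { gradle.taskGraph.hasTask('publish') }

    if (signingKey != null && signingPassword != null) {
        // Load the key from memory instead of from the ~/.gnupg keyring.
        useInMemoryPgpKeys(signingKey, signingPassword)
    }

    // Sign every publication (POM, jar/aar, sources, javadoc) before upload.
    sign publishing.publications
}
```

In CI, set ORG_GRADLE_PROJECT_signingKey to the armored key text from the secret store (exported once with `gpg --armor --export-secret-keys <key id>`) and ORG_GRADLE_PROJECT_signingPassword to the passphrase; Gradle reads both as properties without touching a keyring on the agent.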

ymaskin commented 2 years ago

@slawekjaranowski Thank you for your response. I need to sign an existing artifact from the JFrog Artifactory (in this step I'm not using Gradle). I found a way to do that using the maven plugin with this command: mvn gpg:sign-and-deploy-file. Is there a way to sign it with the private key itself without having all the files under the .gnupg directory? I need to do it on multiple agents on Jenkins, and I prefer to store my private key instead of creating this directory dynamically.

slawekjaranowski commented 2 years ago

Maven artifacts are immutable by design. You should not change existing artifacts.

https://central.sonatype.org/faq/can-i-change-a-component/

ymaskin commented 2 years ago

I'm not changing my artifacts. I'm using JFrog as staging and for development, and I want to publish the same artifact to Maven Central through Sonatype. For this, I must sign the original artifacts per Sonatype requirements, and I found a way to do that very smoothly using the maven plugin. The maven plugin provides the command mvn gpg:sign-and-deploy-file, which uses the gpg key from .gnupg under the home directory for signing. It provides a way to choose which key, but it does not provide a way to pass the actual private key as a string or through environment variables. Can your plugin solve this for me?

The other option would be copying the whole .gnupg directory and exporting it to all my agents in the cloud, or using Docker and pasting that directory there, but it seems too complicated and kind of messy.