How to create a gpg key
No matter what publishing platform you use, it's important that you sign every release you cut. A signature lets users check that the artifact they downloaded is the one you built and has not been modified by a third party on the way.
This process is so important that some repositories, Maven Central among them, refuse unsigned releases. Whether you publish to Maven Central or not, we strongly encourage you to follow this guide.
If you already have a personal gpg key, create a separate one for publishing from CI, so that a compromise of the CI environment exposes only that key. If this key leaks, it should not let anyone read your private email, and you should be able to revoke and replace it without touching anything else.
- Create a directory to store your CI keys and cd into it:
  mkdir ci-keys && cd ci-keys
- Generate your key with
  gpg --homedir . --gen-key
  and enter your details. The --homedir . flag keeps the new key inside ci-keys instead of your personal ~/.gnupg keyring. Avoid special characters and spaces in the name and passphrase if you deploy with Travis CI, because those values have to be escaped when they are passed through its configuration.
Now that you have created your key, let's get the ASCII files that sbt-pgp will require later on. In the same directory as before (ci-keys), follow these steps:
- Export the public key:
  gpg --homedir . -a --export > pubring.asc
- Export the secret key:
  gpg --homedir . -a --export-secret-keys > secring.asc
pubring.asc is safe to publish. secring.asc is your private key: keep it out of version control and hand it to CI only in encrypted form.
This guide has been tested with GnuPG 2.1.21:
gpg (GnuPG) 2.1.21
libgcrypt 1.7.8
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
If you're stuck, this detailed manual can help you out.
Read this guide and export your public and secret keys to the ASCII files pubring.asc and secring.asc respectively.
Note that in Travis CI, the travis gem will error out and may not be usable on Windows.
To release your software to Maven Central, you need to publish your GPG public key to a key server so that others can check that it belongs to you. There are many public key servers; we recommend the MIT PGP server.
The procedure to publish your gpg public key is as follows:
- Visit the website.
- Copy-paste the contents of pubring.asc, produced by the previous section, into the form under the "Submit a key" header.
- Submit the form.
Done. If there hasn't been any error, your key is now published on the public key server. Public key servers are not always available, so whichever one you use, confirm afterwards that the key can be fetched back by its full fingerprint: that lookup is what Maven Central's signature check depends on. Only the public key ever goes to a key server; never paste secring.asc anywhere.
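The whole procedure, from the key-generation and export steps earlier on this page to the key-server publication just above, as one unattended script. This is an added example, not code from the original page or from the sbt-release-early project. It needs GnuPG 2.1 or later; the name ci-release, the address ci@example.com, the placeholder passphrase, the two-year expiry and the KEYSERVER variable are all the example's own choices. It creates the key in a throwaway directory that stands in for ci-keys, writes pubring.asc and secring.asc there, signs a constructed file and verifies the detached signature, and only contacts a key server if KEYSERVER is set.

```shell
#!/bin/sh
# Added example, not code from the original page or the sbt-release-early project.
# Generates an isolated CI signing key without prompts, exports pubring.asc and
# secring.asc, proves the key can sign and verify, and optionally publishes the
# public key. Needs GnuPG 2.1+ on PATH. Names, passphrase, expiry and the
# KEYSERVER variable are placeholders chosen for this example.
set -eu

# gen_ci_key HOMEDIR NAME EMAIL PASSPHRASE
# Creates an RSA 4096 key pair in HOMEDIR from a batch parameter file, so the
# same command works on a laptop and in CI. An empty PASSPHRASE yields an
# unprotected key (%no-protection).
gen_ci_key() {
  mkdir -p "$1" && chmod 700 "$1"
  # Let the passphrase arrive on stdin instead of through a pinentry dialog.
  printf 'allow-loopback-pinentry\n' > "$1/gpg-agent.conf"
  if [ -n "$4" ]; then protection="Passphrase: $4"; else protection="%no-protection"; fi
  # ASCII-only name and no comment field, per the page's Travis escaping advice.
  cat > "$1/keyparams" <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
$protection
%commit
EOF
  gpg --homedir "$1" --batch --pinentry-mode loopback --gen-key "$1/keyparams"
  rm -f "$1/keyparams"   # the passphrase was written into this file
}

# key_fingerprint HOMEDIR: prints the 40 hex digit fingerprint of the primary
# key, the identifier to give a key server and to quote in release notes.
key_fingerprint() {
  gpg --homedir "$1" --batch --with-colons --list-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# export_ci_key HOMEDIR PASSPHRASE OUTDIR
# Writes OUTDIR/pubring.asc (public, safe to publish) and OUTDIR/secring.asc
# (the private key: keep it out of version control and give it to CI only
# in encrypted form).
export_ci_key() {
  mkdir -p "$3"
  gpg --homedir "$1" --batch --armor --export > "$3/pubring.asc"
  printf '%s' "$2" | gpg --homedir "$1" --batch --pinentry-mode loopback \
    --passphrase-fd 0 --armor --export-secret-keys > "$3/secring.asc"
  chmod 600 "$3/secring.asc"
}

# sign_and_verify HOMEDIR PASSPHRASE FILE
# Writes FILE.asc, the detached ASCII signature Maven Central expects beside
# each artifact, then verifies it; returns non-zero if either step fails.
sign_and_verify() {
  printf '%s' "$2" | gpg --homedir "$1" --batch --yes --pinentry-mode loopback \
    --passphrase-fd 0 --armor --detach-sign --output "$3.asc" "$3"
  gpg --homedir "$1" --batch --verify "$3.asc" "$3"
}

# publish_pubkey HOMEDIR FINGERPRINT KEYSERVER
# The command-line equivalent of pasting pubring.asc into the web form;
# fetching the key back by fingerprint is the check that the upload worked.
publish_pubkey() {
  gpg --homedir "$1" --batch --keyserver "$3" --send-keys "$2"
  gpg --homedir "$1" --batch --keyserver "$3" --recv-keys "$2"
}

if ! command -v gpg >/dev/null 2>&1; then
  echo "gpg not found; install GnuPG 2.1 or later to run this example" >&2
  exit 0
fi

CI_KEYS=$(mktemp -d)        # stands in for the page's ci-keys directory
CI_PASS='change-me-in-ci'   # placeholder; in CI, read it from a secret variable
gen_ci_key "$CI_KEYS" ci-release ci@example.com "$CI_PASS"
CI_FPR=$(key_fingerprint "$CI_KEYS")
export_ci_key "$CI_KEYS" "$CI_PASS" "$CI_KEYS/out"
printf 'constructed artifact content\n' > "$CI_KEYS/artifact.jar"   # constructed input
sign_and_verify "$CI_KEYS" "$CI_PASS" "$CI_KEYS/artifact.jar"
echo "key $CI_FPR exported to $CI_KEYS/out; detached signature verified"
# Network access only when the caller opts in, e.g. KEYSERVER=hkps://keyserver.ubuntu.com
if [ -n "${KEYSERVER:-}" ]; then
  publish_pubkey "$CI_KEYS" "$CI_FPR" "$KEYSERVER"
fi
gpgconf --homedir "$CI_KEYS" --kill gpg-agent 2>/dev/null || true
```

Run it as is to get a key, the two ASCII files and a verified signature in a temporary directory; set KEYSERVER to an hkps:// server address to also upload the public key and read it back. The passphrase is the one value that leaves this script for CI: store it as an encrypted CI variable, never in the repository next to secring.asc.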
This is a Scala Center project, originally created by jvican. It now powers the Scala Platform sbt plugin and several Scala Center projects. If you find it useful, give the Center a shout-out in our official Twitter account or let us know in our Gitter channel. Your feedback is important and motivates us to keep improving this plugin.