...
(taken from Apache Pulsar: https://github.com/apache/pulsar/wiki/Create-GPG-keys-to-sign-release-artifacts)
All artifacts must be signed by the release build. In order to be able to do this you need to set up GPG.
The key used to sign the artifacts has to be linked to your Apache e-mail address ({apache-id}@apache.org) and verified by at least one fellow Apache committer (ideally more) who has a trusted key themselves. Usually this means meeting an Apache committer with a trusted key in person. Attending an ApacheCon is a good way to do this, as nearly every ApacheCon has a key-signing event in its schedule. They can then sign your key and thereby enable you to sign Apache release artifacts. There's a detailed description here.
Info: This is a condensed version of the instructions available at https://infra.apache.org/release-signing and http://apache.org/dev/openpgp.html
The following steps are required in order to create a new GPG key and upload it to the KEYS file:
...
Repeat the same operation for the release KEYS file:
Info: If you are not a PMC member, you can skip this step.
```bash
svn co https://dist.apache.org/repos/dist/release/incubator/streampipes
# ... Same as above (the gpg commands are run inside the checked-out directory)
( gpg --list-sigs $USER@apache.org
  gpg --export --armor $USER@apache.org ) >> KEYS
# Commit to SVN
svn ci -m "Added gpg key for $USER"
```
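As an added illustration of what the KEYS file is for (this script is not part of the StreamPipes guide or the Apache infra instructions), the following function runs the export step above against a throwaway key and then acts as a downstream verifier: it seeds a fresh keyring from KEYS alone and checks a detached signature on a constructed artifact, once intact and once tampered with. The key's user ID, the temporary directories and the artifact contents are demo assumptions; a real release key is generated interactively, protected by a passphrase and signed by fellow committers as described above.

```shell
# Added example, not part of the StreamPipes guide or the Apache infra docs.
# Round-trips a KEYS file: a throwaway key is generated in an isolated
# GNUPGHOME, exported into KEYS exactly as in the guide, a constructed
# artifact is signed, and the signature is then checked from a *fresh*
# keyring seeded only from KEYS. Everything runs in a subshell so the
# caller's cwd and environment are untouched.
keys_roundtrip() (
    # Return 2 (not 1) when gpg is missing so callers can tell "skipped" from "failed".
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
    work=$(mktemp -d) || return 1
    cd "$work" || return 1

    # --- release manager side -------------------------------------------
    export GNUPGHOME="$work/signer"
    mkdir "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    # Unattended, passphrase-less generation is for the demo only (assumed
    # user ID); a real release key is created interactively with a passphrase.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Signer <demo@example.invalid>' rsa2048 sign 1d \
        >/dev/null 2>&1 || return 1

    # Same shape as the guide: human-readable listing, then the armored key.
    ( gpg --list-sigs demo@example.invalid
      gpg --export --armor demo@example.invalid ) >> KEYS || return 1

    # Constructed stand-in for a release tarball, plus a detached .asc signature.
    printf 'streampipes release tarball (demo contents)\n' > artifact.tar.gz
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign artifact.tar.gz >/dev/null 2>&1 || return 1
    gpgconf --kill gpg-agent 2>/dev/null

    # --- verifier side ---------------------------------------------------
    # A consumer never uses the signer's keyring; it imports KEYS into an empty one.
    export GNUPGHOME="$work/verifier"
    mkdir "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --import KEYS >/dev/null 2>&1 || return 1

    # 1. The genuine artifact must verify (gpg exits 0; the "not certified
    #    with a trusted signature" warning is expected for a fresh keyring).
    gpg --batch --verify artifact.tar.gz.asc artifact.tar.gz >/dev/null 2>&1 || return 1

    # 2. A tampered artifact must be rejected (BAD signature, non-zero exit).
    printf 'x' >> artifact.tar.gz
    if gpg --batch --verify artifact.tar.gz.asc artifact.tar.gz >/dev/null 2>&1; then
        return 1
    fi
    gpgconf --kill gpg-agent 2>/dev/null

    # KEYS must now contain exactly one armored public key block.
    [ "$(grep -c 'BEGIN PGP PUBLIC KEY BLOCK' KEYS)" -eq 1 ] || return 1
    return 0
)
```

Run it with `keys_roundtrip && echo OK`. The import step shows why the `gpg --list-sigs` text can be prepended to KEYS: gpg ignores everything outside the armored block. The tamper check is the part people forget: `gpg --verify` must be checked for its exit status, not merely run.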
...
So if you don't already have one, you should create a .m2 directory in your user home and inside that create a settings.xml file with at least this content:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <servers>
    <!-- Apache Repo Settings -->
    <server>
      <id>apache.snapshots.https</id>
      <username>{user-id}</username>
      <password>{user-pass}</password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username>{user-id}</username>
      <password>{user-pass}</password>
    </server>
  </servers>
</settings>
```
This tells Maven to use the above credentials whenever a repository with the id apache.snapshots.https or apache.releases.https is used. For a release all you need is the releases repo, but it is good to have the other in place as well, since it also lets you deploy SNAPSHOTs from your machine. These repos are defined in the apache parent POM and are identical for all Apache projects. Note that {user-pass} is your Apache account password, stored in plaintext: keep the file readable only by you (mode 0600), or store the passwords encrypted using Maven's settings-security.xml mechanism.
Additionally all artifacts are automatically signed by the release build, which requires the GPG setup described above.
Configure GPG for Maven:
If you happen to have multiple keys, adding the following profile to your settings.xml (inside the <profiles> element) should help:

```xml
<profile>
  <id>apache-release</id>
  <properties>
    <!-- Your GPG key name here; the full 40-hex-digit fingerprint is safer than an 8-digit short ID, which can collide -->
    <gpg.keyname>5C60D6B9</gpg.keyname>
    <!-- Use an agent: prevents being asked for the password during the build
         (GnuPG 2.1 and later always use the agent and ignore this setting) -->
    <gpg.useagent>true</gpg.useagent>
    <!-- Only needed if no agent/pinentry can prompt for it; this stores the passphrase in plaintext -->
    <gpg.passphrase>topsecret-password</gpg.passphrase>
  </properties>
</profile>
```
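A hardened variant of the two settings.xml fragments above, added here as an example and not taken from the StreamPipes project or the Apache infra docs: the Apache repository passwords and the signing passphrase are stored with Maven's built-in settings encryption instead of in plaintext, the passphrase is read from a server entry rather than a property (the gpg.passphraseServerId lookup of maven-gpg-plugin 1.6 and later, default id gpg.passphrase), and the key is selected by its full fingerprint rather than an 8-hex-digit short ID. The `{...}` values are placeholders for the output of `mvn --encrypt-password`, not real ciphertext, and the fingerprint is a made-up value.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added, hardened variant of the guide's settings.xml; not the project's own file.
     Values in {...} are placeholders for `mvn --encrypt-password` output. -->
<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <servers>
    <!-- Apache Repo Settings: same ids as the apache parent POM expects -->
    <server>
      <id>apache.snapshots.https</id>
      <username>{user-id}</username>
      <!-- encrypted with `mvn --encrypt-password`, decrypted at build time with the
           master key from ~/.m2/settings-security.xml -->
      <password>{encrypted-apache-password}</password>
    </server>
    <server>
      <id>apache.releases.https</id>
      <username>{user-id}</username>
      <password>{encrypted-apache-password}</password>
    </server>
    <!-- maven-gpg-plugin >= 1.6 looks the signing passphrase up in the server
         entry named by gpg.passphraseServerId (default "gpg.passphrase"), so it
         can be stored encrypted instead of as a plaintext gpg.passphrase property -->
    <server>
      <id>gpg.passphrase</id>
      <passphrase>{encrypted-gpg-passphrase}</passphrase>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>apache-release</id>
      <properties>
        <!-- made-up fingerprint: select the key by all 40 hex digits, never by a short ID -->
        <gpg.keyname>0123456789ABCDEF0123456789ABCDEF01234567</gpg.keyname>
      </properties>
    </profile>
  </profiles>
</settings>
```

Generate the master key once with `mvn --encrypt-master-password` and put its output in `~/.m2/settings-security.xml` as `<settingsSecurity><master>{...}</master></settingsSecurity>`, then encrypt each secret with `mvn --encrypt-password`. Keep both files mode 0600: the encryption protects against casual exposure of settings.xml (a backup, a pasted config, a screenshot), not against an attacker who can read your home directory, since the master key sits next to it. With GnuPG 2.1 or later and a working pinentry you can drop the gpg.passphrase server entry altogether and let the agent prompt once per session.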