
Support using this plugin out of maven projects #141

Open
ymaskin opened this issue Nov 14, 2022 · 4 comments
Labels
question Further information is requested.

Comments

ymaskin commented Nov 14, 2022

I'm using mvn gpg:sign-and-deploy-file to sign and create a staging repo from an existing artifact (built using Gradle on Android) before publishing it to the Nexus repo (Sonatype).
The main issue I'm facing currently is using this method in CI/CD, because I need to share the same gpg key across all my agents in the cloud.

I would like to have a solution as you provide, signing with the private key stored in environment variables without needing to copy and share the full .gnupg directory.

Is there a way to use your plugin in that kind of situation? In all the examples I see a project pom.xml file, but I don't have one. If you have a way to do that using CLI commands it would be great...

Thanks

slawekjaranowski (Member) commented

When you build your project with Gradle, you can use the Gradle Signing plugin; you can provide keys in environment variables.

https://docs.gradle.org/current/userguide/signing_plugin.html#sec:in-memory-keys

slawekjaranowski added the question label Nov 14, 2022

ymaskin (Author) commented Nov 15, 2022

@slawekjaranowski Thank you for your response.
I need to sign an existing artifact from the JFrog Artifactory (in this step I'm not using Gradle). I found a way to do that using the maven plugin with this command:
mvn gpg:sign-and-deploy-file
Is there a way to sign it with the private key itself without having all the files under the .gnupg directory?
I need to do it on multiple agents on Jenkins, and I prefer to store my private key instead of creating this directory dynamically.

slawekjaranowski (Member) commented

Maven artifacts are immutable by design.
You should not change existing artifacts.

https://central.sonatype.org/faq/can-i-change-a-component/

ymaskin (Author) commented Nov 15, 2022

I'm not changing my artifacts.
I'm using JFrog as staging and for development and want to publish the same artifact to Maven Central through Sonatype.
For this, I must sign the original artifacts per Sonatype requirements, and I found a way to do that very smoothly using the maven plugin.
The maven plugin provides the command mvn gpg:sign-and-deploy-file, which uses the gpg key from .gnupg under the home directory for signing. It provides a way to choose which key but does not provide a way to pass the actual private key as a string or through environment variables.
Can your plugin solve this for me?

The other option would be copying the whole .gnupg directory and exporting it to all my agents in the cloud, or using Docker and pasting that directory there, but it seems too complicated and kind of messy.
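The pattern the thread is circling (a private key delivered to the agent through an environment variable, no shared .gnupg directory) can be done with plain gpg around the Maven call. The script below is an added example, not code from the maven-gpg-plugin project or from anyone in this thread. It assumes two variable names of its own choosing, GPG_PRIVATE_KEY (the ASCII-armoured secret key, as produced by gpg --armor --export-secret-keys) and GPG_PASSPHRASE (possibly empty), and the artifact path in the usage comment is a placeholder. It creates an owner-only temporary GNUPGHOME, imports the key there, signs and verifies a detached .asc, and removes the directory together with the gpg-agent that was started for it, so no key material stays on the agent after the job.

```shell
#!/bin/sh
# Added example (not the maven-gpg-plugin project's code): sign an artifact in
# CI with a private key taken from an environment variable instead of copying
# ~/.gnupg to every agent. Assumed variable names: GPG_PRIVATE_KEY (armoured
# secret key) and GPG_PASSPHRASE (its passphrase; may be empty).
set -eu

# Create a throwaway GNUPGHOME with owner-only permissions. Keyrings, trust db
# and the agent socket all land here, so nothing persists after cleanup.
make_gnupghome() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# Import the key from GPG_PRIVATE_KEY into the given home and print the
# fingerprint of the imported primary secret key. Loopback pinentry keeps gpg
# from trying to open a terminal prompt on a headless agent.
import_key_from_env() {
    home=$1
    printf '%s\n' "${GPG_PRIVATE_KEY:?GPG_PRIVATE_KEY is not set}" \
        | GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback \
            --passphrase "${GPG_PASSPHRASE:-}" --import
    GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Produce the detached, ASCII-armoured signature (the .asc that Sonatype
# expects next to each artifact) with the key identified by fingerprint.
sign_detached() {
    home=$1; fpr=$2; file=$3
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback \
        --passphrase "${GPG_PASSPHRASE:-}" --local-user "$fpr" \
        --armor --detach-sign --output "$file.asc" "$file"
    printf '%s\n' "$file.asc"
}

# Check the signature against the same ephemeral keyring; non-zero on failure.
verify_detached() {
    home=$1; file=$2
    GNUPGHOME="$home" gpg --batch --verify "$file.asc" "$file" 2>/dev/null
}

# Stop the agent gpg started for this home and delete the directory.
cleanup_gnupghome() {
    home=$1
    GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$home"
}

# Usage in a CI step (artifact path is a placeholder):
#   home=$(make_gnupghome)
#   fpr=$(import_key_from_env "$home")
#   sign_detached "$home" "$fpr" path/to/artifact.aar
#   verify_detached "$home" path/to/artifact.aar
#   cleanup_gnupghome "$home"
```

If the signing itself should stay inside Maven, the same ephemeral directory and fingerprint can be handed to mvn gpg:sign-and-deploy-file through the plugin's gpg.homedir and gpg.keyname properties (with gpg.passphrase for a protected key) between the import and cleanup steps; the point of the temporary home is that the secret only ever exists on the agent for the duration of the job and is never checked into an image or a shared volume.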
