@typelogic
Forked from phit/gradlesigning.md
Created November 9, 2020 07:58
Gradle Signing for Dummies

Setup

Windows

Download the current GnuPG binary release for Windows from the official site and install it.

Linux

Grab the latest gpg from your package manager if it isn't installed already ;)

Making & exporting a keyring to use with gradle signing

Open a command prompt and run gpg --gen-key; this will guide you through the creation of your first keypair. Make sure to enter a secure passphrase which you can remember: it is the only thing protecting the exported secret key file we create below.

Since GnuPG 2.1 the secring.gpg keyring file that the Gradle Signing plugin reads is no longer used: GnuPG now keeps secret keys in its own private-keys-v1.d store and public keys in pubring.kbx. To get around that we export the keypair we just created into the old secring.gpg format. (Newer Gradle versions can also call the gpg agent directly via useGpgCmd() in the signing block, which avoids exporting the secret key at all; this guide sticks with the secring file.)

Again open a command prompt and figure out the key ID for your keypair by running (gpg --list-secret-keys shows only keys you hold the secret part of, which is what you want for signing):

gpg --list-keys

Example output:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2019-06-17
C:/Users/phit/AppData/Roaming/gnupg/pubring.kbx
-----------------------------------------------
pub   rsa2048 2017-06-17 [SC] [expires: 2019-06-17]
      77273D57FA5140E5A91905087A1B92B81840D019
uid           [ultimate] phit@hush.com
sub   rsa2048 2017-06-17 [E] [expires: 2019-06-17]

In this case we only have one key. The 40-character value 77273D57FA5140E5A91905087A1B92B81840D019 is the full fingerprint; the short key ID is 1840D019, which is simply the last 8 hex characters of the fingerprint (the last 16, 7A1B92B81840D019, are the long key ID). Gradle's signing.keyId expects the 8-character short form. Short IDs are not unique, so if gpg ever reports the ID as ambiguous, use the full fingerprint in the export command below instead.

Run this command to export a keyring in the format needed for Gradle signing, replacing XXXXXXXX with your key ID (on Linux use ~/Desktop/secring.gpg instead of the %UserProfile% path). You will have to enter your passphrase for this.

gpg --export-secret-key XXXXXXXX > %UserProfile%/Desktop/secring.gpg

This will create a file on your Desktop called secring.gpg. Hang on to it, this is the file we need for Gradle. It contains your private key, protected only by the passphrase, so keep it out of shared folders and version control and restrict its permissions (chmod 600 on Linux).
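The key lookup, export and a verification check as a script, added here as an example that is not part of the original gist. Instead of reading the human-readable listing by eye it parses gpg's machine-readable --with-colons output (field 5 of the sec record is the long key ID, field 10 of the fpr record is the fingerprint), derives the 8-character short ID Gradle wants, exports the legacy secring with restrictive permissions, and checks a built jar's .asc signature against the expected fingerprint rather than accepting any valid signature. SAMPLE_LISTING is constructed from the key shown above (the subkey ID and uid hash are placeholders); the function names are my own.

```shell
#!/bin/sh
# Added example, not the gist author's code. Helpers for the secring
# export procedure above plus a signature check for the build output.

# Constructed sample of `gpg --list-secret-keys --with-colons` output, built
# from the key shown in the gist. Subkey ID and uid hash are placeholders.
SAMPLE_LISTING='sec:u:2048:1:7A1B92B81840D019:1497657600:1560729600::u:::scESC:::+:::23::0:
fpr:::::::::77273D57FA5140E5A91905087A1B92B81840D019:
uid:u::::1497657600::0000000000000000000000000000000000000000::phit@hush.com::::::::::0:
ssb:u:2048:1:0000000000000000:1497657600:1560729600:::::e:::+:::23:'

# Long (16 hex) key ID of the first secret primary key: field 5 of "sec".
long_key_id() {
  awk -F: '$1 == "sec" { print $5; exit }'
}

# Full 40-hex fingerprint: field 10 of the first "fpr" record.
fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Gradle's signing.keyId wants the short ID: the last 8 hex digits of the
# long ID (equivalently, of the fingerprint).
short_key_id() {
  long_key_id | awk '{ print substr($0, length($0) - 7) }'
}

# Export the secret key in the legacy keyring format Gradle reads and lock
# the file down: it is a passphrase-protected private key, not a build input
# that belongs in the repository.
export_secring() {
  keyid=$1; out=$2
  gpg --export-secret-keys "$keyid" > "$out" || return 1
  chmod 600 "$out"
}

# Check the detached signature the build produces (foo.jar + foo.jar.asc).
# Only a VALIDSIG status line carrying the expected fingerprint passes, so a
# good signature from the wrong key is rejected too.
verify_artifact() {
  artifact=$1; expected_fpr=$2
  gpg --status-fd 1 --verify "$artifact.asc" "$artifact" 2>/dev/null \
    | awk -v fpr="$expected_fpr" \
        '$2 == "VALIDSIG" && $3 == fpr { ok = 1 } END { exit !ok }'
}

# Run against your real keyring: GRADLE_SIGNING_DEMO=1 sh thisscript.sh
main() {
  if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found" >&2
    return 1
  fi
  listing=$(gpg --list-secret-keys --with-colons)
  keyid=$(printf '%s\n' "$listing" | short_key_id)
  fpr=$(printf '%s\n' "$listing" | fingerprint)
  echo "signing.keyId=$keyid   (fingerprint $fpr)"
  export_secring "$keyid" "$HOME/secring.gpg" && echo "wrote $HOME/secring.gpg"
}

if [ -n "${GRADLE_SIGNING_DEMO:-}" ]; then main; fi
```

After a signed build, verify_artifact build/libs/myplugin.jar 77273D57FA5140E5A91905087A1B92B81840D019 returns 0 only when the .asc was made by that key; a plain gpg --verify also succeeds for any key in your keyring, which is not what a release check should mean.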

Configuring automatic signing after building

build.gradle

First we need to add the signing plugin to the plugins block at the top of build.gradle; just add id 'signing' like so:

plugins {
    id 'java'
    id 'idea'
    id 'signing'
    id 'org.spongepowered.plugin' version '0.6'
}

Then add this at the very bottom of your build.gradle

signing {
    if (project.hasProperty('signing.keyId') && project.hasProperty('signing.password') && project.hasProperty('signing.secretKeyRingFile')) {
        sign configurations.archives
        
        /* Uncomment this if you use shadow in your build process */
        // sign configurations.shadow
    }
}

The if clause makes sure signing only runs when you have defined the three necessary properties, so a fresh clone without them still builds (unsigned) instead of failing. Also note the commented-out line for the shadow plugin: if your release artifact is the shadow jar, that is the one you need signed. Newer Gradle versions deprecate the archives configuration; the current Gradle signing docs (linked below) sign publications instead, e.g. sign publishing.publications.mavenJava, so use that form if you publish through the maven-publish plugin.

gradle.properties

Note: Do not share your gradle.properties or secring.gpg on git(hub) or with anyone else! Together they are enough to sign releases as you.

Since we don't want the passphrase to be part of your normal (committed) Gradle config, you have to create a gradle.properties with the following values: the short key ID (see above if you forgot how to get that one), your passphrase and the path to your secring.gpg. Put it in your Gradle user home (~/.gradle/gradle.properties, or %UserProfile%\.gradle\gradle.properties on Windows) rather than in the project directory, since Gradle reads properties from both places and the user-home copy can never end up in the repository; if you must keep it in the project, add it to .gitignore first. In the end it should look like this:

signing.keyId=XXXXXXXX
signing.password=mypassword
signing.secretKeyRingFile=path/to/secring.gpg

That's it. Now when you run your normal build, all jars will be automatically signed and you will find an additional .asc file (a detached, ASCII-armored signature) next to each jar in your build output directory, which anyone holding your public key can verify with gpg.

If you have any question, you can reach me on discord at phit#4970.

Other useful documentation

Commonly used GPG command cheatsheet with simple explanations: http://irtfweb.ifa.hawaii.edu/~lockhart/gpg/
Gradle Signing Docs: https://docs.gradle.org/current/userguide/signing_plugin.html
