Creates OpenPGP / GPG signatures for all of the project's artifacts without any external software.
This plugin is an easy drop-in replacement for maven-gpg-plugin and provides new features:
- all signing operations are done using Bouncy Castle
- supports Maven 3.6 and is ready for the next Maven version, 4.0
- supports a subkey for signing
- easy to use on a CI system; configuration can be provided by environment variables
- the key passphrase can be encrypted with standard Maven Password Encryption
- no need to store the private key on the CI system; you can pass the key in an environment variable
Please look at our tutorial.
```xml
<plugins>
  <plugin>
    <groupId>org.simplify4u.plugins</groupId>
    <artifactId>sign-maven-plugin</artifactId>
    <version><!-- check releases page --></version>
    <executions>
      <execution>
        <goals>
          <goal>sign</goal>
        </goals>
        <configuration>
          <keyId><!-- key id in hex --></keyId>
          <keyPass><!-- private key passphrase --></keyPass>
          <keyFile><!-- private key file location --></keyFile>
        </configuration>
      </execution>
    </executions>
  </plugin>
  ...
</plugins>
```
Key configuration can be provided by the environment variables `SIGN_KEY`, `SIGN_KEY_ID` and `SIGN_KEY_PASS`.
When using environment variables for configuration, `SIGN_KEY` must contain the private key content itself, not the path to a key file.
So your pom configuration can be simplified to:
```xml
<plugins>
  <plugin>
    <groupId>org.simplify4u.plugins</groupId>
    <artifactId>sign-maven-plugin</artifactId>
    <version><!-- check releases page --></version>
    <executions>
      <execution>
        <goals>
          <goal>sign</goal>
        </goals>
      </execution>
    </executions>
  </plugin>
  ...
</plugins>
```
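As an added example (not the plugin's own code), a POSIX shell pre-flight for the environment-variable configuration above: it rejects a `SIGN_KEY` that holds a file path instead of the key content, and after the build checks that every artifact in `target/` received a detached `.asc` signature. The function names, the hex-length rule for the key id and the `target/` layout are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of sign-maven-plugin: a CI pre-flight for the
# SIGN_KEY / SIGN_KEY_ID / SIGN_KEY_PASS configuration. Function names and the
# assumption that detached signatures land in target/ as <artifact>.asc are ours.

# Returns 0 when SIGN_KEY and SIGN_KEY_ID look usable, 1 otherwise.
# SIGN_KEY_PASS is only needed for a passphrase-protected key, so it is not required here.
check_sign_env() {
  if [ -z "${SIGN_KEY:-}" ]; then
    echo "SIGN_KEY is not set" >&2; return 1
  fi
  # The plugin expects the key material itself, not a path to a key file.
  case "$SIGN_KEY" in
    "-----BEGIN PGP PRIVATE KEY BLOCK-----"*) ;;
    *) echo "SIGN_KEY must hold the armored private key, not a file path" >&2; return 1 ;;
  esac
  # keyId is given in hex; require 8 to 40 hex digits (short id up to full fingerprint; assumption).
  if ! printf '%s' "${SIGN_KEY_ID:-}" | grep -Eq '^[0-9A-Fa-f]{8,40}$'; then
    echo "SIGN_KEY_ID must be a hex key id" >&2; return 1
  fi
  return 0
}

# Returns 0 when every .jar and .pom in the given directory has a non-empty .asc beside it.
check_signatures() {
  dir="${1:-target}"
  missing=0
  for artifact in "$dir"/*.jar "$dir"/*.pom; do
    [ -e "$artifact" ] || continue            # unmatched glob, nothing to check
    if [ ! -s "$artifact.asc" ]; then
      echo "missing detached signature: $artifact.asc" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Full CI flow: refuse to start a build with a broken signing setup, then make
# sure the build actually produced signatures before anything gets published.
signed_build() {
  check_sign_env || return 1
  mvn -B verify || return 1
  check_signatures target
}
```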
You can find more information about configuration options on the site:
https://www.simplify4u.org/sign-maven-plugin/
Each build of the current version is deployed to the Sonatype snapshots repository.