Release artifacts are signed. This is handled by the GitHub workflow.
To test the creation of signed artifacts on the local machine, follow steps below:
- Change property
VERSION_NAMEingradle.propertiesso that it does not end with-SNAPSHOT. Whenever the version ends with-SNAPSHOT, the artifacts are never signed. Make sure that this change is not committed. - Use GPG to generate a key. Maven requires a RSA key of at least 4096 bits. Most likely it does not matter for local publication whether this is used. Execute command:
gpg --full-gen-key- Please select what kind of key you want: 1) RSA - RSA
- What keysize do you want? 4096
- Key is valid for? 0 (does not expire)
- Real-name: ktlint-test
- Email address: ktlint-test@nowhere.com
- Comment: Test signing of ktlint artifacts on local machine only
- Passphrase: i-will-try-no-to-forget-this-passphrase
- The output ends with something like
pub rsa4096 2023-10-08 [SC] 5B0ABB03277D2FEB46FE7E8E22D6006063A5D3C3 uid ktlint-test (Test signing of ktlint artifacts on local machine only) <ktlint-test@nowhere.com> sub rsa4096 2023-10-08 [E] - Execute all commands below in the same terminal
export ORG_GRADLE_PROJECT_signingKeyId="63A5D3C3" # Last 8 characters of full id of the public key generated by gpg command above export ORG_GRADLE_PROJECT_signingKeyPassword="i-will-try-no-to-forget-this-passphrase" # Command below will export the armored GPG signing key and store it in an environment variable. Note that this command will ask for the password (see ORG_GRADLE_PROJECT_signingKeyPassword). export ORG_GRADLE_PROJECT_signingKey="$(gpg --export-secret-keys --armor $ORG_GRADLE_PROJECT_signingKeyId | tail -r | tail -n +3 | tail -r | tail -n +3 | tr -d '\n')"
- Execute the Gradle publication (this can not be combined with the export statements above because of the manual input of the passphrase)
./gradlew publishToMavenLocal