Signing

Signing ensures that the artifacts were generated by you; your users can verify this by checking the generated signature against your public signing key.

JReleaser can sign all files, including distribution archives and any extra files attached to the project. This section must be configured if you intend to sign commits as well. You may sign using PGP or Sigstore's cosign.

Use the following options to customize how files may be signed:

YAML:

signing:
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  # 
  active: ALWAYS

  # Generates an armored signature.
  # Defaults to `false`.
  # 
  armored: true

  # How should GPG keys be handled.
  # Valid values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
  # Defaults to `MEMORY`.
  # 
  mode: MEMORY

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  #  
  passphrase: __DO_NOT_SET_HERE__

  # The public GPG (ascii armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  publicKey: __DO_NOT_SET_HERE__

  # The private GPG (ascii armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  secretKey: __DO_NOT_SET_HERE__

  # Sign files.
  # Defaults to `true`.
  # 
  files: true

  # Sign distribution artifacts.
  # Defaults to `true`.
  # 
  artifacts: true

  # Sign checksum files.
  # Defaults to `true`.
  # 
  checksums: true

  # Settings used when mode = `COMMAND`.
  # 
  command:
    # The executable used for signing.
    # If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
    # environment variable must be defined.
    # Defaults to `gpg[.exe]`.
    # When mode = `COMMAND`.
    #  
    executable: gpg

    # The directory from which gpg will load keyrings.
    # If left unspecified, the `JRELEASER_GPG_HOMEDIR`
    # environment variable must be defined.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #  
    homeDir: /home/users/duke/.gnugpg

    # The "name" of the key to sign with.
    # If left unspecified, the `JRELEASER_GPG_KEYNAME`
    # environment variable must be defined.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #  
    keyName: 0CB28B71EF50

    # The path to a public keyring to add to the list of keyrings.
    # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
    # environment variable must be defined.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #  
    publicKeyring: my-pubring.gpg

    # Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
    # Defaults to `true`.
    # When mode = `COMMAND`.
    # 
    defaultKeyring: true

    # Sets the arguments to be passed to gpg.
    # When mode = `COMMAND`.
    # 
    args:
      - '--no-random-seed-file'

  # Settings used when mode = `COSIGN`.
  # 
  cosign:
    # Tool version.
    # 
    version: 1.4.1

    # The private cosign key.
    # If left unspecified, the `JRELEASER_COSIGN_PRIVATE_KEY`
    # environment variable must be defined.
    #  
    privateKeyFile: __DO_NOT_SET_HERE__

    # The public cosign key.
    # If left unspecified, the `JRELEASER_COSIGN_PUBLIC_KEY`
    # environment variable must be defined.
    #  
    publicKeyFile: __DO_NOT_SET_HERE__

TOML:

[signing]
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  # 
  active = "ALWAYS"

  # Generates an armored signature.
  # Defaults to `false`.
  # 
  armored = true

  # How should GPG keys be handled.
  # Valid values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
  # Defaults to `MEMORY`.
  # 
  mode = "MEMORY"

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  #  
  passphrase = "__DO_NOT_SET_HERE__"

  # The public GPG (ascii armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  publicKey = "__DO_NOT_SET_HERE__"

  # The private GPG (ascii armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  secretKey = "__DO_NOT_SET_HERE__"

  # Sign files.
  # Defaults to `true`.
  # 
  files = true

  # Sign distribution artifacts.
  # Defaults to `true`.
  # 
  artifacts = true

  # Sign checksum files.
  # Defaults to `true`.
  # 
  checksums = true

  # Settings used when mode = `COMMAND`.
  # 

  # The executable used for signing.
  # If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
  # environment variable must be defined.
  # Defaults to `gpg[.exe]`.
  # When mode = `COMMAND`.
  #  
  command.executable = "gpg"

  # The directory from which gpg will load keyrings.
  # If left unspecified, the `JRELEASER_GPG_HOMEDIR`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  command.homeDir = "/home/users/duke/.gnugpg"

  # The "name" of the key to sign with.
  # If left unspecified, the `JRELEASER_GPG_KEYNAME`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  command.keyName = "0CB28B71EF50"

  # The path to a public keyring to add to the list of keyrings.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  command.publicKeyring = "my-pubring.gpg"

  # Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
  # Defaults to `true`.
  # When mode = `COMMAND`.
  # 
  command.defaultKeyring = true

  # Sets the arguments to be passed to gpg.
  # When mode = `COMMAND`.
  # 
  command.args = ["--no-random-seed-file"]

  # Settings used when mode = `COSIGN`.
  # 

  # Tool version.
  # 
  cosign.version = "1.4.1"

  # The private cosign key.
  # If left unspecified, the `JRELEASER_COSIGN_PRIVATE_KEY`
  # environment variable must be defined.
  #  
  cosign.privateKeyFile = "__DO_NOT_SET_HERE__"

  # The public cosign key.
  # If left unspecified, the `JRELEASER_COSIGN_PUBLIC_KEY`
  # environment variable must be defined.
  #  
  cosign.publicKeyFile = "__DO_NOT_SET_HERE__"

JSON:

{
  "signing": {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    // 
    "active": "ALWAYS",

    // Generates an armored signature.
    // Defaults to `false`.
    // 
    "armored": true,

    // How should GPG keys be handled.
    // Valid values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
    // Defaults to `MEMORY`.
    // 
    "mode": "MEMORY",

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    //  
    "passphrase": "__DO_NOT_SET_HERE__",

    // The public GPG (ascii armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    "publicKey": "__DO_NOT_SET_HERE__",

    // The private GPG (ascii armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    "secretKey": "__DO_NOT_SET_HERE__",

    // Sign files.
    // Defaults to `true`.
    // 
    "files": true,

    // Sign distribution artifacts.
    // Defaults to `true`.
    // 
    "artifacts": true,

    // Sign checksum files.
    // Defaults to `true`.
    // 
    "checksums": true,

    // Settings used when mode = `COMMAND`.
    // 
    "command": {

      // The executable used for signing.
      // If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
      // environment variable must be defined.
      // Defaults to `gpg[.exe]`.
      // When mode = `COMMAND`.
      //  
      "executable": "gpg",

      // The directory from which gpg will load keyrings.
      // If left unspecified, the `JRELEASER_GPG_HOMEDIR`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      "homeDir": "/home/users/duke/.gnugpg",

      // The "name" of the key to sign with.
      // If left unspecified, the `JRELEASER_GPG_KEYNAME`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      "keyName": "0CB28B71EF50",

      // The path to a public keyring to add to the list of keyrings.
      // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      "publicKeyring": "my-pubring.gpg",

      // Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
      // Defaults to `true`.
      // When mode = `COMMAND`.
      // 
      "defaultKeyring": true,

      // Sets the arguments to be passed to gpg.
      // When mode = `COMMAND`.
      // 
      "args": [
        "--no-random-seed-file"
      ]
    },

    // Settings used when mode = `COSIGN`.
    // 
    "cosign": {
      // Tool version.
      // 
      "version": "1.4.1",

      // The private cosign key.
      // If left unspecified, the `JRELEASER_COSIGN_PRIVATE_KEY`
      // environment variable must be defined.
      //  
      "privateKeyFile": "__DO_NOT_SET_HERE__",

      // The public cosign key.
      // If left unspecified, the `JRELEASER_COSIGN_PUBLIC_KEY`
      // environment variable must be defined.
      //  
      "publicKeyFile": "__DO_NOT_SET_HERE__"
    }
  }
}

Maven:

<jreleaser>
  <signing>

    <!--
      Enables or disables file signing.
      Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
      Defaults to `NEVER`.
      
    -->
    <active>ALWAYS</active>

    <!--
      Generates an armored signature.
      Defaults to `false`.
      
    -->
    <armored>true</armored>

    <!--
      How should GPG keys be handled.
      Valid values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
      Defaults to `MEMORY`.
      
    -->
    <mode>MEMORY</mode>

    <!--
      The passphrase required to read secret keys.
      If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
      environment variable must be defined.
       
    -->
    <passphrase>__DO_NOT_SET_HERE__</passphrase>

    <!--
      The public GPG (ascii armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
      environment variable must be defined.
      Required when mode = `MEMORY` || `FILE`.
       
    -->
    <publicKey>__DO_NOT_SET_HERE__</publicKey>

    <!--
      The private GPG (ascii armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
      environment variable must be defined.
      Required when mode = `MEMORY` || `FILE`.
       
    -->
    <secretKey>__DO_NOT_SET_HERE__</secretKey>

    <!--
      Sign files.
      Defaults to `true`.
      
    -->
    <files>true</files>

    <!--
      Sign distribution artifacts.
      Defaults to `true`.
      
    -->
    <artifacts>true</artifacts>

    <!--
      Sign checksum files.
      Defaults to `true`.
      
    -->
    <checksums>true</checksums>

    <!--
      Settings used when mode = `COMMAND`.
      
    -->
    <command>
      <!--
        The executable used for signing.
        If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
        environment variable must be defined.
        Defaults to `gpg[.exe]`.
        When mode = `COMMAND`.
         
      -->
      <executable>gpg</executable>

      <!--
        The directory from which gpg will load keyrings.
        If left unspecified, the `JRELEASER_GPG_HOMEDIR`
        environment variable must be defined.
        Defaults to empty.
        When mode = `COMMAND`.
         
      -->
      <homeDir>/home/users/duke/.gnugpg</homeDir>

      <!--
        The "name" of the key to sign with.
        If left unspecified, the `JRELEASER_GPG_KEYNAME`
        environment variable must be defined.
        Defaults to empty.
        When mode = `COMMAND`.
         
      -->
      <keyName>0CB28B71EF50</keyName>

      <!--
        The path to a public keyring to add to the list of keyrings.
        If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
        environment variable must be defined.
        Defaults to empty.
        When mode = `COMMAND`.
         
      -->
      <publicKeyring>my-pubring.gpg</publicKeyring>

      <!--
        Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
        Defaults to `true`.
        When mode = `COMMAND`.
        
      -->
      <defaultKeyring>true</defaultKeyring>

      <!--
        Sets the arguments to be passed to gpg.
        When mode = `COMMAND`.
        
      -->
      <args>
        <arg>--no-random-seed-file</arg>
      </args>
    </command>

    <!--
      Settings used when mode = `COSIGN`.
      
    -->
    <cosign>
      <!--
        Tool version.
        
      -->
      <version>1.4.1</version>

      <!--
        The private cosign key.
        If left unspecified, the `JRELEASER_COSIGN_PRIVATE_KEY`
        environment variable must be defined.
         
      -->
      <privateKeyFile>__DO_NOT_SET_HERE__</privateKeyFile>

      <!--
        The public cosign key.
        If left unspecified, the `JRELEASER_COSIGN_PUBLIC_KEY`
        environment variable must be defined.
         
      -->
      <publicKeyFile>__DO_NOT_SET_HERE__</publicKeyFile>
    </cosign>
  </signing>
</jreleaser>

Gradle:

jreleaser {
  signing {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    // 
    active = 'ALWAYS'

    // Generates an armored signature.
    // Defaults to `false`.
    // 
    armored = true

    // How should GPG keys be handled.
    // Valid values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
    // Defaults to `MEMORY`.
    // 
    mode = 'MEMORY'

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    //  
    passphrase = '__DO_NOT_SET_HERE__'

    // The public GPG (ascii armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    publicKey = '__DO_NOT_SET_HERE__'

    // The private GPG (ascii armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    secretKey = '__DO_NOT_SET_HERE__'

    // Sign files.
    // Defaults to `true`.
    // 
    files = true

    // Sign distribution artifacts.
    // Defaults to `true`.
    // 
    artifacts = true

    // Sign checksum files.
    // Defaults to `true`.
    // 
    checksums = true

    // Settings used when mode = `COMMAND`.
    // 
    command {
      // The executable used for signing.
      // If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
      // environment variable must be defined.
      // Defaults to `gpg[.exe]`.
      // When mode = `COMMAND`.
      //  
      executable = 'gpg'

      // The directory from which gpg will load keyrings.
      // If left unspecified, the `JRELEASER_GPG_HOMEDIR`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      homeDir = '/home/users/duke/.gnugpg'

      // The "name" of the key to sign with.
      // If left unspecified, the `JRELEASER_GPG_KEYNAME`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      keyName = '0CB28B71EF50'

      // The path to a public keyring to add to the list of keyrings.
      // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
      // environment variable must be defined.
      // Defaults to empty.
      // When mode = `COMMAND`.
      //  
      publicKeyring = 'my-pubring.gpg'

      // Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
      // Defaults to `true`.
      // When mode = `COMMAND`.
      // 
      defaultKeyring = true

      // Sets the arguments to be passed to gpg.
      // When mode = `COMMAND`.
      // 
      args = ['--no-random-seed-file']
    }

    // Settings used when mode = `COSIGN`.
    // 
    cosign {
      // Tool version.
      // 
      version = '1.4.1'

      // The private cosign key.
      // If left unspecified, the `JRELEASER_COSIGN_PRIVATE_KEY`
      // environment variable must be defined.
      //  
      privateKeyFile = '__DO_NOT_SET_HERE__'

      // The public cosign key.
      // If left unspecified, the `JRELEASER_COSIGN_PUBLIC_KEY`
      // environment variable must be defined.
      //  
      publicKeyFile = '__DO_NOT_SET_HERE__'
    }
  }
}
Prefer environment variables (see Environment) if the configuration is stored in a public repository.
When not explicitly set, the value of active may be resolved from an environment variable JRELEASER_SIGNING_ACTIVE or from a system property jreleaser.signing.active. The system property takes precedence over the environment variable.

Mode

When the mode is set to MEMORY (the default) then the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as the actual contents for each key.

When the mode is set to FILE then the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as paths to the files that contain the keys.

When the mode is set to COMMAND then JReleaser expects appropriate command settings to be configured, such as the signing executable (gpg by default). Signing and verification will be invoked in non-interactive mode.

Cosign

You may sign artifacts, files, and checksums using Sigstore's cosign; however, you cannot sign commits or tags when COSIGN mode is active.

You may use JRELEASER_COSIGN_PASSWORD instead of JRELEASER_GPG_PASSPHRASE to define the password required by cosign.

You must define a value for the version property. JReleaser will check whether a matching binary exists on the system, or download a binary that matches the current platform. If you do not have an existing private/public key pair, JReleaser will generate one for you and store it in $JRELEASER_USER_HOME, which is ~/.jreleaser by default.

The public cosign key file will automatically be uploaded as a release asset.
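The Mode and Cosign rules above, together with the advice to keep secrets in the environment rather than in a committed configuration, can be enforced before a release job runs. The following POSIX shell script is an added example and is not part of JReleaser or its documentation; it assumes only the JRELEASER_* variable names documented on this page, while the function names and the specific checks are its own.

```shell
#!/bin/sh
# Added example; not part of JReleaser or its documentation. A pre-flight
# check for a CI release job: confirms that the environment matches the
# configured signing mode (MEMORY, FILE, COMMAND or COSIGN) before JReleaser
# runs, and that the committed config carries no inline secret. The
# JRELEASER_* variable names are the ones documented on this page; the
# function names and the exact checks are this example's own assumptions.

# _is_armored VALUE: succeeds when VALUE begins like an ASCII-armored PGP key block.
_is_armored() {
  case "$1" in
    "-----BEGIN PGP PUBLIC KEY BLOCK-----"*|"-----BEGIN PGP PRIVATE KEY BLOCK-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# _require NAME: fails with a message when the variable NAME is unset or empty.
_require() {
  eval "_val=\${$1:-}"
  if [ -z "$_val" ]; then
    echo "signing: $1 must be set in the environment" >&2
    return 1
  fi
}

# check_signing_env MODE: returns 0 when the environment satisfies MODE.
check_signing_env() {
  case "$1" in
    MEMORY)
      # MEMORY: the variables hold the key material itself.
      _require JRELEASER_GPG_PASSPHRASE || return 1
      _require JRELEASER_GPG_PUBLIC_KEY || return 1
      _require JRELEASER_GPG_SECRET_KEY || return 1
      if ! _is_armored "$JRELEASER_GPG_PUBLIC_KEY" || ! _is_armored "$JRELEASER_GPG_SECRET_KEY"; then
        echo "signing: MEMORY mode expects ASCII-armored key blocks, not file paths" >&2
        return 1
      fi
      ;;
    FILE)
      # FILE: the variables are paths; both files must be readable.
      _require JRELEASER_GPG_PASSPHRASE || return 1
      _require JRELEASER_GPG_PUBLIC_KEY || return 1
      _require JRELEASER_GPG_SECRET_KEY || return 1
      for _f in "$JRELEASER_GPG_PUBLIC_KEY" "$JRELEASER_GPG_SECRET_KEY"; do
        if [ ! -r "$_f" ]; then
          echo "signing: FILE mode: cannot read key file $_f" >&2
          return 1
        fi
      done
      ;;
    COMMAND)
      # COMMAND: JReleaser shells out to gpg, so the executable must resolve on PATH.
      _exe="${JRELEASER_GPG_EXECUTABLE:-gpg}"
      if ! command -v "$_exe" >/dev/null 2>&1; then
        echo "signing: COMMAND mode: executable '$_exe' not found on PATH" >&2
        return 1
      fi
      ;;
    COSIGN)
      # COSIGN: JRELEASER_COSIGN_PASSWORD may stand in for JRELEASER_GPG_PASSPHRASE.
      if [ -z "${JRELEASER_COSIGN_PASSWORD:-}" ] && [ -z "${JRELEASER_GPG_PASSPHRASE:-}" ]; then
        echo "signing: COSIGN mode needs JRELEASER_COSIGN_PASSWORD or JRELEASER_GPG_PASSPHRASE" >&2
        return 1
      fi
      ;;
    *)
      echo "signing: unknown mode '$1' (expected MEMORY, FILE, COMMAND or COSIGN)" >&2
      return 1
      ;;
  esac
}

# config_has_literal_secret CONFIG: succeeds when a YAML config sets passphrase,
# secretKey or privateKeyFile to anything other than the __DO_NOT_SET_HERE__
# marker, i.e. a secret was committed instead of being taken from the environment.
config_has_literal_secret() {
  grep -E '^[[:space:]]*(passphrase|secretKey|privateKeyFile):' "$1" 2>/dev/null \
    | grep -vq '__DO_NOT_SET_HERE__'
}
```

In a CI step you would call check_signing_env with the mode from your configuration and fail the job when it returns non-zero, then refuse to proceed when config_has_literal_secret reports an inline passphrase or key in the committed jreleaser.yml. The YAML scan is deliberately simple: it flags any of the three secret-bearing keys whose value is not the __DO_NOT_SET_HERE__ marker, which is exactly the case the advice above warns against.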

Skip Signing

Distributions and artifacts may define an extra property that stops them from being signed. The property must be named skipSigning and set to true. Setting it on a distribution skips all of that distribution's artifacts.