Signing

Signing ensures that the artifacts were generated by you; your users can verify this by checking the generated signature against your public signing key.

JReleaser can sign all files, including distribution archives and any extra files attached to the project. This section must also be configured if you intend to sign commits.

Use the following options to customize how files may be signed:

The same configuration is shown below in YAML, TOML, JSON, Maven (XML) and Gradle (Groovy DSL) format.

YAML:

#
signing:
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  # 
  active: ALWAYS

  # Generates an armored signature.
  # Defaults to `false`.
  # 
  armored: true

  # How GPG keys should be handled.
  # Valid values are [`MEMORY`, `FILE`, `COMMAND`].
  # Defaults to `MEMORY`.
  # 
  mode: MEMORY

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  #  
  passphrase: __DO_NOT_SET_HERE__

  # The public GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  publicKey: __DO_NOT_SET_HERE__

  # The private GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  secretKey: __DO_NOT_SET_HERE__

  # The executable used for signing.
  # If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
  # environment variable must be defined.
  # Defaults to `gpg[.exe]`.
  # When mode = `COMMAND`.
  #  
  executable: gpg

  # The directory from which gpg will load keyrings.
  # If left unspecified, the `JRELEASER_GPG_HOMEDIR`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  homeDir: /home/users/duke/.gnupg

  # The "name" of the key to sign with.
  # If left unspecified, the `JRELEASER_GPG_KEYNAME`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  keyName: 0CB28B71EF50

  # The path to a public keyring to add to the list of keyrings.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  publicKeyring: my-pubring.gpg

  # Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
  # Defaults to `true`.
  # When mode = `COMMAND`.
  # 
  defaultKeyring: true

  # Sets the arguments to be passed to gpg.
  # When mode = `COMMAND`.
  # 
  args:
    - '--no-random-seed-file'

  # Sign files.
  # Defaults to `true`.
  # 
  files: true

  # Sign distribution artifacts.
  # Defaults to `true`.
  # 
  artifacts: true

  # Sign checksum files.
  # Defaults to `true`.
  # 
  checksums: true

TOML:

#
[signing]
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  # 
  active = "ALWAYS"

  # Generates an armored signature.
  # Defaults to `false`.
  # 
  armored = true

  # How GPG keys should be handled.
  # Valid values are [`MEMORY`, `FILE`, `COMMAND`].
  # Defaults to `MEMORY`.
  # 
  mode = 'MEMORY'

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  #  
  passphrase = "__DO_NOT_SET_HERE__"

  # The public GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  publicKey = "__DO_NOT_SET_HERE__"

  # The private GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  # Required when mode = `MEMORY` || `FILE`.
  #  
  secretKey = "__DO_NOT_SET_HERE__"

  # The executable used for signing.
  # If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
  # environment variable must be defined.
  # Defaults to `gpg[.exe]`.
  # When mode = `COMMAND`.
  #  
  executable = "gpg"

  # The directory from which gpg will load keyrings.
  # If left unspecified, the `JRELEASER_GPG_HOMEDIR`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  homeDir = "/home/users/duke/.gnupg"

  # The "name" of the key to sign with.
  # If left unspecified, the `JRELEASER_GPG_KEYNAME`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  keyName = "0CB28B71EF50"

  # The path to a public keyring to add to the list of keyrings.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
  # environment variable must be defined.
  # Defaults to empty.
  # When mode = `COMMAND`.
  #  
  publicKeyring = "my-pubring.gpg"

  # Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
  # Defaults to `true`.
  # When mode = `COMMAND`.
  # 
  defaultKeyring = true

  # Sets the arguments to be passed to gpg.
  # When mode = `COMMAND`.
  # 
  args = ["--no-random-seed-file"]

  # Sign files.
  # Defaults to `true`.
  # 
  files = true

  # Sign distribution artifacts.
  # Defaults to `true`.
  # 
  artifacts = true

  # Sign checksum files.
  # Defaults to `true`.
  # 
  checksums = true

JSON:

{
  // 
  "signing": {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    // 
    "active": "ALWAYS",

    // Generates an armored signature.
    // Defaults to `false`.
    // 
    "armored": true,

    // How GPG keys should be handled.
    // Valid values are [`MEMORY`, `FILE`, `COMMAND`].
    // Defaults to `MEMORY`.
    // 
    "mode": "MEMORY",

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    //  
    "passphrase": "__DO_NOT_SET_HERE__",

    // The public GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    "publicKey": "__DO_NOT_SET_HERE__",

    // The private GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    "secretKey": "__DO_NOT_SET_HERE__",

    // The executable used for signing.
    // If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
    // environment variable must be defined.
    // Defaults to `gpg[.exe]`.
    // When mode = `COMMAND`.
    //  
    "executable": "gpg",

    // The directory from which gpg will load keyrings.
    // If left unspecified, the `JRELEASER_GPG_HOMEDIR`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    "homeDir": "/home/users/duke/.gnupg",

    // The "name" of the key to sign with.
    // If left unspecified, the `JRELEASER_GPG_KEYNAME`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    "keyName": "0CB28B71EF50",

    // The path to a public keyring to add to the list of keyrings.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    "publicKeyring": "my-pubring.gpg",

    // Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
    // Defaults to `true`.
    // When mode = `COMMAND`.
    // 
    "defaultKeyring": true,

    // Sets the arguments to be passed to gpg.
    // When mode = `COMMAND`.
    // 
    "args": [
      "--no-random-seed-file"
    ],

    // Sign files.
    // Defaults to `true`.
    // 
    "files": true,

    // Sign distribution artifacts.
    // Defaults to `true`.
    // 
    "artifacts": true,

    // Sign checksum files.
    // Defaults to `true`.
    // 
    "checksums": true
  }
}

Maven:

<jreleaser>
  <!--
    
  -->
  <signing>

    <!--
      Enables or disables file signing.
      Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
      Defaults to `NEVER`.
      
    -->
    <active>ALWAYS</active>

    <!--
      Generates an armored signature.
      Defaults to `false`.
      
    -->
    <armored>true</armored>

    <!--
      How GPG keys should be handled.
      Valid values are [`MEMORY`, `FILE`, `COMMAND`].
      Defaults to `MEMORY`.
      
    -->
    <mode>MEMORY</mode>

    <!--
      The passphrase required to read secret keys.
      If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
      environment variable must be defined.
      Required when mode = `MEMORY` || `FILE`.
       
    -->
    <passphrase>__DO_NOT_SET_HERE__</passphrase>

    <!--
      The public GPG key (ASCII armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
      environment variable must be defined.
      Required when mode = `MEMORY` || `FILE`.
       
    -->
    <publicKey>__DO_NOT_SET_HERE__</publicKey>

    <!--
      The private GPG key (ASCII armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
      environment variable must be defined.
      Required when mode = `MEMORY` || `FILE`.
       
    -->
    <secretKey>__DO_NOT_SET_HERE__</secretKey>

    <!--
      The executable used for signing.
      If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
      environment variable must be defined.
      Defaults to `gpg[.exe]`.
      When mode = `COMMAND`.
       
    -->
    <executable>gpg</executable>

    <!--
      The directory from which gpg will load keyrings.
      If left unspecified, the `JRELEASER_GPG_HOMEDIR`
      environment variable must be defined.
      Defaults to empty.
      When mode = `COMMAND`.
       
    -->
    <homeDir>/home/users/duke/.gnupg</homeDir>

    <!--
      The "name" of the key to sign with.
      If left unspecified, the `JRELEASER_GPG_KEYNAME`
      environment variable must be defined.
      Defaults to empty.
      When mode = `COMMAND`.
       
    -->
    <keyName>0CB28B71EF50</keyName>

    <!--
      The path to a public keyring to add to the list of keyrings.
      If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
      environment variable must be defined.
      Defaults to empty.
      When mode = `COMMAND`.
       
    -->
    <publicKeyring>my-pubring.gpg</publicKeyring>

    <!--
      Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
      Defaults to `true`.
      When mode = `COMMAND`.
      
    -->
    <defaultKeyring>true</defaultKeyring>

    <!--
      Sets the arguments to be passed to gpg.
      When mode = `COMMAND`.
      
    -->
    <args>
      <arg>--no-random-seed-file</arg>
    </args>

    <!--
      Sign files.
      Defaults to `true`.
      
    -->
    <files>true</files>

    <!--
      Sign distribution artifacts.
      Defaults to `true`.
      
    -->
    <artifacts>true</artifacts>

    <!--
      Sign checksum files.
      Defaults to `true`.
      
    -->
    <checksums>true</checksums>
  </signing>
</jreleaser>

Gradle:

jreleaser {
  // 
  signing {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    // 
    active = "ALWAYS"

    // Generates an armored signature.
    // Defaults to `false`.
    // 
    armored = true

    // How GPG keys should be handled.
    // Valid values are [`MEMORY`, `FILE`, `COMMAND`].
    // Defaults to `MEMORY`.
    // 
    mode = 'MEMORY'

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    //  
    passphrase = '__DO_NOT_SET_HERE__'

    // The public GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    publicKey = '__DO_NOT_SET_HERE__'

    // The private GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    // Required when mode = `MEMORY` || `FILE`.
    //  
    secretKey = '__DO_NOT_SET_HERE__'

    // The executable used for signing.
    // If left unspecified, the `JRELEASER_GPG_EXECUTABLE`
    // environment variable must be defined.
    // Defaults to `gpg[.exe]`.
    // When mode = `COMMAND`.
    //  
    executable = 'gpg'

    // The directory from which gpg will load keyrings.
    // If left unspecified, the `JRELEASER_GPG_HOMEDIR`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    homeDir = '/home/users/duke/.gnupg'

    // The "name" of the key to sign with.
    // If left unspecified, the `JRELEASER_GPG_KEYNAME`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    keyName = '0CB28B71EF50'

    // The path to a public keyring to add to the list of keyrings.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEYRING`
    // environment variable must be defined.
    // Defaults to empty.
    // When mode = `COMMAND`.
    //  
    publicKeyring = 'my-pubring.gpg'

    // Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
    // Defaults to `true`.
    // When mode = `COMMAND`.
    // 
    defaultKeyring = true

    // Sets the arguments to be passed to gpg.
    // When mode = `COMMAND`.
    // 
    args = ['--no-random-seed-file']

    // Sign files.
    // Defaults to `true`.
    // 
    files = true

    // Sign distribution artifacts.
    // Defaults to `true`.
    // 
    artifacts = true

    // Sign checksum files.
    // Defaults to `true`.
    // 
    checksums = true
  }
}
Prefer the use of Environment (environment variables) if the configuration is stored in a public repository, so that the passphrase and keys are never committed with it.

Mode

When the mode is set to MEMORY (the default), the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as the actual contents of each key.

When the mode is set to FILE, the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as file paths pointing to the files that contain the keys.

When the mode is set to COMMAND, JReleaser expects the appropriate command settings to be configured, such as the signing executable (gpg by default). Signing and verification will be invoked in non-interactive mode.
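As an added example (not part of the JReleaser documentation or code base), a small Python preflight check that applies the three mode rules above to an environment mapping before a release runs: in MEMORY mode the two key variables must hold ASCII-armored key blocks of the expected kind, in FILE mode they must point to existing files, and in COMMAND mode the signing executable must resolve on PATH. The sample armored block is constructed placeholder text, and `check_signing_env`, `ARMOR_RE` and `KEY_VARS` are this example's own names.

```python
import os
import re
import shutil
from pathlib import Path

# Constructed sample of an ASCII-armored key block; the body is placeholder text, not a real key.
SAMPLE_ARMORED_PUBLIC = (
    "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
    "mQENBExampleBodyNotARealKey==\n=abcd\n"
    "-----END PGP PUBLIC KEY BLOCK-----\n"
)
# Matches one armored key block and captures whether it is a PUBLIC or PRIVATE key (hypothetical helper).
ARMOR_RE = re.compile(r"-----BEGIN PGP (PUBLIC|PRIVATE) KEY BLOCK-----.*?-----END PGP \1 KEY BLOCK-----", re.S)
KEY_VARS = (("JRELEASER_GPG_PUBLIC_KEY", "PUBLIC"), ("JRELEASER_GPG_SECRET_KEY", "PRIVATE"))


def check_signing_env(mode, env):
    """Return the list of problems found for the given signing mode and environment mapping."""
    problems = []
    mode = mode.upper()
    if mode in ("MEMORY", "FILE"):
        for var, kind in KEY_VARS:
            value = env.get(var, "")
            if not value:
                problems.append(f"{var} is not set (required when mode = {mode})")
            elif mode == "MEMORY":
                # MEMORY: the variable holds the armored key itself, and it must be the expected kind.
                match = ARMOR_RE.search(value)
                if match is None:
                    problems.append(f"{var} does not contain an ASCII-armored key block")
                elif match.group(1) != kind:
                    problems.append(f"{var} contains a {match.group(1)} key block, expected {kind}")
            elif not Path(value).is_file():
                # FILE: the variable holds a path to a file that contains the key.
                problems.append(f"{var} must point to an existing file in FILE mode: {value}")
        if not env.get("JRELEASER_GPG_PASSPHRASE"):
            problems.append("JRELEASER_GPG_PASSPHRASE is not set")
    elif mode == "COMMAND":
        # COMMAND: gpg does the work, so the configured executable (default gpg) must resolve.
        exe = env.get("JRELEASER_GPG_EXECUTABLE", "gpg")
        if shutil.which(exe) is None:
            problems.append(f"signing executable not found on PATH: {exe}")
    else:
        problems.append(f"unknown mode {mode}; expected MEMORY, FILE or COMMAND")
    return problems


if __name__ == "__main__":
    for problem in check_signing_env("MEMORY", os.environ): print("signing preflight:", problem)
```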

Skip Signing

Distributions and Artifacts may define an extra property that prevents them from being signed. The name of this property must be skipSigning and its value must be true. Setting this property on a distribution skips all of its artifacts.