Signing
Signing ensures that the artifacts were generated by you; your users can verify this by checking the generated signature against your public signing key.
JReleaser can sign all files, including distribution archives and any extra files attached to the project. This section must also be configured if you intend to sign commits. You may sign using PGP or Sigstore's cosign.
Use the following options to customize how files may be signed:
Configuration
Legend:
- required
- optional
- may use environment variable
- accepts Name Templates
#
signing:
  # Enables or disables file signing.
  # Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  #
  active: ALWAYS
  # Generates an armored signature.
  # Defaults to `false`.
  #
  armored: true
  # Verify signature files.
  # If `false` then `publicKey` may be omitted.
  # Defaults to `true`.
  #
  verify: false
  # How should GPG keys be handled.
  # Supported values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
  # Defaults to `MEMORY`.
  #
  mode: MEMORY
  # The passphrase required to read secret keys.
  #
  passphrase: __USE_ENVIRONMENT_VARIABLE__
  # The public GPG key (ASCII armored) used to sign files and commits.
  # Required when mode = `MEMORY` || `FILE`.
  #
  publicKey: __USE_ENVIRONMENT_VARIABLE__
  # The private GPG key (ASCII armored) used to sign files and commits.
  # Required when mode = `MEMORY` || `FILE`.
  #
  secretKey: __USE_ENVIRONMENT_VARIABLE__
  # Sign files.
  # Defaults to `true`.
  #
  files: true
  # Sign distribution artifacts.
  # Defaults to `true`.
  #
  artifacts: true
  # Sign checksum files.
  # Defaults to `true`.
  #
  checksums: true
  # Settings used when mode = `COMMAND`.
  #
  command:
    # The executable used for signing.
    # Defaults to `gpg[.exe]`.
    # When mode = `COMMAND`.
    #
    executable: gpg
    # The directory from which gpg will load keyrings.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #
    homeDir: /home/users/duke/.gnugpg
    # The "name" of the key to sign with.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #
    keyName: 0CB28B71EF50
    # The path to a public keyring to add to the list of keyrings.
    # Defaults to empty.
    # When mode = `COMMAND`.
    #
    publicKeyring: my-pubring.gpg
    # Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
    # Defaults to `true`.
    # When mode = `COMMAND`.
    #
    defaultKeyring: true
    # Sets the arguments to be passed to gpg.
    # When mode = `COMMAND`.
    #
    args:
      - '--no-random-seed-file'
  # Settings used when mode = `COSIGN`.
  #
  cosign:
    # Tool version.
    #
    version: 1.4.1
    # The private cosign key.
    #
    privateKeyFile: __USE_ENVIRONMENT_VARIABLE__
    # The public cosign key.
    #
    publicKeyFile: __USE_ENVIRONMENT_VARIABLE__
#
[signing]
# Enables or disables file signing.
# Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
# Defaults to `NEVER`.
#
active = "ALWAYS"
# Generates an armored signature.
# Defaults to `false`.
#
armored = true
# Verify signature files.
# If `false` then `publicKey` may be omitted.
# Defaults to `true`.
#
verify = false
# How should GPG keys be handled.
# Supported values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
# Defaults to `MEMORY`.
#
mode = 'MEMORY'
# The passphrase required to read secret keys.
#
passphrase = "__USE_ENVIRONMENT_VARIABLE__"
# The public GPG key (ASCII armored) used to sign files and commits.
# Required when mode = `MEMORY` || `FILE`.
#
publicKey = "__USE_ENVIRONMENT_VARIABLE__"
# The private GPG key (ASCII armored) used to sign files and commits.
# Required when mode = `MEMORY` || `FILE`.
#
secretKey = "__USE_ENVIRONMENT_VARIABLE__"
# Sign files.
# Defaults to `true`.
#
files = true
# Sign distribution artifacts.
# Defaults to `true`.
#
artifacts = true
# Sign checksum files.
# Defaults to `true`.
#
checksums = true
# Settings used when mode = `COMMAND`.
#
# The executable used for signing.
# Defaults to `gpg[.exe]`.
# When mode = `COMMAND`.
#
command.executable = "gpg"
# The directory from which gpg will load keyrings.
# Defaults to empty.
# When mode = `COMMAND`.
#
command.homeDir = "/home/users/duke/.gnugpg"
# The "name" of the key to sign with.
# Defaults to empty.
# When mode = `COMMAND`.
#
command.keyName = "0CB28B71EF50"
# The path to a public keyring to add to the list of keyrings.
# Defaults to empty.
# When mode = `COMMAND`.
#
command.publicKeyring = "my-pubring.gpg"
# Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
# Defaults to `true`.
# When mode = `COMMAND`.
#
command.defaultKeyring = true
# Sets the arguments to be passed to gpg.
# When mode = `COMMAND`.
#
command.args = ["--no-random-seed-file"]
# Settings used when mode = `COSIGN`.
#
# Tool version.
#
cosign.version = "1.4.1"
# The private cosign key.
#
cosign.privateKeyFile = "__USE_ENVIRONMENT_VARIABLE__"
# The public cosign key.
#
cosign.publicKeyFile = "__USE_ENVIRONMENT_VARIABLE__"
{
//
"signing": {
// Enables or disables file signing.
// Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
// Defaults to `NEVER`.
//
"active": "ALWAYS",
// Generates an armored signature.
// Defaults to `false`.
//
"armored": true,
// Verify signature files.
// If `false` then `publicKey` may be omitted.
// Defaults to `true`.
//
"verify": false,
// How should GPG keys be handled.
// Supported values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
// Defaults to `MEMORY`.
//
"mode": "MEMORY",
// The passphrase required to read secret keys.
//
"passphrase": "__USE_ENVIRONMENT_VARIABLE__",
// The public GPG key (ASCII armored) used to sign files and commits.
// Required when mode = `MEMORY` || `FILE`.
//
"publicKey": "__USE_ENVIRONMENT_VARIABLE__",
// The private GPG key (ASCII armored) used to sign files and commits.
// Required when mode = `MEMORY` || `FILE`.
//
"secretKey": "__USE_ENVIRONMENT_VARIABLE__",
// Sign files.
// Defaults to `true`.
//
"files": true,
// Sign distribution artifacts.
// Defaults to `true`.
//
"artifacts": true,
// Sign checksum files.
// Defaults to `true`.
//
"checksums": true,
// Settings used when mode = `COMMAND`.
//
"command": {
// The executable used for signing.
// Defaults to `gpg[.exe]`.
// When mode = `COMMAND`.
//
"executable": "gpg",
// The directory from which gpg will load keyrings.
// Defaults to empty.
// When mode = `COMMAND`.
//
"homeDir": "/home/users/duke/.gnugpg",
// The "name" of the key to sign with.
// Defaults to empty.
// When mode = `COMMAND`.
//
"keyName": "0CB28B71EF50",
// The path to a public keyring to add to the list of keyrings.
// Defaults to empty.
// When mode = `COMMAND`.
//
"publicKeyring": "my-pubring.gpg",
// Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
// Defaults to `true`.
// When mode = `COMMAND`.
//
"defaultKeyring": true,
// Sets the arguments to be passed to gpg.
// When mode = `COMMAND`.
//
"args": [
"--no-random-seed-file"
]
},
// Settings used when mode = `COSIGN`.
//
"cosign": {
// Tool version.
//
"version": "1.4.1",
// The private cosign key.
//
"privateKeyFile": "__USE_ENVIRONMENT_VARIABLE__",
// The public cosign key.
//
"publicKeyFile": "__USE_ENVIRONMENT_VARIABLE__"
}
}
}
<jreleaser>
<!--
-->
<signing>
<!--
Enables or disables file signing.
Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
Defaults to `NEVER`.
-->
<active>ALWAYS</active>
<!--
Generates an armored signature.
Defaults to `false`.
-->
<armored>true</armored>
<!--
Verify signature files.
If `false` then `publicKey` may be omitted.
Defaults to `true`.
-->
<verify>false</verify>
<!--
How should GPG keys be handled.
Supported values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
Defaults to `MEMORY`.
-->
<mode>MEMORY</mode>
<!--
The passphrase required to read secret keys.
Required when mode = `MEMORY` || `FILE`.
-->
<passphrase>__USE_ENVIRONMENT_VARIABLE__</passphrase>
<!--
The public GPG key (ASCII armored) used to sign files and commits.
Required when mode = `MEMORY` || `FILE`.
-->
<publicKey>__USE_ENVIRONMENT_VARIABLE__</publicKey>
<!--
The private GPG key (ASCII armored) used to sign files and commits.
Required when mode = `MEMORY` || `FILE`.
-->
<secretKey>__USE_ENVIRONMENT_VARIABLE__</secretKey>
<!--
Sign files.
Defaults to `true`.
-->
<files>true</files>
<!--
Sign distribution artifacts.
Defaults to `true`.
-->
<artifacts>true</artifacts>
<!--
Sign checksum files.
Defaults to `true`.
-->
<checksums>true</checksums>
<!--
Settings used when mode = `COMMAND`.
-->
<command>
<!--
The executable used for signing.
Defaults to `gpg[.exe]`.
When mode = `COMMAND`.
-->
<executable>gpg</executable>
<!--
The directory from which gpg will load keyrings.
Defaults to empty.
When mode = `COMMAND`.
-->
<homeDir>/home/users/duke/.gnugpg</homeDir>
<!--
The "name" of the key to sign with.
Defaults to empty.
When mode = `COMMAND`.
-->
<keyName>0CB28B71EF50</keyName>
<!--
The path to a public keyring to add to the list of keyrings.
Defaults to empty.
When mode = `COMMAND`.
-->
<publicKeyring>my-pubring.gpg</publicKeyring>
<!--
Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
Defaults to `true`.
When mode = `COMMAND`.
-->
<defaultKeyring>true</defaultKeyring>
<!--
Sets the arguments to be passed to gpg.
When mode = `COMMAND`.
-->
<args>
<arg>--no-random-seed-file</arg>
</args>
</command>
<!--
Settings used when mode = `COSIGN`.
-->
<cosign>
<!--
Tool version.
-->
<version>1.4.1</version>
<!--
The private cosign key.
-->
<privateKeyFile>__USE_ENVIRONMENT_VARIABLE__</privateKeyFile>
<!--
The public cosign key.
-->
<publicKeyFile>__USE_ENVIRONMENT_VARIABLE__</publicKeyFile>
</cosign>
</signing>
</jreleaser>
jreleaser {
//
signing {
// Enables or disables file signing.
// Supported values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
// Defaults to `NEVER`.
//
active = 'ALWAYS'
// Generates an armored signature.
// Defaults to `false`.
//
armored = true
// Verify signature files.
// If `false` then `publicKey` may be omitted.
// Defaults to `true`.
//
verify = false
// How should GPG keys be handled.
// Supported values are [`MEMORY`, `FILE`, `COMMAND`, `COSIGN`].
// Defaults to `MEMORY`.
//
mode = 'MEMORY'
// The passphrase required to read secret keys.
//
passphrase = '__USE_ENVIRONMENT_VARIABLE__'
// The public GPG key (ASCII armored) used to sign files and commits.
// Required when mode = `MEMORY` || `FILE`.
//
publicKey = '__USE_ENVIRONMENT_VARIABLE__'
// The private GPG key (ASCII armored) used to sign files and commits.
// Required when mode = `MEMORY` || `FILE`.
//
secretKey = '__USE_ENVIRONMENT_VARIABLE__'
// Sign files.
// Defaults to `true`.
//
files = true
// Sign distribution artifacts.
// Defaults to `true`.
//
artifacts = true
// Sign checksum files.
// Defaults to `true`.
//
checksums = true
// Settings used when mode = `COMMAND`.
//
command {
// The executable used for signing.
// Defaults to `gpg[.exe]`.
// When mode = `COMMAND`.
//
executable = 'gpg'
// The directory from which gpg will load keyrings.
// Defaults to empty.
// When mode = `COMMAND`.
//
homeDir = '/home/users/duke/.gnugpg'
// The "name" of the key to sign with.
// Defaults to empty.
// When mode = `COMMAND`.
//
keyName = '0CB28B71EF50'
// The path to a public keyring to add to the list of keyrings.
// Defaults to empty.
// When mode = `COMMAND`.
//
publicKeyring = 'my-pubring.gpg'
// Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
// Defaults to `true`.
// When mode = `COMMAND`.
//
defaultKeyring = true
// Sets the arguments to be passed to gpg.
// When mode = `COMMAND`.
//
args = ['--no-random-seed-file']
}
// Settings used when mode = `COSIGN`.
//
cosign {
// Tool version.
//
version = '1.4.1'
// The private cosign key.
//
privateKeyFile = '__USE_ENVIRONMENT_VARIABLE__'
// The public cosign key.
//
publicKeyFile = '__USE_ENVIRONMENT_VARIABLE__'
}
}
}
Prefer the use of Environment if the configuration is stored in a public repository.
Environment
When not explicitly set, the value of the following properties may be resolved from an environment variable or a system property as shown in the table. The system property takes precedence over the environment variable.
Property | System Property | Environment Variable
---|---|---
active | jreleaser.signing.active | JRELEASER_SIGNING_ACTIVE
passphrase | jreleaser.cosign.password | JRELEASER_COSIGN_PASSWORD
publicKey | jreleaser.gpg.public.key | JRELEASER_GPG_PUBLIC_KEY
secretKey | jreleaser.gpg.secret.key | JRELEASER_GPG_SECRET_KEY
command.executable | jreleaser.gpg.executable | JRELEASER_GPG_EXECUTABLE
command.homeDir | jreleaser.gpg.homedir | JRELEASER_GPG_HOMEDIR
command.keyName | jreleaser.gpg.keyname | JRELEASER_GPG_KEYNAME
command.publicKeyring | jreleaser.gpg.public.keyring | JRELEASER_GPG_PUBLIC_KEYRING
cosign.publicKeyFile | jreleaser.cosign.public.key | JRELEASER_COSIGN_PUBLIC_KEY
cosign.privateKeyFile | jreleaser.cosign.private.key | JRELEASER_COSIGN_PRIVATE_KEY
Mode
When the mode is set to MEMORY (the default), the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as the actual contents of each key.
When the mode is set to FILE, the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as file paths pointing to files that contain the keys.
When the mode is set to COMMAND, JReleaser expects the appropriate command settings to be configured, such as the signing executable (gpg by default). Signing and verification will be invoked in non-interactive mode.
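The resolution rules from the Environment table and the Mode section above, as an added example that is not JReleaser's own code: explicit config wins, then the system property, then the environment variable; MEMORY treats the value as the armored key itself, FILE as a path to it; and publicKey may only be left out when verify is false. The sample key blocks and the helper names are constructed for the example.

```python
import tempfile

# Constructed sample keys: only the armor headers matter for this example.
SAMPLE_PUBLIC = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n...\n-----END PGP PUBLIC KEY BLOCK-----\n"
SAMPLE_SECRET = "-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n"
PLACEHOLDER = "__USE_ENVIRONMENT_VARIABLE__"
# Property -> (system property, environment variable), from the table above.
SOURCES = {
    "publicKey": ("jreleaser.gpg.public.key", "JRELEASER_GPG_PUBLIC_KEY"),
    "secretKey": ("jreleaser.gpg.secret.key", "JRELEASER_GPG_SECRET_KEY"),
}

def resolve(name, config, sysprops, env):
    """Explicit config value first; otherwise system property, then env var."""
    value = config.get(name)
    if value not in (None, PLACEHOLDER):
        return value
    prop, var = SOURCES[name]
    return sysprops.get(prop) or env.get(var)

def load_key(value, mode):
    """MEMORY: value is the armored key; FILE: value is a path to it."""
    if value is not None and mode == "FILE":
        with open(value, encoding="utf-8") as fh:
            value = fh.read()
    if value is not None and not value.lstrip().startswith("-----BEGIN PGP "):
        raise ValueError("key material is not ASCII armored")
    return value

def validate(config, sysprops, env):
    """Return resolved key contents, or raise on a combination the docs forbid."""
    mode = config.get("mode", "MEMORY")
    keys = {n: load_key(resolve(n, config, sysprops, env), mode) for n in SOURCES}
    if mode in ("MEMORY", "FILE"):
        if keys["secretKey"] is None:
            raise ValueError("secretKey is required when mode is MEMORY or FILE")
        if config.get("verify", True) and keys["publicKey"] is None:
            raise ValueError("publicKey is required unless verify is false")
    return keys

def demo_file_mode():
    """FILE mode: the env vars hold paths and the keys are read from disk."""
    with tempfile.TemporaryDirectory() as tmp:
        env = {}
        for var, text in (("JRELEASER_GPG_PUBLIC_KEY", SAMPLE_PUBLIC), ("JRELEASER_GPG_SECRET_KEY", SAMPLE_SECRET)):
            env[var] = f"{tmp}/{var}.asc"
            with open(env[var], "w", encoding="utf-8") as fh:
                fh.write(text)
        return validate({"mode": "FILE"}, {}, env)
```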
Cosign
You may sign artifacts, files, and checksums using Sigstore's cosign; however, you cannot sign commits or tags when COSIGN mode is active.
You may use JRELEASER_COSIGN_PASSWORD instead of JRELEASER_GPG_PASSPHRASE to define the password required by cosign.
You must define a value for the version property. JReleaser will check whether a matching binary exists on the system or download a binary that matches the current platform. If you do not have an existing private/public key pair, JReleaser will generate one for you and store it in $JRELEASER_USER_HOME, which matches ~/.jreleaser by default.
The public cosign key file will automatically be uploaded as a release asset.