Signing

Signing proves that the artifacts were generated by you; your users can verify this by checking each generated signature against your public signing key.

JReleaser can sign all files, including distribution archives and any extra files attached to the project. This section must be configured if you intend to sign commits as well.

Use the following options to customize how files may be signed:

The same configuration is shown below in each supported format: YAML, TOML, JSON, Maven and Gradle.

YAML:

signing:
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  active: ALWAYS

  # Generates an armored signature.
  # Defaults to `true`.
  armored: true

  # How GPG keys should be handled.
  # Valid values are [`MEMORY`, `FILE`].
  # Defaults to `MEMORY`.
  mode: MEMORY

  # The public GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  publicKey: __DO_NOT_SET_HERE__

  # The private GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  secretKey: __DO_NOT_SET_HERE__

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  passphrase: __DO_NOT_SET_HERE__

TOML:

[signing]
  # Enables or disables file signing.
  # Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
  # Defaults to `NEVER`.
  active = "ALWAYS"

  # Generates an armored signature.
  # Defaults to `true`.
  armored = true

  # How GPG keys should be handled.
  # Valid values are [`MEMORY`, `FILE`].
  # Defaults to `MEMORY`.
  mode = 'MEMORY'

  # The public GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
  # environment variable must be defined.
  publicKey = "__DO_NOT_SET_HERE__"

  # The private GPG key (ASCII armored) used to sign files and commits.
  # If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
  # environment variable must be defined.
  secretKey = "__DO_NOT_SET_HERE__"

  # The passphrase required to read secret keys.
  # If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
  # environment variable must be defined.
  passphrase = "__DO_NOT_SET_HERE__"

JSON:

{
  "signing": {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    "active": "ALWAYS",

    // Generates an armored signature.
    // Defaults to `true`.
    "armored": true,

    // How GPG keys should be handled.
    // Valid values are [`MEMORY`, `FILE`].
    // Defaults to `MEMORY`.
    "mode": "MEMORY",

    // The public GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    "publicKey": "__DO_NOT_SET_HERE__",

    // The private GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    "secretKey": "__DO_NOT_SET_HERE__",

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    "passphrase": "__DO_NOT_SET_HERE__"
  }
}

Maven:

<jreleaser>
  <signing>

    <!--
      Enables or disables file signing.
      Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
      Defaults to `NEVER`.
    -->
    <active>ALWAYS</active>

    <!--
      Generates an armored signature.
      Defaults to `true`.
    -->
    <armored>true</armored>

    <!--
      How GPG keys should be handled.
      Valid values are [`MEMORY`, `FILE`].
      Defaults to `MEMORY`.
    -->
    <mode>MEMORY</mode>

    <!--
      The public GPG key (ASCII armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
      environment variable must be defined.
    -->
    <publicKey>__DO_NOT_SET_HERE__</publicKey>

    <!--
      The private GPG key (ASCII armored) used to sign files and commits.
      If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
      environment variable must be defined.
    -->
    <secretKey>__DO_NOT_SET_HERE__</secretKey>

    <!--
      The passphrase required to read secret keys.
      If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
      environment variable must be defined.
    -->
    <passphrase>__DO_NOT_SET_HERE__</passphrase>
  </signing>
</jreleaser>

Gradle:

jreleaser {
  signing {
    // Enables or disables file signing.
    // Valid values are [`NEVER`, `ALWAYS`, `RELEASE`, `SNAPSHOT`].
    // Defaults to `NEVER`.
    active = "ALWAYS"

    // Generates an armored signature.
    // Defaults to `true`.
    armored = true

    // How GPG keys should be handled.
    // Valid values are [`MEMORY`, `FILE`].
    // Defaults to `MEMORY`.
    mode = 'MEMORY'

    // The public GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_PUBLIC_KEY`
    // environment variable must be defined.
    publicKey = '__DO_NOT_SET_HERE__'

    // The private GPG key (ASCII armored) used to sign files and commits.
    // If left unspecified, the `JRELEASER_GPG_SECRET_KEY`
    // environment variable must be defined.
    secretKey = '__DO_NOT_SET_HERE__'

    // The passphrase required to read secret keys.
    // If left unspecified, the `JRELEASER_GPG_PASSPHRASE`
    // environment variable must be defined.
    passphrase = '__DO_NOT_SET_HERE__'
  }
}

Prefer supplying these values through the environment if the configuration is stored in a public repository.

Mode

When the mode is set to MEMORY (the default), the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as the actual contents of each key.

When the mode is set to FILE, the values of JRELEASER_GPG_PUBLIC_KEY and JRELEASER_GPG_SECRET_KEY are treated as file paths pointing to files that contain the keys.
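
A pre-flight check for the two modes described above, written as an added example (it is not part of JReleaser, and the function names are hypothetical): it confirms that each variable holds armored key contents in MEMORY mode or a readable key file in FILE mode, and never prints the values. It assumes the keys use the standard OpenPGP armor headers.

```shell
#!/bin/sh
# Added example, not JReleaser code: check that the JRELEASER_GPG_* variables
# match the configured signing mode. Values are never echoed to the log.
PUB_HDR='-----BEGIN PGP PUBLIC KEY BLOCK-----'
SEC_HDR='-----BEGIN PGP PRIVATE KEY BLOCK-----'

# check_key MODE VALUE ARMOR_HEADER VARIABLE_NAME
check_key() {
  mode=$1; value=$2; header=$3; label=$4
  if [ -z "$value" ]; then
    echo "$label: not set" >&2; return 1
  fi
  case $mode in
    MEMORY)  # the value must be the armored key itself
      case $value in "$header"*) return 0 ;; esac
      if [ -f "$value" ]; then
        echo "$label: is a file path, but mode is MEMORY" >&2
      else
        echo "$label: does not start with '$header'" >&2
      fi
      return 1 ;;
    FILE)    # the value must be a path to a file holding the armored key
      case $value in -----BEGIN*)
        echo "$label: holds key contents, but mode is FILE" >&2; return 1 ;;
      esac
      if [ ! -r "$value" ]; then
        echo "$label: file is not readable" >&2; return 1
      fi
      if ! head -n 1 "$value" | grep -qxF -- "$header"; then
        echo "$label: file does not start with '$header'" >&2; return 1
      fi
      return 0 ;;
    *) echo "unknown mode '$mode' (expected MEMORY or FILE)" >&2; return 1 ;;
  esac
}

# check_signing_env [MODE] -> returns 0 when all three variables are usable
check_signing_env() {
  mode=${1:-MEMORY}; rc=0
  check_key "$mode" "${JRELEASER_GPG_PUBLIC_KEY:-}" "$PUB_HDR" \
    JRELEASER_GPG_PUBLIC_KEY || rc=1
  check_key "$mode" "${JRELEASER_GPG_SECRET_KEY:-}" "$SEC_HDR" \
    JRELEASER_GPG_SECRET_KEY || rc=1
  if [ -z "${JRELEASER_GPG_PASSPHRASE:-}" ]; then
    echo "JRELEASER_GPG_PASSPHRASE: not set" >&2; rc=1
  fi
  return $rc
}
```

Source the file in the release job and call `check_signing_env MEMORY` or `check_signing_env FILE` before invoking JReleaser; a non-zero status means at least one variable does not fit the mode.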