Maven Central repository requires that all deployed artifacts are signed with PGP. In order to meet this requirement we need to set up our environment with a proper PGP key. On a local system we can do it once. The task is more complicated on a modern CI/CD system working in the cloud or in containers, where each build is done in a fresh environment. In this case we need to set up the PGP/GPG infrastructure before each build, so our build script becomes more complicated.

Most CI/CD systems allow us to set environment variables which can be passed to our builds. Instead of using maven-gpg-plugin, which requires installing and configuring the gpg binary, we can use sign-maven-plugin and environment variables.

Please look at our tutorial

In our Maven project we need only:
    <plugins>
      <plugin>
        <groupId>org.simplify4u.plugins</groupId>
        <artifactId>sign-maven-plugin</artifactId>
        <version><!-- check releases page --></version>
        <executions>
          <execution>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
We do not need any special Maven profiles, because by default sign-maven-plugin skips execution if the key is not found. We do not need any special application or software either: sign-maven-plugin uses Bouncy Castle internally to generate the signature.
Next we configure the environment variables on the CI/CD system:

SIGN_KEY - the GPG/PGP key - this is required
SIGN_KEY will be used
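Because the plugin silently skips signing when the key is absent, a CI job that lost its SIGN_KEY secret would quietly produce unsigned artifacts. The following guard is an added example, not code from this page or from the sign-maven-plugin project: it refuses to start a release build without SIGN_KEY and fails the job if any built artifact lacks a detached ASCII-armored signature; it assumes artifacts and their .asc files land side by side in target/.

```shell
#!/bin/sh
# Added example (not part of sign-maven-plugin). Assumes the plugin writes a
# detached, ASCII-armored "<artifact>.asc" next to each artifact in target/.

# require_sign_key: refuse to run a release build without the key in the
# environment, so the plugin cannot silently skip signing. The key value is
# never printed, only its armor header is checked.
require_sign_key() {
  case "${SIGN_KEY:-}" in
    *"-----BEGIN PGP PRIVATE KEY BLOCK-----"*) return 0 ;;
    *) echo "SIGN_KEY is unset or is not an ASCII-armored private key" >&2
       return 1 ;;
  esac
}

# check_signatures DIR: report every .jar/.pom in DIR that has no .asc file
# or whose .asc file is not a PGP armored signature. Returns 0 only when
# every artifact is signed.
check_signatures() {
  dir=$1
  missing=0
  for f in "$dir"/*.jar "$dir"/*.pom; do
    [ -e "$f" ] || continue            # glob matched nothing
    sig="$f.asc"
    if [ ! -s "$sig" ]; then
      echo "UNSIGNED: $f" >&2
      missing=$((missing + 1))
      continue
    fi
    if ! head -n 1 "$sig" | grep -q '^-----BEGIN PGP SIGNATURE-----$'; then
      echo "NOT AN ARMORED PGP SIGNATURE: $sig" >&2
      missing=$((missing + 1))
    fi
  done
  [ "$missing" -eq 0 ]
}

# Typical CI step (not executed here):
#   require_sign_key && mvn -B verify && check_signatures target
```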
Documentation of sign-maven-plugin can be found on the site https://www.simplify4u.org/sign-maven-plugin/plugin-info.html