One of Maven Central repository requirements is signing all deployed artifacts with PGP/GPG.

In order to meet this requirement we need setup our environment with proper PGP/GPG keys.

On local system we can do it once.

The task is more complicated on modern CI/CD system working in cloud/container where each build is done on fresh environment.

In this case we need to setup PGP/GPG infrastructure before each build, so our build script becomes more complicated.

The most of CI/CD systems allow us to set environment variables which can be pass to our builds.

Instead of using maven-gpg-plugin which require install and configure binary of gpg we can use sign-maven-plugin and environment variables.

Key prepare

Please look at our tutorial

Maven configuration

In Maven project we need only:

        <version><!-- check releases page --></version>

We need not any special maven profiles because by default sign-maven-plugin skip execution if key not found

We need not any special application, software - sign-maven-plugin use internally Bouncy Castle to generate signature.

CI/CD configuration

Next we configure environment variable on CI/CD system:

armored GPG/PGP key - this is required
key id in hex format - optional, first key from SIGN_KEY will be used
passphrase to decrypt private signing key - optional if key is not encrypted

Plugin Documentation

Documentation of can be found on site

Tags: maven central pgp openpgp signature sign