release.md

Release Documentation

Here we describe all the ceremony necessary to publish a Java library to Maven Central: the credentials, the GPG signing key and how to keep that key valid.

Credentials

Publishing to Maven Central requires authentication in the form of username and password or a user token (used as username and password). We use user tokens for authentication, so the account password itself never leaves the password manager and a leaked token can be regenerated without changing the account. The tokens are stored in our password manager.

Local (on device)

The MAVEN_USERNAME and MAVEN_PASSWORD environment variables need to be set on the device. Export them in the shell session that runs the release (for example from the password manager) rather than writing them into a file inside the repository, so they cannot be committed by accident.

GitHub Actions

In the GitHub Secrets, we need to add two secrets called MAVEN_USERNAME and MAVEN_PASSWORD. They can be accessed in a workflow YAML file with ${{ secrets.MAVEN_USERNAME }} and ${{ secrets.MAVEN_PASSWORD }}. We pass both secrets in the env block of the publish step, so they are only exposed to that step.

For example:

- name: Publish to Maven Central
  run: ./gradlew publish
  env:
    MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
    MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}

GPG Guide for Maven Signing

This guide is based on Working with PGP Signatures and OpenPGP Best Practices.

About our key

Real name: the secureCodeBox authors
Email: securecodebox@iteratec.com
Comment: Maven Release Signing Key
Fingerprint: 40AA7D29EB6DE0667D7E723ADE4725604A739BAF
Password: [see our password manager]

Create a new key

We create a new GPG key with:

gpg --full-generate-key

Import the private key

Download the private key from the password manager and import it locally:

gpg --import private.key

Export the Private Key

For GitHub Actions

gpg --armor --export-secret-keys $KEYID

In the GitHub Secrets, add the complete output of this command (including the BEGIN/END PGP PRIVATE KEY BLOCK lines) to the SIGNING_KEY secret. Additionally, you must add the corresponding passphrase as SIGNING_PASSWORD. Both can be accessed in a workflow YAML file with ${{ secrets.SIGNING_KEY }} and ${{ secrets.SIGNING_PASSWORD }}. We pass both secrets in the env block of the publish step.

For example:

- name: Publish to Maven Central
  run: ./gradlew publish
  env:
    SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
    SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}

For Password Manager

gpg -o private.key --export-secret-key $KEYID

This writes a binary (non-armored) export; gpg --import accepts both the binary and the armored form. Delete private.key from the device once it is stored in the password manager.

Expiration

It is recommended to use an expiration date of at most two years, so we use an interval of two years. This means that we need to extend the expiration date every two years! Note that the primary key and each subkey carry their own expiry date, and all of them need extending. We use an appointment in the secureCodeBox team calendar to remind us.

How to extend the expiration date?

  1. Download the private key file private.key from the password manager
  2. Import it locally: gpg --import private.key
  3. Select the key: gpg --edit-key $KEYID
  4. Extend the primary key first. With no subkey selected, expire applies to the primary key (use 2y for two years):
gpg> expire
  5. Now select the subkey and set its expiry date the same way (repeat with key 2, key 3, ... if the key has more subkeys). If only the subkey is extended, the whole key is treated as expired once the primary key's date passes:
gpg> key 1
gpg> expire
  6. Save it:
gpg> save
  7. Update the private key in our password manager and in the SIGNING_KEY GitHub Secret (export it again as described above)
  8. Re-publish the public key to the key server it was distributed through, for example gpg --keyserver keyserver.ubuntu.com --send-keys $KEYID (which server is an assumption here). The new expiry date is a self-signature on the public key, so anyone who only has the old copy still sees the old date.
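Because the calendar reminder is the only safeguard described above, the following preflight script is an added example (not part of the secureCodeBox project) that fails a release early when the local credentials from the "Local (on device)" section are missing or when any part of the signing key is about to expire. It parses the machine-readable output of gpg --with-colons, so the parsing functions can be tested on a constructed listing without a keyring. The fingerprint is the one documented above; the 30-day threshold, the MIN_DAYS_LEFT name and the subkey id and dates in the sample listing are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Release preflight (added example, not part of secureCodeBox): refuse to
# publish when the Maven credentials are missing or when any part of the
# signing key expires within MIN_DAYS_LEFT days. The key parsing works on
# `gpg --with-colons` output, so it is testable without a keyring.
set -euo pipefail

# Fingerprint of the release signing key from the "About our key" section.
SIGNING_FPR="40AA7D29EB6DE0667D7E723ADE4725604A739BAF"
MIN_DAYS_LEFT=30   # assumption: our own release policy, not a Sonatype rule

# Succeeds only if every named environment variable is set and non-empty.
# The values are never printed, so the check is safe in CI logs.
check_env() {
    local missing=0 name
    for name in "$@"; do
        if [ -z "${!name:-}" ]; then
            echo "missing environment variable: $name" >&2
            missing=1
        fi
    done
    return "$missing"
}

# stdin: `gpg --with-colons --list-keys` output. Succeeds if an fpr record
# carries the expected fingerprint (field 10 of an fpr record).
has_fingerprint() {
    awk -F: -v want="$1" '$1 == "fpr" && $10 == want { found = 1 } END { exit !found }'
}

# stdin: colon listing. Prints "<pub|sub> <keyid> <expiry>" per key part;
# field 7 of pub/sub records is the expiry in seconds since the epoch,
# empty for keys that never expire.
key_expiries() {
    awk -F: '$1 == "pub" || $1 == "sub" { print $1, $5, ($7 == "" ? "never" : $7) }'
}

# Whole days from $2 (epoch seconds, default: now) until $1 (epoch seconds).
days_until() {
    local expiry="$1" now="${2:-$(date +%s)}"
    echo $(( (expiry - now) / 86400 ))
}

# stdin: colon listing; $1: optional "now" in epoch seconds. Prints the
# smallest number of days left over primary key and subkeys ("never" if no
# part expires) and fails if that is below MIN_DAYS_LEFT. The primary key is
# included on purpose: once it expires, signatures made with the signing
# subkey are rejected even if the subkey itself is still valid.
check_key_expiry() {
    local now="${1:-$(date +%s)}" min="" listing type keyid expiry days
    listing=$(key_expiries)
    while read -r type keyid expiry; do
        [ -n "$type" ] || continue
        [ "$expiry" = "never" ] && continue
        days=$(days_until "$expiry" "$now")
        echo "$type $keyid expires in $days days" >&2
        if [ -z "$min" ] || [ "$days" -lt "$min" ]; then min=$days; fi
    done <<< "$listing"
    echo "${min:-never}"
    if [ -z "$min" ] || [ "$min" -ge "$MIN_DAYS_LEFT" ]; then return 0; fi
    return 1
}

# Run all checks against the real environment and keyring (not invoked here;
# call `preflight` before ./gradlew publish on a release machine).
preflight() {
    check_env MAVEN_USERNAME MAVEN_PASSWORD
    gpg --with-colons --list-keys "$SIGNING_FPR" | has_fingerprint "$SIGNING_FPR"
    gpg --with-colons --list-keys "$SIGNING_FPR" | check_key_expiry
}

# Constructed sample listing, shaped like `gpg --with-colons --list-keys`:
# primary key DE4725604A739BAF (the last 16 hex digits of the fingerprint
# above) plus one signing subkey. The subkey id, the uid hash and the dates
# are placeholders, not the real key's values.
SAMPLE_LISTING='pub:u:4096:1:DE4725604A739BAF:1600000000:1700000000::u:::scESCA::::::23::0:
fpr:::::::::40AA7D29EB6DE0667D7E723ADE4725604A739BAF:
uid:u::::1600000000::0000000000000000000000000000000000000000::the secureCodeBox authors (Maven Release Signing Key) <securecodebox@iteratec.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1600000000:1700000000:::::s::::::23:'
```

On the sample listing, check_key_expiry 1690000000 reports 115 days and succeeds, while check_key_expiry 1699000000 reports 11 days and fails, which is the case the calendar reminder alone would miss if the appointment was skipped.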