| 1 | +# Release Documentation |
| 2 | + |
| 3 | +Here we describe all the ceremonial stuff necessary to publish a Java library to Maven Central. |
| 4 | + |
| 5 | +## GPG Guide for Maven Release Signing |
| 6 | + |
| 7 | +This guide is based on [Working with PGP Signatures](https://central.sonatype.org/publish/requirements/gpg/) and [OpenPGP Best Practices](https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices). |
| 8 | + |
| 9 | +### About our key |
| 10 | + |
| 11 | +Real name: `the secureCodeBox authors` |
| 12 | +Email: `securecodebox@iteratec.com` |
| 13 | +Comment: `Maven Release Signing Key` |
| 14 | +Fingerprint: `40AA7D29EB6DE0667D7E723ADE4725604A739BAF` |
| 15 | +Password: [see our password manager] |
| 16 | + |
| 17 | +### Create a new key |
| 18 | + |
| 19 | +We create a new GPG key with: |
| 20 | + |
| 21 | +```shell |
| 22 | +gpg --full-generate-key |
| 23 | +``` |
| 24 | + |
| 25 | +### Import the private key |
| 26 | + |
| 27 | +Download private key from 1Password and import it locally |
| 28 | + |
| 29 | +```shell |
| 30 | +gpg --import private.key |
| 31 | +``` |
| 32 | + |
| 33 | +### Export the Private Key |
| 34 | + |
| 35 | +#### For GitHub Actions |
| 36 | + |
| 37 | +```shell |
| 38 | +gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF |
| 39 | +``` |
| 40 | + |
| 41 | +#### For 1Password |
| 42 | + |
| 43 | +```shell |
| 44 | +gpg -o private.key --export-secret-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF |
| 45 | +``` |
| 46 | + |
| 47 | +### Expiration |
| 48 | + |
| 49 | +It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! |
| 50 | + |
| 51 | +#### How to extend the expiration date? |
| 52 | + |
| 53 | +1. Download the private key file `private.key` from 1Password |
| 54 | +2. Import it locally: `gpg --import private.key` |
| 55 | +3. Select the key : `gpg --edit-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF` |
| 56 | +4. Now select the subkey and set the expire date (use `2y` for two years): |
| 57 | +```shell |
| 58 | +gpg> key 1 |
| 59 | +gpg> expire |
| 60 | +``` |
| 61 | +5. Save it: |
| 62 | +```shell |
| 63 | +gpg> save |
| 64 | +``` |
| 65 | +6. Update the private key in out password manager and GitHub Secrets |
| 66 | + |
| 67 | +## TODOs |
| 68 | + |
| 69 | +- How to remember the expirationd date over time & with changing developers? |
| 70 | +- Do we need to import the public key in sonatype? |
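Review bot: step 4 of "How to extend the expiration date?" only extends the first subkey, because `gpg> key 1` selects subkey 1 before `gpg> expire`; the primary key's own expiration is left untouched, and once the primary key expires the whole key stops validating. Run `expire` once with no key selected (primary), then `key 1` and `expire` again for the signing subkey, and add a step after `gpg> save` to re-export and publish the updated public key, since the new expiration lives in the public key's self-signature and anyone verifying the Maven artifacts keeps seeing the old, expired one until the public key is republished to the keyserver; that also answers the second TODO. In "For GitHub Actions", state that the armored block produced by `gpg --armor --export-secret-keys` is still protected by the key passphrase, which therefore has to be stored as a separate secret. Wording: "out password manager" should read "our password manager", "expirationd date" should read "expiration date", and "It is recommended to use an expiration date less than two years. We use an interval of **two years**." contradicts itself (less than two vs. exactly two).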