Gradle, Travis CI, and OSSRH
Artifacts must be signed in order to be uploaded to the central repository. Signing is done in 3 steps.
- Create a PGP key pair.
- Publish the public key.
- Set up the signing plugin of Gradle.
Signing must be done via PGP. The tool to use is GnuPG.
- On Debian or Ubuntu, GnuPG is available as gpg or gpg2. For details, see Debian GnuPG. Make sure to follow best practices as much as possible.
- On Mac, install and use GPG Suite.
For detailed instructions, see the excellent page of Working with PGP Signatures.
Gradle's signing plugin is easy to set up. Add the following to build.gradle:

```groovy
apply plugin: 'signing'

signing {
    sign configurations.archives
}
```

Then, in the file ~/.gradle/gradle.properties in the user's home directory, add the signing signatory:

```properties
signing.keyId=24875D73
signing.password=secret
signing.secretKeyRingFile=/Users/me/.gnupg/secring.gpg
```

This file lives in Gradle's user home, which can be set with the $GRADLE_USER_HOME environment variable and defaults to ~/.gradle/. As it now holds sensitive information, make sure only the current user can read this gradle.properties file.
Note: if the signing plugin complains that the key ID is too long, get the key ID in short format with `gpg --list-keys --keyid-format short`, or just use the last 8 characters of the long ID.

Note that the signing plugin claims to support subkeys out of the box, so for Gradle there is no need to remove subkeys; just use them instead of the primary key.

The signing signatory values are all sensitive information. Uploading them to CI services like Travis CI poses new challenges.

First, the key pairs are for personal use. The secring.gpg file is the entire key ring of all the private keys. Instead, we should use a dedicated keyring just for artifact signing. To achieve that, we can use a dedicated OS user just for this purpose, or do it on a virtual machine and make it portable.

Second, the signing password and the signing keyring file must be sufficiently encrypted. We can use the travis command line to encrypt passwords or to encrypt files.

Third, the signing signatory needs to be passed from Travis to Gradle. Gradle supports tiered properties: environment variables can be passed in as Gradle properties. At the same time, Travis CI can set environment variables in the repository settings. A twist here is that Travis CI uses Ubuntu, and the names of the environment variables must be all caps, so `ORG_GRADLE_PROJECT_signing.keyId=24875D73` would not work. A workaround I've found is to read the environment variables and pass the values on the command line. So in .travis.yml, invoke gradle with the signatory read from the environment:
```sh
gradle clean build publish \
  -Psigning.keyId="${SIGNING_KEY_ID}" \
  -Psigning.password="${SIGNING_PASSWORD}" \
  -Psigning.secretKeyRingFile="${SIGNING_SECRET_KEY_RING_FILE}"
```

(To be written)
```sh
# Install tools
sudo apt-get install gnupg-curl

# Set up key server cert
wget https://sks-keyservers.net/sks-keyservers.netCA.pem
mv sks-keyservers.netCA.pem sks-keyservers.netCA.crt
sudo mv sks-keyservers.netCA.crt /usr/local/share/ca-certificates
# No need to install as we will reference it directly in the config
# sudo update-ca-certificates

# GnuPG config
wget https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
mv ~/.gnupg/gpg.conf ~/.gnupg/gpg.conf.old
mv gpg.conf ~/.gnupg
##### Edit ~/.gnupg/gpg.conf #####

# Install ssh server for scp of the ring file
sudo apt-get install openssh-server

gpg2 --version
gpg2 --gen-key
```

- Key generation needs disk activity for entropy; open a new terminal and run:

```sh
dd if=/dev/sda of=/dev/zero
```

```sh
gpg2 --list-keys
gpg2 --list-secret-keys
```

- Distribute the public key:

```sh
gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys <kid>
```

- If you have set up an access token:

```sh
travis login --github-token <token>
```

- Encrypt the keyring; note that it will ask to confirm the repo:

```sh
travis encrypt-file secring.gpg --add
```

```
Detected repository as neurite/config, is this correct? |yes| no
Repository slug (owner/name): |neurite/config| computelab/config
encrypting secring.gpg for computelab/config
storing result as secring.gpg.enc
storing secure env variables for decryption
```
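As an added example (not from the original page, and not part of the travis or Gradle tooling), the shell helpers below tie together the two Travis-side steps described above: decrypting the secring.gpg.enc that `travis encrypt-file` produced, checking that the keyring is readable by the current user only, and assembling the `-Psigning.*` arguments from the `SIGNING_*` environment variables for the gradle command line shown earlier. The names `ENCRYPTED_KEY_VAR` and `ENCRYPTED_IV_VAR` are placeholders for the per-repository `encrypted_<id>_key` / `encrypted_<id>_iv` variables that `travis encrypt-file --add` writes into .travis.yml; the decrypt command itself is the `openssl aes-256-cbc -K ... -iv ... -d` line the travis tool emits.

```sh
#!/bin/sh
# Added example, not code from the page: CI-side helpers for handing the
# Gradle signatory to the build. Assumes the SIGNING_KEY_ID, SIGNING_PASSWORD
# and SIGNING_SECRET_KEY_RING_FILE variables from the page, plus the two
# encrypted_<id>_key / encrypted_<id>_iv variables that `travis encrypt-file`
# creates (ENCRYPTED_KEY_VAR / ENCRYPTED_IV_VAR below are placeholder names).

# Fail loudly if a required variable is unset or empty, so a build that has
# no secrets (for example a pull request from a fork) stops before gradle
# tries to sign anything.
require_env() {
    name="$1"
    eval "value=\${${name}:-}"
    if [ -z "$value" ]; then
        echo "missing required environment variable: $name" >&2
        return 1
    fi
}

# A keyring, or a gradle.properties holding the signing password, must be a
# regular file readable by the current user only (mode 0600 or stricter).
# GNU stat is tried first, then the BSD/macOS form.
check_private_file() {
    path="$1"
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$path is mode $mode; expected 600" >&2; return 1 ;;
    esac
}

# Decrypt the committed secring.gpg.enc with the key/iv Travis injects,
# then lock down the plaintext keyring before gradle reads it.
decrypt_keyring() {
    in="$1"
    out="$2"
    openssl aes-256-cbc -K "$ENCRYPTED_KEY_VAR" -iv "$ENCRYPTED_IV_VAR" \
        -in "$in" -out "$out" -d || return 1
    chmod 600 "$out"
}

# Print the -P arguments for `gradle clean build publish`, but only after
# every input is present and the keyring file is private.
gradle_signing_args() {
    require_env SIGNING_KEY_ID && require_env SIGNING_PASSWORD \
        && require_env SIGNING_SECRET_KEY_RING_FILE || return 1
    check_private_file "$SIGNING_SECRET_KEY_RING_FILE" || return 1
    printf '%s' "-Psigning.keyId=$SIGNING_KEY_ID -Psigning.password=$SIGNING_PASSWORD -Psigning.secretKeyRingFile=$SIGNING_SECRET_KEY_RING_FILE"
}
```

Source this file from the `before_install` step, call `decrypt_keyring secring.gpg.enc "$SIGNING_SECRET_KEY_RING_FILE"`, and run `gradle clean build publish $(gradle_signing_args)` in the `script` step. Because `require_env` runs first, a pull-request build from a fork, where Travis does not expose the secure variables, fails with a clear message instead of a confusing signing error. Keep `set -x` off around that call: the password is on the command line, and tracing would echo it into the public build log.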