docs: add section for gradle signing key
timonback committed Jun 29, 2024
1 parent c476cbf commit 4aabc7f
Showing 1 changed file with 29 additions and 3 deletions.
32 changes: 29 additions & 3 deletions RELEASING.md
Expand Up @@ -10,8 +10,34 @@ The following list describe the steps necessary to release a new version.
4. Kafka: https://kafka.demo.springwolf.dev/
5. SNS: https://sns.demo.springwolf.dev/
6. SQS: https://sqs.demo.springwolf.dev/
7. STOMP (WebSocket): https://stomp.demo.springwolf.dev/
3. Update `all-contributors` in [README.md](README.md)
4. Remove the `-SNAPHSOT` postfix in `.env`, create a new branch `release/0.X.X` (version number), commit & push
4. Create a new branch `release/1.<minor-version-number>.X`, remove the `-SNAPHSOT` postfix in `.env`, commit & push
5. Run GitHub `Publish releases` pipeline from the newly created release branch
6. Update version number on website
7. Update the version number in `.env` for next snapshot on branch `master`, commit & push
6. Update the version number in `.env` for next snapshot on branch `master`, commit & push
7. Update version number on website
8. Publish the release notes on GitHub (https://github.com/springwolf/springwolf-core/releases)

## GPG Key for signing the release artifacts

A valid and published GPG key is required for publishing to Sonatype maven.

> The current key can be obtained via:
> `gpg --keyserver keyserver.ubuntu.com --search-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`
As documented in [gradle signing plugin](https://docs.gradle.org/current/userguide/signing_plugin.html),
`gpg` is used for artifact signing.

Steps to create a new key:
1. Generate a new GPG key: `gpg --full-generate-key`
2. Get key id: `gpg --list-secret-keys --keyid-format LONG`
3. Export key for backup in secure storage:
- Private key: `gpg --armor --export-secret-key 75ABBF11907B8027 > springwolf.gpg.key`
- Public key: `gpg --armor --export 75ABBF11907B8027 > springwolf.gpg.pub`
- Revocation cert: `gpg --output springwolf.gpg.revoke.asc --gen-revoke 5A86573F7588809B50EB8EF475ABBF11907B8027`
- And your key password
4. Upload key: `gpg --keyserver keyserver.ubuntu.com --send-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`
5. Verify key was uploaded (after a couple seconds): `gpg --keyserver keyserver.ubuntu.com --search-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`
6. Add secret to GitHub:
- `SIGNINGKEY` is the content of `springwolf.gpg.key`
- `SIGNINGPASSWORD` is the password used to generate the key
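
Review bot: In step 3 of "Steps to create a new key", the private key export redirects to a relative path (`> springwolf.gpg.key`), so when the command is run from a checkout the armored secret key, the public key and the revocation cert all land in the working tree where they can be committed by accident. Suggest writing them to a directory outside the repository (or adding `springwolf.gpg.*` to `.gitignore`) and adding a step to delete the local files once they are in secure storage and in the `SIGNINGKEY` secret. Steps 3 to 5 also hardcode the current key's id (`75ABBF11907B8027`) and fingerprint (`5A86573F7588809B50EB8EF475ABBF11907B8027`) in instructions meant for a newly generated key; a placeholder such as `<KEY_ID>` taken from the output of step 2 would avoid someone exporting or uploading the old key. Two smaller points: the new step 4 carries over the `-SNAPHSOT` typo (should be `-SNAPSHOT`), and the blockquote holding the `--search-keys` command needs a blank line after it, otherwise "As documented in ..." is rendered as part of the quote.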
