tycho-gpg:sign-p2-artifacts
Full name: org.eclipse.tycho:tycho-gpg-plugin:4.0.5:sign-p2-artifacts
Description:
Modifies the p2 metadata (artifacts.xml) to add a PGP signature to each included artifact. A signature is added as a pgp.signatures property on the artifact metadata, in armored form; and the public key of the signer is optionally added as a pgp.publicKeys property on the repository metadata, in armored form, and/or optionally added as a pgp.publicKeys property on the artifact metadata, in armored form.
See also: Using PGP signatures in p2
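A post-build check of the metadata this goal writes, as an added example that is not part of the plugin or its documentation. It assumes the usual p2 simple-repository layout of artifacts.xml (repository/properties and repository/artifacts/artifact/properties), and the sample document and its armored blocks are constructed placeholders.

```python
import xml.etree.ElementTree as ET

SIG_HEADER = "-----BEGIN PGP SIGNATURE-----"
KEY_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"

# Constructed sample: the p2 artifacts.xml layout is assumed, and the armored
# blocks are placeholders, not real PGP data.
SAMPLE = """<repository name='example' version='1'>
  <properties size='1'>
    <property name='pgp.publicKeys' value='-----BEGIN PGP PUBLIC KEY BLOCK-----&#xA;PLACEHOLDER'/>
  </properties>
  <artifacts size='3'>
    <artifact classifier='osgi.bundle' id='com.example.signed' version='1.0.0'>
      <properties size='1'><property name='pgp.signatures' value='-----BEGIN PGP SIGNATURE-----&#xA;PLACEHOLDER'/></properties>
    </artifact>
    <artifact classifier='osgi.bundle' id='com.example.unsigned' version='1.0.0'>
      <properties size='1'><property name='download.size' value='1024'/></properties>
    </artifact>
    <artifact classifier='binary' id='com.example.broken' version='1.0.0'>
      <properties size='1'><property name='pgp.signatures' value='not armored'/></properties>
    </artifact>
  </artifacts>
</repository>"""

def _props(element):
    # name -> value map of the element's direct <properties> child
    return {p.get("name"): p.get("value", "").strip() for p in element.findall("./properties/property")}

def audit_pgp_metadata(xml_text):
    """Sort artifacts by the state of their pgp.signatures property."""
    root = ET.fromstring(xml_text)
    repo_has_key = _props(root).get("pgp.publicKeys", "").startswith(KEY_HEADER)
    report = {"repo_has_key": repo_has_key, "signed": [], "unsigned": [],
              "malformed": [], "no_key": []}
    for art in root.findall("./artifacts/artifact"):
        name = ":".join(art.get(a, "") for a in ("classifier", "id", "version"))
        props = _props(art)
        sig = props.get("pgp.signatures")
        if sig is None:
            report["unsigned"].append(name)  # may be intended (skipIfJarsigned, skipBinaries)
        elif not sig.startswith(SIG_HEADER):
            report["malformed"].append(name)  # property present but not an armored signature
        else:
            report["signed"].append(name)
            if not (repo_has_key or props.get("pgp.publicKeys", "").startswith(KEY_HEADER)):
                report["no_key"].append(name)  # signed, but no public key shipped alongside
    return report
```

The check covers presence and armoring of the properties only; it does not verify the signatures cryptographically.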
Attributes:
- Requires a Maven project to be executed.
- The goal is not marked as thread-safe and thus does not support parallel builds.
- Binds by default to the lifecycle phase: prepare-package.
Optional Parameters
Name | Type | Since | Description |
---|---|---|---|
<addPublicKeyToArtifacts> | boolean | - | Configure to true to add the public key of the signature to each signed artifact's metadata. Default: true. Alias: addPublicKeysToArtifacts |
<addPublicKeyToRepo> | boolean | - | Configure to true to add the public key of each signature to the repository's metadata. Default: true |
<defaultKeyring> | boolean | 1.2 | Whether to add the default keyrings from gpg's home directory to the list of used keyrings. Default: true. User Property: gpg.defaultKeyring |
<executable> | String | 1.1 | The path to the GnuPG executable to use for artifact signing. Defaults to either "gpg" or "gpg.exe" depending on the operating system. User Property: gpg.executable |
<forceSignature> | List<String> | - | Specifies artifacts that should be signed independently of other settings, e.g., skipIfJarsigned, skipIfJarsignedAndAnchored, and skipBinaries. |
<gpgArguments> | List<String> | 1.5 | Sets the arguments to be passed to gpg. Example: <gpgArguments> <arg>--no-random-seed-file</arg> <arg>--no-permission-warning</arg> </gpgArguments> |
<homedir> | File | 1.0 | The directory from which gpg will load keyrings. If not specified, gpg will use the value configured for its installation, e.g. ~/.gnupg or %APPDATA%/gnupg. User Property: gpg.homedir |
<keyname> | String | - | The "name" of the key to sign with. Passed to gpg as --local-user. User Property: gpg.keyname |
<lockMode> | String | 1.5 | The lock mode to use when invoking gpg. By default no lock mode will be specified. Valid values are once, multiple and never. The lock mode gets translated into the corresponding --lock-___ command line argument. Improper usage of this option may lead to data and key corruption. See also: the --lock-options. User Property: gpg.lockMode |
<passphrase> | String | - | The passphrase to use when signing. If not given, the value is looked up under Maven settings using the server id from the 'passphraseServerKey' configuration. User Property: gpg.passphrase |
<passphraseServerId> | String | 1.6 | Server id under which to look up the passphrase in Maven settings. Default: gpg.passphrase. User Property: gpg.passphraseServerId |
<pgpKeyBehavior> | SignRepositoryArtifactsMojo$PGPKeyBehavior | - | Configures how to generate PGP signatures for artifacts that already have one or more PGP signatures: skip to generate no new PGP signature, replace to replace the existing signature(s) with a new signature, and merge to add a new signature to any existing signature(s). Default: skip |
<publicKeyring> | String | 1.2 | The path to a public keyring to add to the list of keyrings. By default, only the pubring.gpg from gpg's home directory is considered. Use this option (and defaultKeyring if required) to use a different public key. Note: Relative paths are resolved against gpg's home directory, not the project base directory. User Property: gpg.publicKeyring |
<repository> | File | - | The repository location. Default: ${project.build.directory}/repository |
<secretKeyring> | String | 1.2 | The path to a secret keyring to add to the list of keyrings. By default, only the secring.gpg from gpg's home directory is considered. Use this option (in combination with publicKeyring and defaultKeyring if required) to use a different secret key. Note: Relative paths are resolved against gpg's home directory, not the project base directory. User Property: gpg.secretKeyring |
<secretKeys> | File | - | Configure the Bouncy Castle signer to load the secret keys, stored in armored form, from the specified file. This avoids needing to import the keys into GnuPG's keybox. User Property: tycho.pgp.signer.bc.secretKeys |
<signer> | String | - | Configure the signer used for PGP signing. Currently supported are gpg for launching the native gpg executable, and bc for using Bouncy Castle libraries. The latter is much faster and, because it can sign in parallel, very much faster overall. Default: gpg. User Property: tycho.pgp.signer |
<skipBinaries> | boolean | - | Configure to true to generate a PGP signature for binary artifacts. Default: true |
<skipIfJarsigned> | boolean | - | Configure to true to generate a PGP signature only for artifacts that are not signed by a jarsigner. Default: true |
<skipIfJarsignedAndAnchored> | boolean | - | Configure to true to generate a PGP signature only for artifacts that do not contain a signature that's anchored in Java's trust store, i.e., anchored in the JDK's cacerts. A JCA certificate, for example, is never anchored. Default: true |
<useAgent> | boolean | - | Passes --use-agent or --no-use-agent to gpg. If using an agent, the passphrase is optional as the agent will provide it. For gpg2, specify true as --no-use-agent was removed in gpg2 and doesn't ask for a passphrase anymore. Default: true. User Property: gpg.useagent |
Parameter Details
<addPublicKeyToArtifacts>
Configure to true to add the public key of the signature to each signed artifact's metadata.
- Type: boolean
- Required: No
- Default: true
- Alias: addPublicKeysToArtifacts
<addPublicKeyToRepo>
Configure to true to add the public key of each signature to the repository's metadata.
- Type: boolean
- Required: No
- Default: true
<defaultKeyring>
Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
- Type: boolean
- Since: 1.2
- Required: No
- User Property: gpg.defaultKeyring
- Default: true
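<executable>
The path to the GnuPG executable to use for artifact signing. Defaults to either "gpg" or "gpg.exe" depending on the operating system.
- Type: java.lang.String
- Since: 1.1
- Required: No
- User Property: gpg.executable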
<forceSignature>
Specifies artifacts that should be signed independently of other settings, e.g., skipIfJarsigned, skipIfJarsignedAndAnchored, and skipBinaries.
- Type: java.util.List<java.lang.String>
- Required: No
<gpgArguments>
Sets the arguments to be passed to gpg. Example: <gpgArguments> <arg>--no-random-seed-file</arg> <arg>--no-permission-warning</arg> </gpgArguments>
- Type: java.util.List<java.lang.String>
- Since: 1.5
- Required: No
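<homedir>
The directory from which gpg will load keyrings. If not specified, gpg will use the value configured for its installation, e.g. ~/.gnupg or %APPDATA%/gnupg.
- Type: java.io.File
- Since: 1.0
- Required: No
- User Property: gpg.homedir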
<keyname>
The "name" of the key to sign with. Passed to gpg as --local-user.
- Type: java.lang.String
- Required: No
- User Property: gpg.keyname
<lockMode>
The lock mode to use when invoking gpg. By default no lock mode will be specified. Valid values are once, multiple and never. The lock mode gets translated into the corresponding --lock-___ command line argument. Improper usage of this option may lead to data and key corruption. See also: the --lock-options
- Type: java.lang.String
- Since: 1.5
- Required: No
- User Property: gpg.lockMode
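<passphrase>
The passphrase to use when signing. If not given, the value is looked up under Maven settings using the server id from the 'passphraseServerKey' configuration.
- Type: java.lang.String
- Required: No
- User Property: gpg.passphrase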
<passphraseServerId>
Server id under which to look up the passphrase in Maven settings.
- Type: java.lang.String
- Since: 1.6
- Required: No
- User Property: gpg.passphraseServerId
- Default: gpg.passphrase
<pgpKeyBehavior>
Configures how to generate PGP signatures for artifacts that already have one or more PGP signatures: skip to generate no new PGP signature, replace to replace the existing signature(s) with a new signature, and merge to add a new signature to any existing signature(s).
- Type: org.eclipse.tycho.gpg.SignRepositoryArtifactsMojo$PGPKeyBehavior
- Required: No
- Default: skip
<publicKeyring>
The path to a public keyring to add to the list of keyrings. By default, only the pubring.gpg from gpg's home directory is considered. Use this option (and defaultKeyring if required) to use a different public key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
- Type: java.lang.String
- Since: 1.2
- Required: No
- User Property: gpg.publicKeyring
<repository>
The repository location.
- Type: java.io.File
- Required: No
- Default: ${project.build.directory}/repository
<secretKeyring>
The path to a secret keyring to add to the list of keyrings. By default, only the secring.gpg from gpg's home directory is considered. Use this option (in combination with publicKeyring and defaultKeyring if required) to use a different secret key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
- Type: java.lang.String
- Since: 1.2
- Required: No
- User Property: gpg.secretKeyring
<secretKeys>
Configure the Bouncy Castle signer to load the secret keys, stored in armored form, from the specified file. This avoids needing to import the keys into GnuPG's keybox.
- Type: java.io.File
- Required: No
- User Property: tycho.pgp.signer.bc.secretKeys
<signer>
Configure the signer used for PGP signing. Currently supported are gpg for launching the native gpg executable, and bc for using Bouncy Castle libraries. The latter is much faster and, because it can sign in parallel, very much faster overall.
- Type: java.lang.String
- Required: No
- User Property: tycho.pgp.signer
- Default: gpg
<skipBinaries>
Configure to true to generate a PGP signature for binary artifacts.
- Type: boolean
- Required: No
- Default: true
<skipIfJarsigned>
Configure to true to generate a PGP signature only for artifacts that are not signed by a jarsigner.
- Type: boolean
- Required: No
- Default: true
<skipIfJarsignedAndAnchored>
Configure to true to generate a PGP signature only for artifacts that do not contain a signature that's anchored in Java's trust store, i.e., anchored in the JDK's cacerts. A JCA certificate, for example, is never anchored.
- Type: boolean
- Required: No
- Default: true
<useAgent>
Passes --use-agent or --no-use-agent to gpg. If using an agent, the passphrase is optional as the agent will provide it. For gpg2, specify true as --no-use-agent was removed in gpg2 and doesn't ask for a passphrase anymore.
- Type: boolean
- Required: No
- User Property: gpg.useagent
- Default: true