{"id":16371100,"url":"https://github.com/jodersky/sbt-gpg","last_synced_at":"2025-05-12T03:32:13.971Z","repository":{"id":47406524,"uuid":"129035930","full_name":"jodersky/sbt-gpg","owner":"jodersky","description":"Simple and secure artifact signing for sbt.","archived":false,"fork":false,"pushed_at":"2024-09-03T21:33:35.000Z","size":55,"stargazers_count":49,"open_issues_count":3,"forks_count":3,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-31T23:51:08.425Z","etag":null,"topics":["gpg","sbt-plugin"],"latest_commit_sha":null,"homepage":null,"language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jodersky.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-04-11T04:50:27.000Z","updated_at":"2025-02-14T23:10:24.000Z","dependencies_parsed_at":"2024-10-28T09:13:00.494Z","dependency_job_id":"f74c70be-79a0-424e-8961-87ed3d8bde60","html_url":"https://github.com/jodersky/sbt-gpg","commit_stats":{"total_commits":36,"total_committers":3,"mean_commits":12.0,"dds":"0.33333333333333337","last_synced_commit":"efcba49fc9d8e07d84f05b5d48386f72bbb81e1a"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jodersky%2Fsbt-gpg","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jodersky%2Fsbt-gpg/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jodersky%2Fsbt-gpg/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jodersky%2Fsbt-gpg/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jodersky","download_url":"https://codeload.github.com/jodersky/sbt-gpg/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253668121,"owners_count":21944985,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gpg","sbt-plugin"],"created_at":"2024-10-11T03:07:00.107Z","updated_at":"2025-05-12T03:32:13.647Z","avatar_url":"https://github.com/jodersky.png","language":"Scala","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Build Status](https://travis-ci.org/jodersky/sbt-gpg.svg?branch=master)](https://travis-ci.org/jodersky/sbt-gpg)\n\n# sbt-gpg\n\nSimple and secure artifact signing for sbt.\n\nThis sbt plugin aims to make artifact signing simple and\nunobtrusive. It is guided by two core ideas:\n\n1. easy configuration with sane defaults\n2. use of standard cryptography tools (gpg)\n\nThe motivation is that these principles are both essential for\npromoting secure builds.\n\n## Highlights\n\n- Uses the system command `gpg` to do all operations. *This enables\n  advanced features such as use of smartcards, key splitting, or cutting-edge\n  ciphers.*\n\n- Hooks into the `publish` and `publishLocal` tasks. *All artifacts\n  will be signed; there is no need to run a separate `publishSigned`\n  task.*\n\n- Unobtrusive configuration. *Key selection can be done through sbt's\n  `credentials` mechanism, thus enabling global configuration without\n  the need of adding a global plugin.*\n\n- Works out-of-the-box. *`publishLocal` falls back to unsigned artifacts\n  in case key material cannot be found, after emitting an explicit\n  warning. `publish` will fail the build by default if signing fails to avoid accidentally publishing unsigned artifacts, though you can override this with a setting.*\n  \n## Requirements\n\n- sbt version \u003e= 1.0.0\n- gpg installed on user's machine (this requirement won't get in the\n  way of a user's productivity; missing gpg will simply disable the\n  functionality provided by this plugin)\n\n## Getting started\nLatest available tag: [![Scaladex](https://index.scala-lang.org/jodersky/sbt-gpg/latest.svg)](https://index.scala-lang.org/jodersky/sbt-gpg)\n```sbt\naddSbtPlugin(\"io.crashbox\" % \"sbt-gpg\" % \"\u003clatest_tag\u003e\")\n```\nCopy the above snippet to an sbt configuration file. E.g.\n\n- `project/plugins.sbt` to enable the plugin on a per-project basis\n- `~/.sbt/1.0/plugins/gpg.sbt` to enable the plugin globally (not recommended)\n\nThat's it! The autoplugin \"SbtGpg\" will now be enabled for the given\nproject(s). It will modify the `publish` and `publishLocal` tasks to\nalways include signatures of all published artifacts.\n\nThe default configuration will pick up local GPG settings. See the\nnext section to find out how to customize the plugin.\n\n## Configuration\n\n### Signing key\nBy default, all signing operations will use `gpg`'s default key. A\nspecific key can be used by setting sbt `Credentials` for the host\n\"gpg\".\n\n```sbt\ncredentials += Credentials(\n  \"GnuPG Key ID\",\n  \"gpg\",\n  \"4E7DA7B5A0F86992D6EB3F514601878662E33372\", // key identifier\n  \"ignored\" // this field is ignored; passwords are supplied by pinentry\n)\n```\n\nThe user name (3rd field, \"key identifier\" in the snippet above) will\ndetermine the key to use and can be any valid key id, fingerprint,\nemail or user accepted by GPG.\n\n### Other settings\nCheck out the [autoplugin definition](src/main/scala/SbtGpg.scala) for\nan exhaustive list of settings and tasks that can be customized.\n\n## Securely Publishing Locally\n\nSome projects use the \"release from the maintainer's laptop\" strategy. There's nothing *specifically* wrong with this strategy from a security standpoint, so long as the maintainer in question practices good security hygiene and protects their signing key appropriately (hint: *strongly* consider a YubiKey or similar if you maintain OSS projects; it's quite cheap and solves a major security vulnerability).\n\nThis plugin is well-optimized for this publication strategy, and in fact it is the secure default! You don't need to do anything to publish using a local key. Simply invoke `publish` (as described above), securely unlock your key when prompted by `pinentry`, and all of the signing and key management will be handled for you.\n\n## Securely Publishing in Travis (and other CI)\n\n*Note: These instructions are written in terms of Travis, since it is probably the most common CI server in use today, but they are easily applicable to any which supports secure key management.*\n\nIt is very common to configure your CI server (Travis or otherwise) to perform the artifact signing and publication tasks. Conventionally, builds generally rely upon GPG's key encryption functionality to apply a decryption password to the key. The (password-protected) signing key is then checked in with the source code while the decryption password is encrypted and managed by the CI server. At build-time, this password is decrypted and injected into the build using an environment variable, closing the loop and allowing the CI server to securely decrypt the signing key and publish the artifacts.\n\nThis scheme works well when SBT manages signing key passwords and decryption (as in sbt-pgp). It works quite poorly when securely delegating to `pinentry`, as is the case with this plugin.\n\nThe solution is to *not* password-protect the CI signing key and instead encrypt it explicitly using `openssl`.\n\nTo generate a new key without passphrase protection, simply press Enter when prompted for the passphrase and select the option \"Continue without passphrase protection\".\n\nNext, you should have your CI signing key in your local GPG keyring. Let's assume this key has an ID of `1234ABCD`. Run the following commands within your project root:\n\n```bash\n$ gpg --export-secret-keys -a 1234ABCD \u003e key.asc\n$ travis encrypt-file key.asc --add\n$ rm key.asc\n$ git add key.asc.enc\n$ git commit\n```\n\nReplace [`travis encrypt-file`](https://github.com/travis-ci/travis.rb#encrypt-file) with whatever mechanism is required to securely encrypt files for your CI solution. You may omit the `--add` switch and manually modify your `.travis.yml` if you prefer. Travis' file encryption documentation is [here](https://docs.travis-ci.com/user/encrypting-files/).\n\nThese steps handle securely materializing a plain-text (*not* password protected!) secret key on your CI server. The only remaining task is to make it available to `gpg` on your CI so that it can be picked up by sbt-gpg. If using Travis, add the following to your `.travis.yml`:\n\n```yaml\nbefore_script: gpg --import key.asc\n```\n\n### Best Practices\n\nDo **NOT** use your personal GPG key for CI signing! Ever. Your personal private key should never leave your laptop. In fact, it probably shouldn't be on your laptop at all. Strongly consider YubiKey or similar. Never, *ever* enter the decryption password (or smartcard PIN) for your private key into anything other than `pinentry` on your local machine. If you're using MacGPG (which you should be, if using macOS), this dialog will look similar to the following:\n\n![macgpg-pinentry](https://i.imgur.com/ciol75g.png)\n\nIf you are using your CI server to sign artifacts, your CI server should have *its own* public/private key pair, generated by you (or someone else on your team). You probably also want to sign that CI key with your own key, establishing a chain of trust (assuming the CI signing key has ID `1234AVCD`):\n\n```bash\n$ gpg --sign-key 1234ABCD\n$ gpg --send-key 1234ABCD\n```\n\nThis is *not* the same as using your personal key for CI signing!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjodersky%2Fsbt-gpg","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjodersky%2Fsbt-gpg","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjodersky%2Fsbt-gpg/lists"}