{"id":19248994,"url":"https://github.com/sbt/sbt-pgp","last_synced_at":"2025-05-15T12:02:32.481Z","repository":{"id":1629630,"uuid":"2349416","full_name":"sbt/sbt-pgp","owner":"sbt","description":"PGP plugin for sbt","archived":false,"fork":false,"pushed_at":"2025-03-13T03:17:33.000Z","size":2024,"stargazers_count":146,"open_issues_count":19,"forks_count":56,"subscribers_count":6,"default_branch":"develop","last_synced_at":"2025-05-15T12:02:12.700Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Scala","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"2600hz-archive/xbar-importer","license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sbt.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2011-09-08T15:58:10.000Z","updated_at":"2025-03-13T03:14:55.000Z","dependencies_parsed_at":"2024-11-16T19:02:52.256Z","dependency_job_id":"7c888774-4267-48ac-99dd-5c3635d664fd","html_url":"https://github.com/sbt/sbt-pgp","commit_stats":{"total_commits":271,"total_committers":34,"mean_commits":7.970588235294118,"dds":0.5350553505535056,"last_synced_commit":"5a37ffb8058c9ae0a21af8399314fb5c47951edd"},"previous_names":[],"tags_count":41,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-pgp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-pgp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-pgp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sbt%2Fsbt-pgp/manifests","owner_url":"ht
tps://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sbt","download_url":"https://codeload.github.com/sbt/sbt-pgp/tar.gz/refs/heads/develop","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254337612,"owners_count":22054253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-09T18:11:59.859Z","updated_at":"2025-05-15T12:02:32.429Z","avatar_url":"https://github.com/sbt.png","language":"Scala","readme":"sbt-pgp\n=======\n\nsbt-pgp provides PGP signing for sbt.\n\nSome OSS repositories (e.g. Sonatype) will require that you sign artifacts with publicly available keys prior to release. The primary purpose of sbt-pgp is to let you sign the artifacts using a GPG key.\n\nSetup\n-----\n\n[![sbt-pgp Scala version support](https://index.scala-lang.org/sbt/sbt-pgp/sbt-pgp/latest-by-scala-version.svg?targetType=Sbt)](https://index.scala-lang.org/sbt/sbt-pgp/sbt-pgp)\n\n\nAdd the following to your `project/plugins.sbt` file:\n\n```scala\naddSbtPlugin(\"com.github.sbt\" % \"sbt-pgp\" % \"x.y.z\")\n```\n\n**Note**: We changed the organization from `\"com.jsuereth\"` to `\"com.github.sbt\"`.\n\nUsage\n-----\n\nThere are two modes of use:\n\n- By default sbt-pgp 2.0.0+ will use the `gpg` command-line utility (GNU Privacy Guard, \"GnuPG\"). It provides great support and is available on many platforms.  
You'll need to make sure this is installed prior to usage as this dependency is not provided.\n- Prior to sbt-pgp 2.0.0, `sbt-pgp` used the [Bouncy Castle](http://www.bouncycastle.org/) library, an implementation of PGP that is included with the plugin. It is a Java-only solution that gives the plugin great flexibility in what it can do and how it performs it.\n\n### Install GnuPG (or GNU Privacy Guard, GPG)\n\nFirst, please check that you have a recent version of GPG (GNU Privacy Guard, \"GnuPG\") on your system. If not, install it from \u003chttp://www.gnupg.org/download/\u003e or your favorite package manager. For macOS, we recommend using [GPG Suite](https://gpgtools.org/).\n\n```\n$ gpg --version\ngpg (GnuPG/MacGPG2) 2.2.17\nlibgcrypt 1.8.4\nCopyright (C) 2019 Free Software Foundation, Inc.\nLicense GPLv3+: GNU GPL version 3 or later \u003chttps://gnu.org/licenses/gpl.html\u003e\nThis is free software: you are free to change and redistribute it.\nThere is NO WARRANTY, to the extent permitted by law.\n\nHome: /Users/xxxx/.gnupg\nSupported algorithms:\nPubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA\nCipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,\n        CAMELLIA128, CAMELLIA192, CAMELLIA256\nHash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224\nCompression: Uncompressed, ZIP, ZLIB, BZIP2\n```\n\nYou should also have a program named `gpg-agent` running in the background.\n\n```\n$ ps aux | grep gpg\need3si9n          5157   0.0  0.0  4317860    972   ??  Ss    7:17PM   0:00.02 gpg-agent --homedir /Users/eed3si9n/.gnupg --use-standard-socket --daemon\need3si9n          2734   0.0  0.0  4300360    732   ??  
S     6:56PM   0:00.02 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent\need3si9n          5291   0.0  0.0  4277252    824 s002  S+    7:24PM   0:00.00 grep gpg\n```\n\nIf you're using [GPG Suite](https://gpgtools.org/), navigate to Preferences \u003e GPG Suite, and uncheck \"Store in macOS Keychain\" to prevent your passphrase from being stored on your laptop.\n\n### Working with PGP signatures\n\nSee [Working with PGP Signatures](https://central.sonatype.org/pages/working-with-pgp-signatures.html) for details.\n\nA key pair allows you to sign artifacts with GPG, and users can subsequently validate that artifacts have been signed by you. You can generate a key with:\n\n```\n$ gpg --gen-key\n```\n\nSelect the default value when asked for the kind (RSA) and the size (2048bit) of the key. The time of validity for the key defaults to never expire. However, it is commonly suggested to use a value of less than 2 years. Once the key is expired you can extend it, provided you own the key and therefore know the passphrase.\n\nOnce the key pair is generated, we can list it along with any other keys installed:\n\n```\n$ gpg --list-keys\n/Users/xxx/.gnupg/pubring.gpg\n----------------------------------\npub   dsa2048 2010-08-19 [SC] [expires: 2020-06-15]\n      85E38F69046B44C1EC9FB07B76D78F0500D026C4\nuid           [ultimate] GPGTools Team \u003cteam@gpgtools.org\u003e\nuid           [ultimate] GPGTools Project Team (Official OpenPGP Key) \u003cgpgtools-org@lists.gpgtools.org\u003e\nuid           [ultimate] GPGMail Project Team (Official OpenPGP Key) \u003cgpgmail-devel@lists.gpgmail.org\u003e\nuid           [ultimate] [jpeg image of size 5871]\nsub   elg2048 2010-08-19 [E] [expires: 2020-06-15]\nsub   rsa4096 2014-04-08 [S] [expires: 2024-01-02]\n\npub   rsa2048 2012-02-14 [SCEA] [expires: 2028-02-09]\n      2BE67AC00D699E04E840B7FE29967E804D85663F\nuid           [ultimate] Eugene Yokota \u003ceed3si9n@gmail.com\u003e\nsub   rsa2048 2012-02-14 [SEA] [expires: 
2028-02-09]\n\n....\n```\n\nTo list the private keys you can use:\n\n```\n$ gpg --list-secret-keys\n/Users/xxx/.gnupg/pubring.gpg\n----------------------------------\nsec   rsa2048 2012-02-14 [SCEA] [expires: 2028-02-09]\n      2BE67AC00D699E04E840B7FE29967E804D85663F\nuid           [ultimate] Eugene Yokota \u003ceed3si9n@gmail.com\u003e\nssb   rsa2048 2012-02-14 [SEA] [expires: 2028-02-09]\n```\n\nSince other people need your **public** key to verify your files, you have to distribute your public key to a key server:\n\n```\n$ gpg --keyserver keyserver.ubuntu.com --send-keys 2BE67AC00D699E04E840B7FE29967E804D85663F\n```\n\n### Importing key pair\n\nIf you have previously created a key pair using sbt-pgp 1.x's `pgp-cmd` for example, your secret key should be at `$HOME/.sbt/gpg/secring.asc`. You can import this to GnuPG as follows:\n\n```\n$ gpg --import $HOME/.sbt/gpg/secring.asc\ngpg: /root/.gnupg/trustdb.gpg: trustdb created\ngpg: key 77098E6A92692949: public key \"foo \u003cfoo@example.com\u003e\" imported\ngpg: key 77098E6A92692949: secret key imported\ngpg: Total number processed: 1\ngpg:               imported: 1\ngpg:       secret keys read: 1\ngpg:   secret keys imported:\n\ngpg --list-key\n/root/.gnupg/pubring.kbx\n------------------------\npub   rsa2048 2019-09-15 [SCEA]\n      965F25CC72DF4F2A4358AC9B77098E6A92692949\nuid           [ unknown] foo \u003cfoo@example.com\u003e\n```\n\nNext, see [signing key](#configuration-signing-key) section below to set `965F25CC72DF4F2A4358AC9B77098E6A92692949` as the signing key.\n\n### Publishing from Travis CI\n\nSee [sbt-ci-release](https://github.com/olafurpg/sbt-ci-release).\n\n### Publishing Artifacts\n\nTo publish signed artifacts, use `publishSigned` or `publishLocalSigned`.\n\n### Skipping publishing\n\nTo skip the publish step for a subproject, set `publish / skip` to `true`.\n\n```\npublish / skip := true\n```\n\n### PIN entry (passphrase entry)\n\nIf you've configured your gpg-agent with [GPG 
Suite](https://gpgtools.org/), it should ask for the passphrase when you run `publishLocalSigned`:\n\n![pinentry](doc/pinentry.png)\n\nNote: It might take 30s or more for the dialog to show up.\n\nOtherwise, add a `pinentry-program` line to `~/.gnupg/gpg-agent.conf` with the appropriate path to a pinentry program:\n\n```\npinentry-program /usr/bin/pinentry\ndefault-cache-ttl 600\nmax-cache-ttl 7200\n```\n\nYou might need to restart the gpg-agent for the setting to take effect.\n\n#### Automating PIN entry (passphrase Entry)\n\nsbt-pgp 1.x provided ways of storing the passphrase using `pgpPassphrase` or in the credentials, but we no longer recommend using these methods on your laptop.\n\nIn a CI environment like Travis CI, you might want to automate passphrase entry. For that purpose sbt-pgp supports the `PGP_PASSPHRASE` environment variable, following [olafurpg/sbt-ci-release](https://github.com/olafurpg/sbt-ci-release).\n\n### Configuration: Signing Key\n\nBy default, all signing operations will use `gpg`'s default key. A specific key can be used by setting sbt `Credentials` for the host \"gpg\".\n\n```scala\ncredentials += Credentials(\n  \"GnuPG Key ID\",\n  \"gpg\",\n  \"2BE67AC00D699E04E840B7FE29967E804D85663F\", // key identifier\n  \"ignored\" // this field is ignored; passwords are supplied by pinentry\n)\n```\n\n**Note**: This follows the convention set by [jodersky/sbt-gpg](https://github.com/jodersky/sbt-gpg).\n\nYou can also use the `usePgpKeyHex` method.\n\n```scala\nusePgpKeyHex(\"2BE67AC00D699E04E840B7FE29967E804D85663F\")\n```\n\n### OpenPGP Support\n\nIf you are using a [Yubikey 4](https://support.yubico.com/support/solutions/articles/15000006486-yubikey-4) or another smartcard that [supports OpenPGP](https://incenp.org/notes/2016/openpgp-card-implementations.html), then you may have private keys implemented directly on the smartcard rather than using the gpg keyring.  
In this situation, you will use `gpg-agent` and a pinentry (`pinentry-mac`, `pinentry-qt`, `pinentry-curses` etc) rather than a passphrase.  Set `useGpgPinentry := true` in your `build.sbt` settings to configure `sbt-pgp` appropriately.\n\n```scala\nGlobal / useGpgPinentry := true\n```\n\nNote that `sbt-pgp` only supports OpenPGP through the GPG command line tool -- it is not available through bouncycastle.  In addition, you may need to explicitly [enable support for OpenPGP on the Yubikey 4](https://github.com/drduh/YubiKey-Guide).\n\n### Configuration: gpg command-line\n\n`sbt-pgp` needs to know where the `gpg` executable is to run.  It will look for either a `gpg` or `gpg.exe` executable on your `PATH` depending on your platform.  To configure a different location, place the following in your `~/.sbt/gpg.sbt` file:\n\n```scala\nGlobal / gpgCommand := \"/path/to/gpg\"\n```\n\nBy default `sbt-pgp` will use the default private keys from the standard gpg keyrings.\nYou can configure the key ring you use with the `pgpKeyRing` setting.\n\n```scala\nGlobal / pgpKeyRing := Some(file(\"/home/me/pgp/pubring.gpg\"))\n```\n\nIf specified, this is passed to the `gpg` command as `--no-default-keyring --keyring \u003cvalue\u003e`.\n\n### Validating PGP Keys\n\nThe plugin can be used to validate the PGP signatures of the dependencies of the project you're using.   
To validate these signatures, simply use the `checkPgpSignatures` task:\n\n```\n\u003e checkPgpSignatures\n[info] Resolving org.scala-lang#scala-library;2.9.1 ...\n...\n[info] ----- PGP Signature Results -----\n[info]                    com.novocode : junit-interface :        0.7 : jar   [MISSING]\n[info]               javax.transaction :             jta :     1.0.1B : jar   [MISSING]\n[info]          org.scala-lang.plugins :   continuations :      2.9.1 : jar   [MISSING]\n[info]                org.apache.derby :           derby : 10.5.3.0_1 : jar   [UNTRUSTED(0x98e21827)]\n[error] {file:/home/josh/projects/typesafe/test-signing/}test-gpg/*:check-pgp-signatures: Some artifacts have bad signatures or are signed by untrusted sources!\n[error] Total time: 2 s, completed Jan 23, 2012 12:03:28 PM\n```\n\nIn the above output, the signature for derby is from an untrusted key (id: `0x98e21827`).  You can import this key into your public key ring, and then the plugin will trust artifacts from that key.   The plugin, by default, accepts any keys included in your public key ring file.\n\n### Using Bouncy Castle (deprecated)\n\nPrior to sbt-pgp 2.0.0, `sbt-pgp` used the [Bouncy Castle](http://www.bouncycastle.org/) library by default. If you can't use the `gpg` command, setting `useGpg` to `false` will use the Bouncy Castle mode:\n\n```scala\nGlobal / useGpg := false\n```\n\nOr set the `SBT_PGP_USE_GPG` environment variable to `0`.\n\nWhen using Bouncy Castle mode, `sbt-pgp` will ask for your password once, and cache it for the duration of the sbt process. 
The prompt will look something like this:\n\n```\nPlease enter PGP passphrase (or ENTER to abort): ******\n```\n","funding_links":[],"categories":["Table of Contents","Sbt plugins"],"sub_categories":["Sbt plugins"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbt%2Fsbt-pgp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsbt%2Fsbt-pgp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsbt%2Fsbt-pgp/lists"}