Skip to content

docs: add section for gradle signing key #823

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 12, 2024
Merged

docs: add section for gradle signing key #823

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 29 additions & 3 deletions RELEASING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,8 +10,34 @@ The following list describe the steps necessary to release a new version.
4. Kafka: https://kafka.demo.springwolf.dev/
5. SNS: https://sns.demo.springwolf.dev/
6. SQS: https://sqs.demo.springwolf.dev/
7. STOMP (WebSocket): https://stomp.demo.springwolf.dev/
3. Update `all-contributors` in [README.md](README.md)
4. Remove the `-SNAPHSOT` postfix in `.env`, create a new branch `release/0.X.X` (version number), commit & push
4. Create a new branch `release/1.<minor-version-number>.X`, remove the `-SNAPHSOT` postfix in `.env`, commit & push
5. Run GitHub `Publish releases` pipeline from the newly created release branch
6. Update version number on website
7. Update the version number in `.env` for next snapshot on branch `master`, commit & push
6. Update the version number in `.env` for next snapshot on branch `master`, commit & push
7. Update version number on website
8. Publish the release notes on GitHub (https://github.com/springwolf/springwolf-core/releases)

## GPG Key for signing the release artifacts

A valid and published GPG key is required for publishing to Sonatype maven.

> The current key can be obtained via:
> `gpg --keyserver keyserver.ubuntu.com --search-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`

As documented in [gradle signing plugin](https://docs.gradle.org/current/userguide/signing_plugin.html),
`gpg` is used for artifact signing.

Steps to create a new key:
1. Generate a new GPG key: `gpg --full-generate-key`
2. Get key id: `gpg --list-secret-keys --keyid-format LONG`
3. Export key for backup in secure storage:
- Private key: `gpg --armor --export-secret-key 75ABBF11907B8027 > springwolf.gpg.key`
- Public key: `gpg --armor --export 75ABBF11907B8027 > springwolf.gpg.pub`
- Revocation cert: `gpg --output springwolf.gpg.revoke.asc --gen-revoke 5A86573F7588809B50EB8EF475ABBF11907B8027`
- And your key password
4. Upload key: `gpg --keyserver keyserver.ubuntu.com --send-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`
5. Verify key was uploaded (after a couple seconds): `gpg --keyserver keyserver.ubuntu.com --search-keys 5A86573F7588809B50EB8EF475ABBF11907B8027`
6. Add secret to GitHub:
- `SIGNINGKEY` is the content of `springwolf.gpg.key`
- `SIGNINGPASSWORD` is the password used to generate the key