
How to create a gpg key

Will Sargent edited this page May 4, 2020 · 9 revisions

Why spend time on this?

No matter what publishing platform you use, it's important that you sign every release you cut. Signing releases assures users that your software has not been manipulated by third parties.

This process is so important that some repositories like Maven Central do not allow you to release software if it's not signed. Whether you publish to Maven Central or not, we strongly encourage you to follow this guide.

If you already have a personal gpg key, we recommend that you create a different one for publishing in your CI to minimize your risk in case it becomes exposed. If something happens to this key, it should not enable others to read your private email.

Steps to create your own gpg key

For Unix systems (Linux / OSX / *BSD)

  1. Create a directory to store your CI keys and cd into it: mkdir ci-keys && cd ci-keys.
  2. Generate your key with gpg --homedir . --gen-key and enter your details. Avoid special characters or spaces in these details if you are deploying with Travis CI, as they would need to be escaped.

Now that you have created your key, let's produce the ASCII files that sbt-pgp will require later on. In the same directory as before (ci-keys), follow these steps:

  1. Export the public key out of your new key: gpg --homedir . -a --export > pubring.asc.
  2. Export the secret out of your new key: gpg --homedir . -a --export-secret-keys > secring.asc.
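The two procedures above (generate the key, then export it) carried out unattended, as an added example that is not part of the original wiki page. It assumes GnuPG 2.1 or later (batch key generation and --pinentry-mode loopback); the name, e-mail address and passphrase passed in are constructed placeholders, and make_ci_key / check_exports are names chosen here, not sbt-pgp functions. It also adds two things the page does not show: an expiry date on the CI key and a permission check on secring.asc, and it prints the fingerprint you will later look for on the key server.

```shell
#!/bin/sh
# Added example, not from the original page: create a dedicated CI signing key
# in its own GnuPG home directory and export the ASCII files sbt-pgp needs.
# Assumes GnuPG 2.1+; all identity values are constructed placeholders.
set -eu

# make_ci_key DIR NAME EMAIL PASSPHRASE [KEY_LENGTH]
# Creates DIR, generates a key inside it, writes DIR/pubring.asc and
# DIR/secring.asc, and prints the new key's 40-hex-digit fingerprint.
make_ci_key() {
    dir=$1; name=$2; email=$3; pass=$4; bits=${5:-4096}

    mkdir -p "$dir"
    chmod 700 "$dir"   # gpg warns about (and may refuse) a group/world-readable home dir

    # Unattended key generation: no prompts, so this also runs on a build box.
    # Expire-Date bounds the damage if secring.asc ever leaks from CI.
    gpg --homedir "$dir" --batch --quiet --gen-key <<EOF
Key-Type: RSA
Key-Length: $bits
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
Passphrase: $pass
%commit
EOF

    # Export public and secret keys as ASCII armor (the two files the page names).
    gpg --homedir "$dir" --armor --export > "$dir/pubring.asc"
    # Note: --passphrase on the command line is visible in the process list;
    # on a shared host prefer --passphrase-file or --passphrase-fd.
    gpg --homedir "$dir" --armor --batch --pinentry-mode loopback \
        --passphrase "$pass" --export-secret-keys > "$dir/secring.asc"
    chmod 600 "$dir/secring.asc"   # only the CI user should be able to read it

    # Print the primary key fingerprint: after submitting pubring.asc to the
    # key server, search for this value to confirm the right key was published.
    gpg --homedir "$dir" --with-colons --fingerprint "$email" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_exports DIR
# Sanity-check the exported files before they go anywhere near CI:
# correct armor headers, and the secret file readable by its owner only.
check_exports() {
    dir=$1
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK'  "$dir/pubring.asc" || return 1
    grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$dir/secring.asc" || return 1
    [ "$(ls -l "$dir/secring.asc" | cut -c1-10)" = "-rw-------" ]
}

# Usage (constructed values):
#   fpr=$(make_ci_key ci-keys "CI Bot" "ci-bot@example.com" "$CI_KEY_PASSPHRASE")
#   check_exports ci-keys && echo "fingerprint: $fpr"
```

The key lives in its own --homedir exactly as the page's manual steps do, so it never mixes with your personal keyring; the passphrase you choose here is the one you will later hand to sbt-pgp in CI.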

This guide has been tested with GnuPG 2.1.21:

gpg (GnuPG) 2.1.21
libgcrypt 1.7.8
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

If you're stuck, this detailed manual can help you out.

For Windows

Read this guide and export your public and secret keys to ASCII files pubring.asc and secring.asc respectively.

Note that in Travis CI, the travis gem will error out and may not be usable on Windows.

Steps to publish your gpg key

To release your software to Maven Central, you need to publish your GPG key in a directory so that others can check that it belongs to you. There are lots of gpg directories, but we recommend the MIT pgp server.

The procedure to publish your gpg public key is as follows:

  1. Visit the website.
  2. Copy-paste the contents of pubring.asc, produced by the previous section, in the form with a "Submit a key" header.
  3. Submit the form.

Done. If there hasn't been any error, your key should now be published to the public gpg server.