-
Notifications
You must be signed in to change notification settings - Fork 20
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gpg and sigstore sign publications #602
Conversation
build.gradle.kts
Outdated
allprojects { | ||
version = rootProject.version | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was conditionally adding -SNAPSHOT
when building non-release version. I believe we would like to keep building -SNAPSHOT
versions by default.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah gotcha. I can fix that.
We explicitly skip signing Line 84 in 5f17fc9
However, Gradle treats almost everything to be PGP signable, and I doubt there's currently a way to opt-out: https://github.com/gradle/gradle/blob/6cd94ba7c5e1c4672b59b0f6a192f92855fb0043/platforms/software/signing/src/main/java/org/gradle/plugins/signing/Sign.java#L183-L184 @ljacomet , does it mean we should file an issue to Gradle so it could exclude certain files from PGP-signing? A workaround could be to avoid calling Gradle's Line 84 in 5f17fc9
sign(PublishArtifact) after we check it is not a sigstore one.
Another workaround could be removing the unwanted signatures by calling |
Signed-off-by: Appu Goundan <[email protected]>
09c766f
to
e7e41a7
Compare
I don't mind doing |
We might factor and ship this as a helper plugin so the users could produce .sigstore without .asc as well. |
unfortunately the artifacts don't all to seem be available in the afterEvaluate block. I can only modify the .module and .pom files? |
|
@vlsi, how about we merge this for now and work on the ignoring .sigstore files in an update? |
fyi @vlsi I removed the stage/vote plugin because it seemed a bit heavy weight for what I was looking for. Just simple signing.
In my tests, also these setup signing .sigstore with PGP. I'm not sure what I'm misisng.