GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → bsideup → tinsalver

bsideup / tinsalver

Licence: other
Maven Central release helper to keep your private keys private

Programming Languages

javascript
184084 projects - #8 most used programming language

TinSalver

This is a tiny script to PGP sign Maven artifacts uploaded to Sonatype Nexus.
It is especially helpful for doing releases to Maven Central.

Prerequisites

Make sure that you have an account on https://keybase.io and that you imported your PGP key.

Also, you will need to install and configure Keybase's CLI.

To run the script itself, you will need NodeJS installed on your machine.

Usage

Just release your artifacts to OSSRH Staging as usual (https://oss.sonatype.org/service/local/staging/deploy/maven2 with your Sonatype username/password), without any signatures.

Then, sign them with TinSalver:

With npx:

$ npx github:bsideup/tinsalver sign -u userOrTokenId -p passwordOrToken comexample-java-1234

Or locally:

$ npm install
$ node tinsalver.mjs sign -u userOrTokenId -p passwordOrToken comexample-java-1234

WTF is comexample-java-1234? This is your staging repo id.

You will find a list of all your "open" staging repositories in Sonatype's ultra modern Web UI:
https://oss.sonatype.org/#stagingRepositories

How it works

The script will use Nexus' API to find all artifacts in a given staging repository, download them and call keybase pgp sign to generate signatures.
Then, it will upload generated signatures to the same staging repo (hence the user/password requirement), so that it can be closed & released.

Why does it work?

Staged repositories allow uploading multiple files, meaning that the signatures can be uploaded after the CI run.

This eliminates the need to run signing during the CI, and you can sign the result (with your private key) after CI has finished uploading the artifacts.

But... does it really work?

Yes! Here is a list of projects that were released with this tool:

You can check it yourself:

$ curl https://keybase.io/bsideup/pgp_keys.asc | gpg --import
gpg: key 100306F2B3793BF3: public key "keybase.io/bsideup <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
$ 
$ wget -q https://repo1.maven.org/maven2/com/github/docker-java/docker-java-api/3.2.9/docker-java-api-3.2.9.pom{,.asc}
$ 
$ gpg --verify docker-java-api-3.2.9.pom.asc docker-java-api-3.2.9.pom
gpg: Signature made Do 17 Jun 17:22:15 2021 CEST
gpg:                using RSA key BF7CC7DEFE9389D7
gpg: Good signature from "keybase.io/bsideup <[email protected]>" [unknown]

But... Why?

Bintray was an amazing way to release to Maven Central, but it is no longer available.

As I didn't want to put my GPG private key on CI (yes, even as a secret. Yes, I know about the GHA Environments :D), I started thinking "is it possible to do what Bintray did for us, but... manually?". You're reading the result's README.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].