How to upload signed artifacts with GPG

Create a file called "gpg.rake" under the tasks directory of your project and paste the following code in it,

module GPG
  extend self

  # Define a file task that produces an ASCII-armored detached signature
  # (<pkg>.gpg). The task depends on the package so the artifact is built
  # first and the signature is regenerated whenever the package changes.
  def sign_task(pkg)
    file(pkg.to_s + '.gpg' => pkg) do
      raise 'GPG_USER environment variable is not set' unless ENV['GPG_USER']
      cmd = ['gpg',
             '--local-user', ENV['GPG_USER'],
             '--armor',
             '--output', pkg.to_s + '.gpg',
             '--detach-sig', pkg.to_s]
      # Optional passphrase. Passed as a command-line argument it is visible
      # to other local users in the process list, so prefer a gpg-agent.
      cmd += ['--passphrase', ENV['GPG_PASS']] if ENV['GPG_PASS']
      cmd << { :verbose => true }
      sh *cmd
    end
  end

  # Register a companion artifact of type "<type>.gpg" built from the
  # signature file and hook its upload into the project's upload task.
  def sign_and_upload(pkg)
    artifact = Buildr.artifact(pkg.to_spec_hash.merge(:type => "#{pkg.type}.gpg"))
    artifact.from sign_task(pkg)
    task(:upload).enhance [artifact.upload_task]
  end
end

Then in your Buildfile, simply call the sign_and_upload method on the packages you want to sign. For example,

define "my-project" do
  ...

  # sign and upload a single artifact
  GPG.sign_and_upload package(:jar)

  # sign and upload all the project's artifacts
  packages.each { |pkg| GPG.sign_and_upload(pkg) }
end

Make sure you have the gpg program in your PATH and the GPG_USER environment variable defined,

export GPG_USER=user@example.org

or

buildr upload GPG_USER=user@example.org

That's it. You're now publishing GPG signed artifacts!
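Consumers of the published artifacts should verify the detached signature and pin the publisher's key fingerprint rather than trusting any GOODSIG. The following Ruby is an added example, not part of the original page or of Buildr: parse_status interprets gpg's machine-readable --status-fd output, the sample status text and the pinned fingerprint are constructed, and verify assumes gpg is installed.

```ruby
require 'open3'

module GPGVerify
  extend self

  # Keywords GnuPG emits on --status-fd (documented in GnuPG's doc/DETAILS)
  # that mean the signature or the signing key must be rejected.
  BAD = %w[BADSIG ERRSIG NO_PUBKEY EXPKEYSIG REVKEYSIG].freeze

  # Constructed sample status output, not captured from a real key.
  GOOD_STATUS = "[GNUPG:] NEWSIG\n" \
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Publisher <user@example.org>\n" \
    "[GNUPG:] VALIDSIG 89ABCDEF0123456789ABCDEF0123456789ABCDEF 2024-01-01 1704067200 0 4 0 1 10 00 89ABCDEF0123456789ABCDEF0123456789ABCDEF\n" \
    "[GNUPG:] TRUST_FULLY 0 pgp\n"
  BAD_STATUS = "[GNUPG:] NEWSIG\n" \
    "[GNUPG:] BADSIG 0123456789ABCDEF Example Publisher <user@example.org>\n"
  # Hypothetical pinned fingerprint of the publisher (spaces allowed).
  PINNED_FPR = '89ABCDEF 01234567 89ABCDEF 01234567 89ABCDEF'

  # Turn --status-fd text into { good:, fingerprint:, errors: }. A GOODSIG
  # made by a key other than the pinned one is treated as a failure.
  def parse_status(text, expected_fpr)
    result = { good: false, fingerprint: nil, errors: [] }
    text.each_line do |line|
      next unless line.start_with?('[GNUPG:] ')
      keyword, *fields = line.sub('[GNUPG:] ', '').split
      case keyword
      when 'GOODSIG'  then result[:good] = true
      when 'VALIDSIG' then result[:fingerprint] = fields.first
      when *BAD       then result[:errors] << keyword
      end
    end
    pinned = expected_fpr.delete(' ').upcase
    unless result[:fingerprint] && result[:fingerprint].upcase == pinned
      result[:errors] << 'FINGERPRINT_MISMATCH'
    end
    result[:good] &&= result[:errors].empty?
    result
  end

  # Verify a real artifact against its detached signature (needs gpg in PATH).
  # Status lines go to stdout via --status-fd 1; human-readable text to stderr.
  def verify(artifact, signature, expected_fpr)
    cmd = ['gpg', '--batch', '--status-fd', '1', '--verify', signature, artifact]
    out, _err, _status = Open3.capture3(*cmd)
    parse_status(out, expected_fpr)
  end
end
```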