  • Stars: 141
  • Rank: 250,453 (Top 6 %)
  • Language: Scala
  • License: Other
  • Created: over 12 years ago
  • Updated: 2 months ago

PGP plugin for sbt

sbt-pgp

sbt-pgp provides PGP signing for sbt.

Some OSS repositories (e.g. Sonatype) will require that you sign artifacts with publicly available keys prior to release. The primary purpose of sbt-pgp is to let you sign the artifacts using a GPG key.

Setup

Add the following to your project/plugins.sbt file:

addSbtPlugin("com.github.sbt" % "sbt-pgp" % "x.y.z")

Note: We changed the organization from "com.jsuereth" to "com.github.sbt".

Usage

There are two modes of use:

  • By default sbt-pgp 2.0.0+ will use the gpg command-line utility (GNU Privacy Guard, "GnuPG"). It provides great support and is available on many platforms. You'll need to make sure this is installed prior to usage as this dependency is not provided.
  • Prior to sbt-pgp 2.0.0, sbt-pgp used the Bouncy Castle library, an implementation of PGP that is included with the plugin. It is a Java-only solution that gives the plugin great flexibility in what it can do and how it performs it.

Install GnuPG (or GNU Privacy Guard, GPG)

First, please check that you have a recent version of GPG (GNU Privacy Guard, "GnuPG") on your system. If not, install it from http://www.gnupg.org/download/ or your favorite package manager. For macOS, we recommend using GPG Suite.

$ gpg --version
gpg (GnuPG/MacGPG2) 2.2.17
libgcrypt 1.8.4
Copyright (C) 2019 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /Users/xxxx/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

You should also have a program named gpg-agent running in the background.

$ ps aux | grep gpg
eed3si9n          5157   0.0  0.0  4317860    972   ??  Ss    7:17PM   0:00.02 gpg-agent --homedir /Users/eed3si9n/.gnupg --use-standard-socket --daemon
eed3si9n          2734   0.0  0.0  4300360    732   ??  S     6:56PM   0:00.02 /bin/bash /usr/local/MacGPG2/libexec/shutdown-gpg-agent
eed3si9n          5291   0.0  0.0  4277252    824 s002  S+    7:24PM   0:00.00 grep gpg

If you're using GPG Suite, navigate to Preferences > GPG Suite, and uncheck "Store in macOS Keychain" to prevent your passphrase from being stored on your laptop.

Working with PGP signatures

See Working with PGP Signatures for details.

A key pair allows you to sign artifacts with GPG, and users can subsequently validate that the artifacts have been signed by you. You can generate a key with:

$ gpg --gen-key

Select the default value when asked for the kind (RSA) and the size (2048 bit) of the key. The validity period of the key defaults to never expiring; however, it is commonly suggested to use a value of less than 2 years. Once the key has expired you can extend it, provided you own the key and therefore know the passphrase.

Once the key pair is generated, you can list it along with any other keys installed:

$ gpg --list-keys
/Users/xxx/.gnupg/pubring.gpg
----------------------------------
pub   dsa2048 2010-08-19 [SC] [expires: 2020-06-15]
      85E38F69046B44C1EC9FB07B76D78F0500D026C4
uid           [ultimate] GPGTools Team <[email protected]>
uid           [ultimate] GPGTools Project Team (Official OpenPGP Key) <[email protected]>
uid           [ultimate] GPGMail Project Team (Official OpenPGP Key) <[email protected]>
uid           [ultimate] [jpeg image of size 5871]
sub   elg2048 2010-08-19 [E] [expires: 2020-06-15]
sub   rsa4096 2014-04-08 [S] [expires: 2024-01-02]

pub   rsa2048 2012-02-14 [SCEA] [expires: 2028-02-09]
      2BE67AC00D699E04E840B7FE29967E804D85663F
uid           [ultimate] Eugene Yokota <[email protected]>
sub   rsa2048 2012-02-14 [SEA] [expires: 2028-02-09]

....

To list the private keys you can use:

$ gpg --list-secret-keys
/Users/xxx/.gnupg/pubring.gpg
----------------------------------
sec   rsa2048 2012-02-14 [SCEA] [expires: 2028-02-09]
      2BE67AC00D699E04E840B7FE29967E804D85663F
uid           [ultimate] Eugene Yokota <[email protected]>
ssb   rsa2048 2012-02-14 [SEA] [expires: 2028-02-09]

Since other people need your public key to verify your files, you have to distribute your public key to a key server:

$ gpg --keyserver keyserver.ubuntu.com --send-keys 2BE67AC00D699E04E840B7FE29967E804D85663F
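
A pre-release check for the points above (a key that can sign, is not revoked or expired, and has an expiry of less than 2 years), as an added example that is not part of sbt-pgp. It reads the machine-readable listing from gpg --list-keys --with-colons; the function name, the verdict strings and the sample records are constructed for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of sbt-pgp: pre-release check of the signing key.
# Input on stdin: output of `gpg --list-keys --with-colons`, where field 2 is
# the validity, field 7 the expiry (epoch seconds), field 12 the capabilities,
# and an fpr record carries the fingerprint of the preceding key in field 10.

# $1 = primary key fingerprint, $2 = current time (epoch seconds),
# $3 = maximum days the key may still be valid for.
# Prints one verdict: ok, not-found, revoked, expired, cannot-sign,
# no-expiry or expiry-too-far.
check_signing_key() {
  awk -F: -v want="$1" -v now="$2" -v maxdays="$3" '
    $1 == "pub" || $1 == "sec" {
      validity = $2; expires = $7; caps = $12; pending = 1; next
    }
    $1 == "sub" || $1 == "ssb" { pending = 0; next }   # skip subkey fingerprints
    $1 == "fpr" && pending {
      pending = 0
      if (toupper($10) != toupper(want)) next
      found = 1
      if (validity == "r")                        verdict = "revoked"
      else if (validity == "e")                   verdict = "expired"
      else if (caps !~ /S/)                       verdict = "cannot-sign"
      else if (expires == "")                     verdict = "no-expiry"
      else if (expires + 0 <= now + 0)            verdict = "expired"
      else if ((expires - now) / 86400 > maxdays) verdict = "expiry-too-far"
      else                                        verdict = "ok"
      exit
    }
    END { print (found ? verdict : "not-found") }'
}

# Constructed listing that mirrors the rsa2048 key shown above (expires 2028-02-09).
SAMPLE_KEYS='pub:u:2048:1:29967E804D85663F:1329177600:1833667200::u:::scaeSCEA:
fpr:::::::::2BE67AC00D699E04E840B7FE29967E804D85663F:
sub:u:2048:1:0123456789ABCDEF:1329177600:1833667200:::::sea:
fpr:::::::::00112233445566778899AABBCCDDEEFF00112233:'

# Real use: gpg --list-keys --with-colons | check_signing_key "$FPR" "$(date +%s)" 730
printf '%s\n' "$SAMPLE_KEYS" |
  check_signing_key 2BE67AC00D699E04E840B7FE29967E804D85663F 1800000000 730
```
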

Importing key pair

If you have previously created a key pair using sbt-pgp 1.x's pgp-cmd for example, your secret key should be at $HOME/.sbt/gpg/secring.asc. You can import this to GnuPG as follows:

$ gpg --import $HOME/.sbt/gpg/secring.asc
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77098E6A92692949: public key "foo <[email protected]>" imported
gpg: key 77098E6A92692949: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported:

$ gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2019-09-15 [SCEA]
      965F25CC72DF4F2A4358AC9B77098E6A92692949
uid           [ unknown] foo <[email protected]>

Next, see the Signing Key section below to set 965F25CC72DF4F2A4358AC9B77098E6A92692949 as the signing key.

Publishing from Travis CI

See sbt-ci-release.

Publishing Artifacts

To publish signed artifacts, use publishSigned or publishLocalSigned.

Skipping publishing

To skip the publish step for a subproject, set publish / skip to true.

publish / skip := true

PIN entry (passphrase entry)

If you've configured your gpg-agent with GPG Suite, it should ask for the passphrase when you run publishLocalSigned.

Note: It might take 30s or more for the dialog to show up.

Otherwise, add a pinentry-program line to ~/.gnupg/gpg-agent.conf with the appropriate path to a pinentry program:

pinentry-program /usr/bin/pinentry
default-cache-ttl 600
max-cache-ttl 7200

You might need to restart the gpg-agent for the setting to take effect.

Automating PIN entry (passphrase Entry)

sbt-pgp 1.x provided ways of storing the passphrase using pgpPassphrase or in the credentials, but we no longer recommend using these methods on your laptop.

In a CI environment like Travis CI, you might want to automate passphrase entry. For that purpose sbt-pgp supports the PGP_PASSPHRASE environment variable, following olafurpg/sbt-ci-release.

Configuration: Signing Key

By default, all signing operations will use gpg's default key. A specific key can be used by setting sbt Credentials for the host "gpg".

credentials += Credentials(
  "GnuPG Key ID",
  "gpg",
  "2BE67AC00D699E04E840B7FE29967E804D85663F", // key identifier
  "ignored" // this field is ignored; passwords are supplied by pinentry
)

Note: This follows the convention set by jodersky/sbt-gpg.

You can also use the usePgpKeyHex method.

usePgpKeyHex("2BE67AC00D699E04E840B7FE29967E804D85663F")

OpenPGP Support

If you are using a Yubikey 4 or another smartcard that supports OpenPGP, then you may have private keys implemented directly on the smartcard rather than using the gpg keyring. In this situation, you will use gpg-agent and a pinentry (pinentry-mac, pinentry-qt, pinentry-curses etc) rather than a passphrase. Set useGpgPinentry := true in your build.sbt settings to configure sbt-pgp appropriately.

Global / useGpgPinentry := true

Note that sbt-pgp only supports OpenPGP through the GPG command line tool -- it is not available through bouncycastle. In addition, you may need to explicitly enable support for OpenPGP on the Yubikey 4.

Configuration: gpg command-line

sbt-pgp needs to know where the gpg executable is in order to run it. It will look for either a gpg or gpg.exe executable on your PATH, depending on your platform. To configure a different location, place the following in your ~/.sbt/gpg.sbt file:

Global / gpgCommand := "/path/to/gpg"

By default sbt-pgp will use the default private keys from the standard gpg keyrings. You can configure the key ring you use with the pgpKeyRing setting.

Global / pgpKeyRing := Some(file("/home/me/pgp/pubring.gpg"))

If specified, this is passed to the gpg command as --no-default-keyring --keyring <value>.

Validating PGP Keys

The plugin can be used to validate the PGP signatures of the dependencies of the project you're using. To validate these signatures, simply use the checkPgpSignatures task:

> checkPgpSignatures
[info] Resolving org.scala-lang#scala-library;2.9.1 ...
...
[info] ----- PGP Signature Results -----
[info]                    com.novocode : junit-interface :        0.7 : jar   [MISSING]
[info]               javax.transaction :             jta :     1.0.1B : jar   [MISSING]
[info]          org.scala-lang.plugins :   continuations :      2.9.1 : jar   [MISSING]
[info]                org.apache.derby :           derby : 10.5.3.0_1 : jar   [UNTRUSTED(0x98e21827)]
[error] {file:/home/josh/projects/typesafe/test-signing/}test-gpg/*:check-pgp-signatures: Some artifacts have bad signatures or are signed by untrusted sources!
[error] Total time: 2 s, completed Jan 23, 2012 12:03:28 PM

In the above output, the signature for derby is from an untrusted key (id: 0x98e21827). You can import this key into your public key ring, and then the plugin will trust artifacts from that key. The plugin, by default, accepts any keys included in your public key ring file.
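
Because importing a key is what makes the plugin trust it, it helps to review each flagged signer before importing. The following added example (not part of sbt-pgp) parses the result table and compares UNTRUSTED key IDs against signers you expect; the function names and the "organization=keyid" pin format are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not part of sbt-pgp: triage the checkPgpSignatures result table.
# Assumption: pins are "organization=keyid" tokens confirmed out of band.

# Emit "STATUS<TAB>org:name:version<TAB>keyid" for each row of the table.
parse_pgp_results() {
  awk '
    /PGP Signature Results/ { in_table = 1; next }
    in_table && /^\[info\]/ {
      line = $0
      sub(/^\[info\][ \t]*/, "", line)
      if (split(line, f, ":") != 4) next        # org : name : version : type [STATUS]
      for (i = 1; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", f[i])
      if (split(f[4], t, /[ \t]+/) != 2) next   # "jar" and "[STATUS]"
      status = t[2]; gsub(/^\[|\]$/, "", status)
      keyid = "-"
      if (status ~ /\(/) {                      # e.g. UNTRUSTED(0x98e21827)
        keyid = status; sub(/^[^(]*\(/, "", keyid); sub(/\)$/, "", keyid)
        sub(/\(.*$/, "", status)
      }
      printf "%s\t%s:%s:%s\t%s\n", status, f[1], f[2], f[3], keyid
    }'
}

# Read parsed rows on stdin and print the ones that need a decision.
# $1 = whitespace-separated pins. Exit status is non-zero when a row is
# unsigned or signed by a key that is not pinned for its organization.
triage_signers() {
  awk -F '\t' -v pins="$1" '
    BEGIN { n = split(pins, p, " "); for (i = 1; i <= n; i++) ok[tolower(p[i])] = 1 }
    $1 == "MISSING" { print "unsigned\t" $2; bad++; next }
    $1 == "UNTRUSTED" {
      split($2, c, ":")
      k = tolower(c[1] "=" $3)
      # The table shows a short key ID: compare the full fingerprint before importing.
      if (k in ok) print "import-candidate\t" $2 "\t" $3
      else { print "unexpected-signer\t" $2 "\t" $3; bad++ }
    }
    END { exit (bad > 0) }'
}

# Constructed sample, shortened from the output shown above.
SAMPLE_LOG='[info] Resolving org.scala-lang#scala-library;2.9.1 ...
[info] ----- PGP Signature Results -----
[info]                    com.novocode : junit-interface :        0.7 : jar   [MISSING]
[info]                org.apache.derby :           derby : 10.5.3.0_1 : jar   [UNTRUSTED(0x98e21827)]
[error] Some artifacts have bad signatures or are signed by untrusted sources!'

printf '%s\n' "$SAMPLE_LOG" | parse_pgp_results |
  triage_signers "org.apache.derby=0x98e21827" || echo "review required"
```
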

Using Bouncy Castle (deprecated)

Prior to sbt-pgp 2.0.0, sbt-pgp used the Bouncy Castle library by default. If you can't use the gpg command, setting useGpg to false will use the Bouncy Castle mode:

Global / useGpg := false

Or by setting SBT_PGP_USE_GPG environment variable to 0.

When using Bouncy Castle mode, sbt-pgp will ask for your password once, and cache it for the duration of the sbt process. The prompt will look something like this:

Please enter PGP passphrase (or ENTER to abort): ******
