Sign plugin releases with PGP

Currently, the plugin is not signed, so dependency verification has to use checksums.

See:
* https://docs.gradle.org/current/userguide/dependency_verification.html

---

Note: if you release with GitHub Actions workflow, then you can generate PGP key and keep it in GitHub secrets.
See: https://github.com/vlsi/provision-release-pgp-key

The idea is that you add a workflow to trigger key provisioning like in https://github.com/pgjdbc/pgjdbc/blob/ee09a2f3bf2cb9031e2e325503281f2c1b2d4761/.github/workflows/pgp-key-maintenance.yaml
Then you manually trigger it and it generates and stores the key to GitHub variables. The same workflow can extends the key lifetime.



Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Sign plugin releases with PGP #341

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Sign plugin releases with PGP #341

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions