Skip to content

sigstore-gradle

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

sigstore-gradle

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
sigstore-gradle-sign-base-plugin
sigstore-gradle-sign-base-plugin
 
 
sigstore-gradle-sign-plugin
sigstore-gradle-sign-plugin
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

README.md

Gradle Plugin Portal

sigstore-gradle

A Gradle plugin for signing artifacts with Sigstore.

Signature format uses Sigstore bundle JSON as the output format.

Minimum Requirements

  • Java 11
  • Gradle 7.5

Minimal usage

plugins {
    id("dev.sigstore.sign") version "2.1.0"
}

// Automatically sign all Maven publications, using GitHub Actions OIDC when available,
// and browser based OIDC otherwise.

Outputs

For each file to be published an associated <filename>.sigstore.json signature file will be generated

GitHub Actions OIDC support

In order for the required environment variables to be available, the workflow requires the following permissions:

permissions:
  id-token: write
  contents: read

See GitHub documentation for details.

Full configuration

plugins {
    id("dev.sigstore.sign")
}

dependencies {
    // Override sigstore-java clients, this may lead to unexpected behavior
    sigstoreClient("dev.sigstore:sigstore-java:<alternate-version>")
}

How to

Sign Maven publications

plugins {
    id("dev.sigstore.sign")
}
// Default configuration signs Maven publications

Skip signing Maven publications

If you want to avoid automatic signing, consider using dev.sigstore.sign-base plugin:

plugins {
    id("dev.sigstore.sign-base")
}

// Configure SigstoreSignFilesTask tasks as you need

Sign a single file

plugins {
    id("dev.sigstore.sign-base")
}

dev.sigstore.sign.tasks.SigstoreSignFilesTask

val helloProps by tasks.registering(WriteProperties::class) {
    outputFile = file("build/helloProps.txt")
    property("helloProps", "world")
}

val signHelloProps by tasks.registering(SigstoreSignFilesTask::class) {
    // outputFile is File, so helloProps.map {..} is Provider<File>
    signFile(helloProps.map { it.outputFile })
    // Alternative APIs are
    // sign(File)
    // sign(Provider<RegularFile>)
}

val zip by tasks.registering(Zip::class) {
    from(signHelloProps.map { it.singleSignature() })
}

Technical details

Signature format

The signature uses Sigstore bundle JSON stored as .sigstore.json file.

The file includes all the information for offline signature verification.

dev.sigstore.sign plugin

Automatically signs all Maven publications in Sigstore.

dev.sigstore.sign-base plugin

Provides SigstoreSignFilesTask task for signing files in Sigstore. The plugin adds no tasks by default.

Properties:

  • dev.sigstore.sign.remove.sigstore.json.asc (since 0.6.0, default: true). Removes .sigstore.json.asc files from the publication. Sonatype OSSRH supports publishing .sigstore.json signatures, and it does not require .sigstore.json.asc files, so dev.sigstore.sign plugin removes them by default. If you need to sign all the files, set this property to false.

Extensions:

  • sigstoreSign: dev.sigstore.sign.SigstoreSignExtension

    An empty extension that may support configuration in the feature

Configurations:

  • sigstoreClient

    A configuration to declare the version for sigstore-java.

  • sigstoreClientClasspath

    A configuration that resolves sigstore-java dependencies.

Tasks:

  • dev.sigstore.sign.SigstoreSignFilesTask

    Signs entries via Sigstore.