sigstore-maven-plugin

A Maven plugin for signing artifacts with Sigstore

Signatures are written as Sigstore bundle JSON files.

Minimum Requirements

  • Java 11
  • (optional) maven-gpg-plugin 3.2.5

Minimal usage

      <plugin>
        <groupId>dev.sigstore</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
        <version>1.3.0</version>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>

Outputs

For each file to be published, an associated <filename>.sigstore.json signature file (a Sigstore bundle) is generated.

GitHub Actions OIDC support

In order for the required environment variables to be available, the workflow requires the following permissions:

permissions:
  id-token: write
  contents: read

See GitHub documentation for details.

Notes:

  • GPG: Maven Central publication rules require GPG signing. To avoid GPG signing of .sigstore.json signature files, use version 3.2.5 or higher of maven-gpg-plugin.
  • .md5/.sha1: to avoid unneeded checksum files for .sigstore.json files, use Maven 3.9.2 or higher, or create a .mvn/maven.config file containing -Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.json.
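A post-build check for the Outputs and Notes sections above, written as an added example that is not part of the plugin or its repository: it walks a build output directory, confirms that every publishable artifact has a sibling <filename>.sigstore.json bundle whose embedded SHA-256 digest matches the file on disk, and reports stray .md5/.sha1 checksum files generated for the bundles themselves. The directory layout, file names and bundle contents below are constructed for the demo; the bundle skeleton follows the Sigstore bundle JSON shape (mediaType, messageSignature.messageDigest) with a placeholder signature and no verificationMaterial, so this is a consistency check only and does not verify the signature, certificate or transparency log entry.

```python
"""Consistency check for sigstore-maven-plugin output (added example, not project code)."""
from __future__ import annotations

import base64
import hashlib
import json
import tempfile
from pathlib import Path

BUNDLE_SUFFIX = ".sigstore.json"
BUNDLE_MEDIA_TYPE_PREFIX = "application/vnd.dev.sigstore.bundle"
# Artifact types we expect the plugin to have signed (assumption for the demo).
ARTIFACT_SUFFIXES = (".jar", ".pom", ".war", ".zip")


def sha256_file(path: Path) -> bytes:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.digest()


def bundle_digest(bundle: dict) -> bytes | None:
    """Return the SHA-256 digest recorded in the bundle's messageSignature, or None."""
    md = (bundle.get("messageSignature") or {}).get("messageDigest") or {}
    if md.get("algorithm") != "SHA2_256" or "digest" not in md:
        return None
    return base64.b64decode(md["digest"])


def check_directory(out_dir: Path) -> dict[str, list[str]]:
    """Classify each artifact as ok / missing (no bundle) / mismatch (bad bundle or digest)."""
    report: dict[str, list[str]] = {"ok": [], "missing": [], "mismatch": [], "stray_checksums": []}
    for artifact in sorted(out_dir.iterdir()):
        if artifact.name.endswith(BUNDLE_SUFFIX) or artifact.suffix not in ARTIFACT_SUFFIXES:
            continue
        bundle_path = artifact.with_name(artifact.name + BUNDLE_SUFFIX)
        if not bundle_path.is_file():
            report["missing"].append(artifact.name)
            continue
        try:
            bundle = json.loads(bundle_path.read_text(encoding="utf-8"))
        except (ValueError, OSError):
            report["mismatch"].append(artifact.name)
            continue
        media_ok = str(bundle.get("mediaType", "")).startswith(BUNDLE_MEDIA_TYPE_PREFIX)
        if media_ok and bundle_digest(bundle) == sha256_file(artifact):
            report["ok"].append(artifact.name)
        else:
            report["mismatch"].append(artifact.name)
    # Checksum files for the bundles themselves are noise on Maven Central (see Notes).
    for pattern in ("*" + BUNDLE_SUFFIX + ".md5", "*" + BUNDLE_SUFFIX + ".sha1"):
        report["stray_checksums"].extend(p.name for p in sorted(out_dir.glob(pattern)))
    return report


def make_bundle(artifact: Path) -> dict:
    """Constructed minimal bundle; a real one also carries a certificate and Rekor entry."""
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
        "verificationMaterial": {},
        "messageSignature": {
            "messageDigest": {"algorithm": "SHA2_256",
                              "digest": base64.b64encode(sha256_file(artifact)).decode()},
            "signature": base64.b64encode(b"placeholder-signature").decode(),
        },
    }


def build_demo_dir(root: Path) -> Path:
    """Constructed target/ layout: one good jar, one jar modified after signing,
    one unsigned pom, and one stray checksum file for a bundle."""
    root.mkdir(parents=True, exist_ok=True)
    good = root / "demo-1.0.jar"
    good.write_bytes(b"constructed jar contents")
    (root / "demo-1.0.jar.sigstore.json").write_text(json.dumps(make_bundle(good)))
    stale = root / "demo-1.0-sources.jar"
    stale.write_bytes(b"contents written after the bundle was produced")
    bundle = make_bundle(stale)
    bundle["messageSignature"]["messageDigest"]["digest"] = base64.b64encode(
        hashlib.sha256(b"original contents").digest()).decode()
    (root / "demo-1.0-sources.jar.sigstore.json").write_text(json.dumps(bundle))
    (root / "demo-1.0.pom").write_bytes(b"<project/>")
    (root / "demo-1.0.jar.sigstore.json.md5").write_text("constructed-stray-checksum")
    return root


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        return check_directory(build_demo_dir(Path(tmp) / "target"))


if __name__ == "__main__":
    for key, names in run_demo().items():
        print(f"{key}: {names}")
```

Run it against a real build with check_directory(Path("target")) after mvn verify; a non-empty "missing" list usually means the sign goal did not run for that artifact type, and "mismatch" means the file was rewritten after signing. Cryptographic verification of the bundles is a separate step with a Sigstore verifier.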

Known limitations:

  • Maven multi-module build: each module requires its own OIDC authentication.
  • 10 minute signing session: if a build takes more than 10 minutes, a new OIDC authentication is required every 10 minutes.