sigstore-maven-plugin

This is a Maven plugin for signing build artifacts with the “keyless” signing paradigm supported by Sigstore. The plugin is still in an early phase and has the known limitations described below.

sign

      <plugin>
        <groupId>io.github.hboutemy</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
        <version>1.0.0-beta-3</version>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>

Notes:

  • GPG: Maven Central publication rules require a GPG signature for every published file; to avoid GPG-signing the .sigstore files themselves, use maven-gpg-plugin 3.1.0 or later.
  • .md5/.sha1: to avoid generating unneeded checksum files for the .sigstore files, use Maven 3.9.2 or later, or create a .mvn/maven.config file containing -Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore
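Before deploying, it is worth checking that every artifact in target/ actually got a bundle, that each bundle matches the bytes on disk (a stale .sigstore left over from an earlier build will not verify), and that no .md5/.sha1 sidecars were generated for the .asc/.sigstore files. The script below is an added example, not code from the plugin or from Sigstore. It assumes, since the page does not say so, that the sign goal writes one <artifact>.sigstore file next to each artifact and that this file is a Sigstore JSON bundle whose messageSignature.messageDigest.digest field is the base64-encoded SHA-256 of the artifact; the sample target/ directory and bundles it builds are constructed test data.

```python
"""Post-build check for artifacts signed by the sign goal.

Added example, not plugin code. Assumptions (not stated on the page): the sign
goal writes one <artifact>.sigstore bundle next to each artifact in target/,
and that bundle is Sigstore's JSON bundle format, whose
messageSignature.messageDigest.digest field holds the base64-encoded SHA-256
of the artifact bytes.
"""
import base64
import hashlib
import json
import tempfile
from pathlib import Path

# Artifact types a release normally attaches; extend for .zip, .war, ... as needed.
SIGNABLE_SUFFIXES = (".jar", ".pom")
# Checksum sidecars Maven generates on deploy; unwanted next to .asc/.sigstore files.
CHECKSUM_SUFFIXES = (".md5", ".sha1", ".sha256", ".sha512")


def bundle_digest(bundle_text: str) -> bytes:
    """Return the raw SHA-256 the bundle claims to be a signature over."""
    bundle = json.loads(bundle_text)
    md = bundle["messageSignature"]["messageDigest"]
    if md.get("algorithm") != "SHA2_256":
        raise ValueError(f"unexpected digest algorithm {md.get('algorithm')!r}")
    return base64.b64decode(md["digest"])


def check_target_dir(target: Path) -> dict:
    """Report artifacts without a bundle, bundles whose digest does not match the
    artifact on disk (stale bundle from an earlier build), and stray checksum
    files generated for .asc/.sigstore sidecars."""
    report = {"unsigned": [], "mismatched": [], "stray_checksums": []}
    for path in sorted(target.iterdir()):
        if path.suffix in SIGNABLE_SUFFIXES:
            bundle = path.with_name(path.name + ".sigstore")
            if not bundle.exists():
                report["unsigned"].append(path.name)
            elif bundle_digest(bundle.read_text()) != hashlib.sha256(path.read_bytes()).digest():
                report["mismatched"].append(path.name)
        elif path.suffix in CHECKSUM_SUFFIXES and path.stem.endswith((".asc", ".sigstore")):
            report["stray_checksums"].append(path.name)
    return report


def make_bundle(artifact: bytes) -> str:
    """Constructed minimal bundle carrying the artifact digest (test data only).
    Signature and verification material are placeholders, so this check proves
    nothing about who signed; that is the job of Sigstore's own verifier."""
    return json.dumps({
        "mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.1",
        "verificationMaterial": {},
        "messageSignature": {
            "messageDigest": {
                "algorithm": "SHA2_256",
                "digest": base64.b64encode(hashlib.sha256(artifact).digest()).decode(),
            },
            "signature": base64.b64encode(b"placeholder").decode(),
        },
    })


def demo() -> dict:
    """Run the check over a constructed target/ directory."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d)
        jar = b"PK\x03\x04 constructed jar bytes"
        (target / "demo-1.0.jar").write_bytes(jar)
        (target / "demo-1.0.jar.sigstore").write_text(make_bundle(jar))
        (target / "demo-1.0.jar.sigstore.md5").write_text("d41d8cd9")  # unwanted sidecar
        (target / "demo-1.0.pom").write_bytes(b"<project/>")  # never signed
        (target / "demo-1.0-sources.jar").write_bytes(b"rebuilt sources jar")
        (target / "demo-1.0-sources.jar.sigstore").write_text(make_bundle(b"old sources jar"))  # stale
        return check_target_dir(target)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest comparison only tells you the bundle belongs to the file you are about to upload; the signature, the Fulcio certificate and the Rekor entry inside the bundle still have to be verified with Sigstore tooling against the identity and OIDC issuer you expect.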

Known limitations:

  • Maven multi-module build: each module requires its own OIDC authentication;
  • 10-minute signing session: the Fulcio signing certificate is short-lived, so if a build takes longer than 10 minutes a new OIDC authentication is required every 10 minutes.

jarsign

You can sign a JAR file with Sigstore and jarsigner.

Full documentation of the jarsign goal is available here; to get started quickly, add the following configuration to your Maven pom.xml file:

      <plugin>
        <groupId>dev.sigstore</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
        <version>1.0-SNAPSHOT</version>
        <executions>
          <execution>
            <id>sigstore-jarsign</id>
            <goals>
              <goal>jarsign</goal>
            </goals>
            <!-- optional configuration parameters; sensible defaults are chosen.
                 Do not copy sslVerification=false into a real build: it disables
                 TLS certificate checks on the connections to the Sigstore services,
                 so an attacker on the network could answer in their place.
            <configuration>
              <emailAddress>YOUR-EMAIL-ADDRESS-HERE</emailAddress>
              <outputSigningCert>signingCert.pem</outputSigningCert>
              <sslVerification>false</sslVerification>
            </configuration>
            -->
          </execution>
        </executions>
      </plugin>
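A jarsigner-style signature lives inside the JAR: each signer contributes a META-INF/<NAME>.SF signature file plus a META-INF/<NAME>.RSA, .DSA or .EC signature block. The script below is an added example, not code from the plugin; it only checks that structure, which is useful as a quick post-build gate or when a later repackaging step may have dropped entries. The signer name SIGSTORE in the constructed test JARs is an assumption (the real name depends on the plugin), and `jarsigner -verify` remains the authoritative check of the signature itself.

```python
"""Check that a JAR produced by the jarsign goal actually carries a signature.

Added example, not plugin code. It relies only on the standard JAR signing
layout: each signer contributes META-INF/<NAME>.SF plus a signature block
META-INF/<NAME>.RSA, .DSA or .EC. The signer name SIGSTORE in the test data
below is constructed; the real name depends on the plugin.
"""
import io
import zipfile

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")
META_INF = "META-INF/"


def jar_signers(jar_bytes: bytes) -> dict:
    """Map each signer name to its signature-block entry, or None when the .SF
    file has no matching block (a signature a verifier will reject)."""
    signers = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
    for name in names:
        rest = name[len(META_INF):]
        if not name.startswith(META_INF) or "/" in rest or not rest.endswith(".SF"):
            continue  # only top-level META-INF/*.SF entries are signature files
        base = rest[:-3]
        block = next((f"{META_INF}{base}{s}" for s in SIGNATURE_BLOCK_SUFFIXES
                      if f"{META_INF}{base}{s}" in names), None)
        signers[base] = block
    return signers


def is_signed(jar_bytes: bytes) -> bool:
    """True when at least one signer is present and every signer has its block."""
    signers = jar_signers(jar_bytes)
    return bool(signers) and all(block is not None for block in signers.values())


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory JAR from {path: bytes} (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, data in entries.items():
            zf.writestr(path, data)
    return buf.getvalue()


CLASSES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
           "com/example/App.class": b"\xca\xfe\xba\xbe"}
UNSIGNED_JAR = build_jar(CLASSES)
SIGNED_JAR = build_jar({**CLASSES,
                        "META-INF/SIGSTORE.SF": b"Signature-Version: 1.0\n",
                        "META-INF/SIGSTORE.EC": b"\x30\x82 placeholder PKCS#7 block"})
# .SF without its block: e.g. a repackaging step that dropped the binary entry
BROKEN_JAR = build_jar({**CLASSES, "META-INF/SIGSTORE.SF": b"Signature-Version: 1.0\n"})

if __name__ == "__main__":
    for label, jar in (("unsigned", UNSIGNED_JAR), ("signed", SIGNED_JAR), ("broken", BROKEN_JAR)):
        print(label, is_signed(jar), jar_signers(jar))
```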