Posted to commits@solr.apache.org by ho...@apache.org on 2021/04/21 18:06:03 UTC

[solr] branch main updated: SOLR-15361: Add gpg signing of the tgz & zip distribution files

This is an automated email from the ASF dual-hosted git repository.

hossman pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr.git


The following commit(s) were added to refs/heads/main by this push:
     new 3672c33  SOLR-15361: Add gpg signing of the tgz & zip distribution files
3672c33 is described below

commit 3672c330e63ab250635a07f98b71f4620b9fd68c
Author: Chris Hostetter <ho...@apache.org>
AuthorDate: Wed Apr 21 11:05:27 2021 -0700

    SOLR-15361: Add gpg signing of the tgz & zip distribution files
---
 help/gpgSigning.txt         | 33 +++++++++++++++++++++++++++++++++
 solr/packaging/build.gradle | 12 ++++++++++++
 2 files changed, 45 insertions(+)

diff --git a/help/gpgSigning.txt b/help/gpgSigning.txt
new file mode 100644
index 0000000..9733aec
--- /dev/null
+++ b/help/gpgSigning.txt
@@ -0,0 +1,33 @@
+GPG Signing
+===========
+
+GPG Signing of distribution files (typically by a release manager) is done with the 'signDist' command.
+
+The only required configuration property gradle needs is the 'signing.gnupg.keyName' (aka: the fingerprint) of
+the key you wish to use:
+
+./gradlew signDist -Psigning.gnupg.keyName=4DDFABAF68C0F906B76CD9A09C784577F8F58E19
+
+By default when you run this command, gradle will delegate to the `gpg2` command for managine the signing of each file,
+which (should) in turn use the `gpg-agent` (if configured on your system) to prompt you for your secret key only as
+needed based on your gpg-agent prefrences.
+
+You may wish to put the `signing.gnupg.keyName` in your `~/.gradle/gradle.properties` so it is set automatically any time you use gradle
+
+Additional Configuration
+------------------------
+
+The following additional properties may be useful/neccessary in your system:
+
+signing.gnupg.useLegacyGpg=true                    # Controls wgether GnuPG v1 (`gpg`) or v2 (`gpg2`) is used
+signing.gnupg.executable=gpg.exe                   # Allows explicit control over what command executable used
+signing.gnupg.homeDir=/tmp/gnupg-home              # overrides GnuPG's default home directory
+signing.gnupg.optionsFile=/tmp/gnupg-home/my.conf  # overrides GnuPG's default configuration file
+
+
+Note About Error Messages
+-------------------------
+
+If you see an error message that says: `No value has been specified for property 'signatory.keyId'.` please read below...
+
+Do not bother attempting to set a command line (or gradle.properties) property named `signatory.keyId`.  This is evidently the name of an internal property that the gradle `SigningPlugin` expects the `GnupgSignatory` plugin we use to provide -- which it does as long as you have specified a valid value for `signing.gnupg.keyName`
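Review bot: The paragraph beginning "By default when you run this command" says gpg-agent will prompt "for your secret key"; what the agent prompts for is the key's passphrase, and the text should say so, so that no reader thinks key material has to be typed or pasted. The same file needs a spelling pass before merge: "managine", "prefrences", "neccessary", "wgether", and the sentence about `~/.gradle/gradle.properties` has no closing period. The comment on `signing.gnupg.useLegacyGpg=true` reads as if the property picks between the two versions in general; say that `true` selects GnuPG v1 (`gpg`) and that `gpg2` is the default described above. The file would also be more useful to a release manager if it said where the signature files are written and how to check one with `gpg --verify`.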
diff --git a/solr/packaging/build.gradle b/solr/packaging/build.gradle
index 1a15ce4..4e7d17d 100644
--- a/solr/packaging/build.gradle
+++ b/solr/packaging/build.gradle
@@ -21,6 +21,7 @@
 plugins {
   id 'base'
   id 'distribution'
+  id 'signing'
 }
 
 description = 'Solr distribution packaging'
@@ -42,6 +43,11 @@ configurations {
   docker
 }
 
+signing {
+  useGpgCmd() // so gpg-agent can be used
+  sign distTar, distZip
+}
+
 dependencies {
   distSolrj project(":solr:solrj")
 
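Review bot: The `signing` block does not check that `signing.gnupg.keyName` is set, and help/gpgSigning.txt in this same commit concedes that the resulting failure is the misleading `No value has been specified for property 'signatory.keyId'.` message. Consider failing early, when the signing tasks are about to run, with an error that names `signing.gnupg.keyName`, rather than documenting the confusing one.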
@@ -155,3 +161,9 @@ task dev(type: Copy) {
 }
 
 assemble.dependsOn installDist
+
+task signDist {
+  group = 'Distribution'
+  description = 'GPG Signs the main distributions'
+  dependsOn signDistTar, signDistZip
+}
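Review bot: The `description` on `signDist` does not say that `-Psigning.gnupg.keyName` is required, and nothing in this two-file commit points to help/gpgSigning.txt, so a release manager who finds the task through `gradlew tasks` has no route to the instructions. Suggest extending the description, for example 'GPG signs the main distributions (see help/gpgSigning.txt)'.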