| title | Pushing Sigstore Attestations to Maven Central on Release |
|---|
You need a project, a GitHub repository, and releases done with GitHub Actions. You also need a Sigstore plugin that supports your build system. Here we show how to do it with Maven and sigstore-maven-plugin.
- Add the plugin to your pom.xml. If you use a different build system, you can find the appropriate plugin here: https://docs.sigstore.dev/language_clients/language_client_overview/.

  ```xml
  <properties>
    <sigstore.skip>true</sigstore.skip>
  </properties>

  <build>
    <plugins>
      <plugin>
        <groupId>dev.sigstore</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
        <version>1.3.0</version>
        <configuration>
          <skip>${sigstore.skip}</skip>
        </configuration>
        <executions>
          <execution>
            <id>sign</id>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  ```

  This creates a `<filename>.sigstore.json` next to each artifact during the `sign` execution. The file is a Sigstore bundle: it holds the signature together with the short-lived Fulcio signing certificate and the Rekor transparency log entry that a consumer needs to verify it. The optional `sigstore.skip` property makes not signing the default (easier local development, and no keyless identity is needed for a local build); signing is then enabled for deployment builds with the Maven argument `-Dsigstore.skip=false`.

- (GitHub) Add the `id-token` permission to the release job in GitHub Actions:

  ```yaml
  jobs:
    build:
      name: Build and release
      permissions:
        id-token: write
      [...]
  ```

  This lets the job request an OIDC token from GitHub, which the plugin exchanges for its signing certificate; without it keyless signing fails. Note that once a job declares `permissions`, every permission not listed is reduced to none, so keep any others the job relies on (for example `contents: read` for checkout). For further details, see the documentation for sigstore-maven-plugin.

- (Maven Central) JReleaser automatically uploads the `<filename>.sigstore.json` files to Maven Central alongside the artifacts they cover.

- Make a release :) The final result looks like this on Maven Central: https://repo1.maven.org/maven2/io/github/chains-project/maven-lockfile/5.8.2/.
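Once the bundles are on Maven Central, the consumer side matters: a `.sigstore.json` is only useful if someone checks it against the artifact they downloaded. The script below is an added example for this page, not code from sigstore-maven-plugin, JReleaser or the maven-lockfile project. It uses only the standard library to parse a bundle in the sigstore protobuf-specs JSON layout (`mediaType`, `verificationMaterial`, `messageSignature.messageDigest`), confirm it carries a certificate and a Rekor entry, and confirm the SHA-256 digest it names is the digest of the artifact bytes you actually have. It assumes the plugin's `sign` goal produces a `messageSignature` bundle over the artifact bytes, and the sample artifact and bundle at the bottom are constructed, with placeholder certificate, signature and log entry fields. It is a pre-check: the signature, the Fulcio chain and the Rekor inclusion proof still need cosign, sigstore-java or sigstore-python.

```python
"""Sanity-check a Sigstore bundle (<artifact>.sigstore.json) against the
artifact it is supposed to cover. Added example, not project code: structure
and digest checks only, no cryptographic verification."""
import base64
import hashlib
import json
import sys

# Media types defined by the sigstore protobuf-specs bundle format.
KNOWN_MEDIA_TYPES = {
    "application/vnd.dev.sigstore.bundle+json;version=0.1",
    "application/vnd.dev.sigstore.bundle+json;version=0.2",
    "application/vnd.dev.sigstore.bundle+json;version=0.3",
    "application/vnd.dev.sigstore.bundle.v0.3+json",
}


class BundleCheckError(ValueError):
    """Raised when the bundle is malformed or does not match the artifact."""


def check_bundle(bundle_json: str, artifact: bytes) -> dict:
    """Parse the bundle, require a certificate, a Rekor entry and a SHA-256
    messageDigest equal to sha256(artifact). Returns a short summary."""
    bundle = json.loads(bundle_json)

    media_type = bundle.get("mediaType")
    if media_type not in KNOWN_MEDIA_TYPES:
        raise BundleCheckError(f"unexpected mediaType {media_type!r}")

    material = bundle.get("verificationMaterial") or {}
    # v0.3 bundles carry a single leaf certificate; older ones carry a chain.
    leaf = (material.get("certificate") or {}).get("rawBytes")
    chain = (material.get("x509CertificateChain") or {}).get("certificates") or []
    if not leaf and not chain:
        raise BundleCheckError("no signing certificate in verificationMaterial")

    tlog_entries = material.get("tlogEntries") or []
    if not tlog_entries:
        raise BundleCheckError("no Rekor transparency log entry in bundle")

    # Assumption: the maven plugin signs the artifact bytes directly, so the
    # bundle has a messageSignature. A dsseEnvelope bundle (in-toto statement)
    # would need a different check and is rejected rather than silently passed.
    signature = bundle.get("messageSignature")
    if signature is None:
        raise BundleCheckError("not a messageSignature bundle (dsseEnvelope?)")
    if not signature.get("signature"):
        raise BundleCheckError("messageSignature has no signature bytes")

    digest = signature.get("messageDigest") or {}
    if digest.get("algorithm") != "SHA2_256":
        raise BundleCheckError(f"unsupported digest algorithm {digest.get('algorithm')!r}")
    claimed = base64.b64decode(digest.get("digest", ""))
    actual = hashlib.sha256(artifact).digest()
    if claimed != actual:
        raise BundleCheckError(
            f"digest mismatch: bundle says {claimed.hex()}, artifact is {actual.hex()}"
        )

    return {
        "mediaType": media_type,
        "sha256": actual.hex(),
        "tlogEntries": len(tlog_entries),
        "logIndex": tlog_entries[0].get("logIndex"),
    }


def bundle_matches(bundle_json: str, artifact: bytes) -> bool:
    """Boolean wrapper: True only if check_bundle accepts the pair."""
    try:
        check_bundle(bundle_json, artifact)
        return True
    except (ValueError, KeyError, TypeError):  # BundleCheckError is a ValueError
        return False


# Constructed sample data, not a real jar or bundle: the digest is the real
# SHA-256 of SAMPLE_ARTIFACT so the check passes; cert/signature/log fields
# are placeholders that only a cryptographic verifier would reject.
SAMPLE_ARTIFACT = b"PK\x03\x04 constructed stand-in for a released jar\n"
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {
        "certificate": {"rawBytes": base64.b64encode(b"placeholder-cert").decode()},
        "tlogEntries": [{"logIndex": "123456789", "logId": {"keyId": "placeholder"}}],
    },
    "messageSignature": {
        "messageDigest": {
            "algorithm": "SHA2_256",
            "digest": base64.b64encode(hashlib.sha256(SAMPLE_ARTIFACT).digest()).decode(),
        },
        "signature": base64.b64encode(b"placeholder-signature").decode(),
    },
})


def main(argv: list) -> int:
    """Usage: check_bundle.py <artifact>.sigstore.json <artifact>; with no
    arguments the constructed sample pair is checked instead."""
    if len(argv) == 3:
        with open(argv[1]) as f, open(argv[2], "rb") as g:
            bundle_json, artifact = f.read(), g.read()
    else:
        bundle_json, artifact = SAMPLE_BUNDLE, SAMPLE_ARTIFACT
    try:
        print(check_bundle(bundle_json, artifact))
    except BundleCheckError as e:
        print(f"FAIL: {e}")
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Against a real download, run it on the artifact and bundle taken from the same Maven Central directory (file names assumed here), for example `python check_bundle.py maven-lockfile-5.8.2.jar.sigstore.json maven-lockfile-5.8.2.jar`. A passing pre-check says the bundle is for these bytes; whether the signature is genuine and was produced by your release workflow is the job of the real verifier, where you should pin the expected identity rather than accept any Fulcio certificate, e.g. cosign's `--certificate-identity` (the release workflow) and `--certificate-oidc-issuer https://token.actions.githubusercontent.com`.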