diff --git a/SIGNING.md b/SIGNING.md
new file mode 100644
index 0000000000..bd816bcbd0
--- /dev/null
+++ b/SIGNING.md
@@ -0,0 +1,34 @@
+Release artifacts are signed. This is handled by the GitHub workflow.
+
+To test the creation of signed artifacts on the local machine, follow steps below:
+
+* Change property `VERSION_NAME` in `gradle.properties` so that it does not end with `-SNAPSHOT`. Whenever the version ends with `-SNAPSHOT`, the artifacts are never signed. Make sure that this change is not committed.
+* Use [GPG](https://infra.apache.org/openpgp.html#key-gen-generate-key) to generate a key. Maven requires a RSA key of at least 4096 bits. Most likely it does not matter for local publication whether this is used. Execute command:
+ ```
+ gpg --full-gen-key
+ ```
+ * Please select what kind of key you want: 1) RSA - RSA
+ * What keysize do you want? 4096
+ * Key is valid for? 0 (does not expire)
+ * Real-name: ktlint-test
+ * Email address: ktlint-test@nowhere.com
+ * Comment: Test signing of ktlint artifacts on local machine only
+ * Passphrase: i-will-try-no-to-forget-this-passphrase
+ * The output ends with something like
+ ```text
+ pub rsa4096 2023-10-08 [SC]
+ 5B0ABB03277D2FEB46FE7E8E22D6006063A5D3C3
+ uid ktlint-test (Test signing of ktlint artifacts on local machine only)
+ sub rsa4096 2023-10-08 [E]
+ ```
+* Execute all commands below in the same terminal
+ ```shell
+ export ORG_GRADLE_PROJECT_signingKeyId="63A5D3C3" # Last 8 characters of full id of the public key generated by gpg command above
+ export ORG_GRADLE_PROJECT_signingKeyPassword="i-will-try-no-to-forget-this-passphrase"
+ # Command below will export the armored GPG signing key and store it in an environment variable. Note that this command will ask for the password (see ORG_GRADLE_PROJECT_signingKeyPassword).
+ export ORG_GRADLE_PROJECT_signingKey="$(gpg --export-secret-keys --armor $GPG_FULL_KEY_ID | tail -r | tail -n +3 | tail -r | tail -n +3 | tr -d '\n')"
+ ```
+* Execute the Gradle publication (this can not be combined with the export statements above because of the manual input of the passphrase)
+ ```
+ ./gradlew publishToMavenLocal
+ ```
diff --git a/ktlint-cli-reporter-baseline/build.gradle.kts b/ktlint-cli-reporter-baseline/build.gradle.kts
index 9323b9374e..20d01f531a 100644
--- a/ktlint-cli-reporter-baseline/build.gradle.kts
+++ b/ktlint-cli-reporter-baseline/build.gradle.kts
@@ -9,3 +9,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-baseline") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-baseline"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-baseline")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-baseline"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-checkstyle/build.gradle.kts b/ktlint-cli-reporter-checkstyle/build.gradle.kts
index 589761a8c4..8e03f53371 100644
--- a/ktlint-cli-reporter-checkstyle/build.gradle.kts
+++ b/ktlint-cli-reporter-checkstyle/build.gradle.kts
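Review bot: In the `signing` block of ktlint-cli-reporter-baseline/build.gradle.kts, `isRequired` is computed from `version`, which inside this block appears to resolve to the project version, while the relocation publication it signs is pinned to `version = "0.51.0-FINAL"`. On a `-SNAPSHOT` build without key material in the environment, signing is therefore optional and a release-versioned relocation POM could be produced unsigned; whether its publish task runs in that situation is not visible from the hunk. If that exemption is intended, say so next to the assignment, for example `// Follows the project version; the relocation POM itself is always 0.51.0-FINAL`. The same lines are repeated in the hunks for the other nine build scripts in this diff.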
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-checkstyle") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-checkstyle"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-checkstyle")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-checkstyle"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-core/build.gradle.kts b/ktlint-cli-reporter-core/build.gradle.kts
index b3bf67cc5b..8cd579de8d 100644
--- a/ktlint-cli-reporter-core/build.gradle.kts
+++ b/ktlint-cli-reporter-core/build.gradle.kts
@@ -1,3 +1,45 @@ plugins { id("ktlint-publication-library") }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-core") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-cli-reporter"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-core")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-core"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-format/build.gradle.kts b/ktlint-cli-reporter-format/build.gradle.kts
index 589761a8c4..fcbfb38074 100644
--- a/ktlint-cli-reporter-format/build.gradle.kts
+++ b/ktlint-cli-reporter-format/build.gradle.kts
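Review bot: The `signing` block added to ktlint-cli-reporter-core/build.gradle.kts is copied verbatim into the other nine build scripts in this diff, although the context lines show this module already applies the `ktlint-publication-library` convention plugin. Loading `ORG_GRADLE_PROJECT_signingKey` and its passphrase in ten separate places means any later change to how key material is handled, such as switching to `useGpgCmd()`, must be repeated ten times and can drift between modules. Whether the convention plugin already configures signing is not visible here; if it does, letting it cover all publications with `sign(publishing.publications)` would leave each module declaring only its relocation publication.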
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-format") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-format"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-format")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-format"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-html/build.gradle.kts b/ktlint-cli-reporter-html/build.gradle.kts
index 589761a8c4..101f2b4817 100644
--- a/ktlint-cli-reporter-html/build.gradle.kts
+++ b/ktlint-cli-reporter-html/build.gradle.kts
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-html") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-html"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-html")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-html"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-json/build.gradle.kts b/ktlint-cli-reporter-json/build.gradle.kts
index 589761a8c4..baaf09be5a 100644
--- a/ktlint-cli-reporter-json/build.gradle.kts
+++ b/ktlint-cli-reporter-json/build.gradle.kts
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-json") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-json"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-json")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-json"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-plain-summary/build.gradle.kts b/ktlint-cli-reporter-plain-summary/build.gradle.kts
index 589761a8c4..f030b768d7 100644
--- a/ktlint-cli-reporter-plain-summary/build.gradle.kts
+++ b/ktlint-cli-reporter-plain-summary/build.gradle.kts
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-plain-summary") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-plain-summary"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-plain-summary")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-plain-summary"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-plain/build.gradle.kts b/ktlint-cli-reporter-plain/build.gradle.kts
index 589761a8c4..a12c465bdb 100644
--- a/ktlint-cli-reporter-plain/build.gradle.kts
+++ b/ktlint-cli-reporter-plain/build.gradle.kts
@@ -7,3 +7,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-plain") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-plain"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-plain")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-plain"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli-reporter-sarif/build.gradle.kts b/ktlint-cli-reporter-sarif/build.gradle.kts
index d50bd55db9..d72c9c1b2c 100644
--- a/ktlint-cli-reporter-sarif/build.gradle.kts
+++ b/ktlint-cli-reporter-sarif/build.gradle.kts
@@ -8,3 +8,45 @@ dependencies { testImplementation(projects.ktlintTest) }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli-reporter-sarif") {
+ pom {
+ // Old artifact coordinates
+ groupId = "com.pinterest.ktlint"
+ artifactId = "ktlint-reporter-sarif"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ artifactId.set("ktlint-cli-reporter-sarif")
+ version.set("1.0.0")
+ message.set("artifactId has been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli-reporter-sarif"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
diff --git a/ktlint-cli/build.gradle.kts b/ktlint-cli/build.gradle.kts
index 5d39720780..1187702cd8 100644
--- a/ktlint-cli/build.gradle.kts
+++ b/ktlint-cli/build.gradle.kts
@@ -172,3 +172,46 @@ sdkman { url = "https://github.com/pinterest/ktlint/releases/download/$sdkmanVersion/ktlint-$sdkmanVersion.zip" hashtag = "ktlint" }
+
+// TODO: Remove in release after ktlint 1.0.1
+publishing {
+ publications {
+ create("relocation-ktlint-cli") {
+ pom {
+ // Old artifact coordinates ktlint-cli
+ groupId = "com.pinterest"
+ artifactId = "ktlint"
+ version = "0.51.0-FINAL"
+
+ distributionManagement {
+ relocation {
+ // New artifact coordinates
+ groupId.set("com.pinterest.ktlint")
+ artifactId.set("ktlint-cli")
+ version.set("1.0.0")
+ message.set("groupId and artifactId have been changed")
+ }
+ }
+ }
+ }
+ }
+}
+
+// TODO: Remove in release after ktlint 1.0.1
+signing {
+ // Uncomment following line to use gpg-agent for signing
+ // See https://docs.gradle.org/current/userguide/signing_plugin.html#sec:using_gpg_agent how to configure it
+ // useGpgCmd()
+
+ val signingKeyId = System.getenv("ORG_GRADLE_PROJECT_signingKeyId")
+ val signingKey = System.getenv("ORG_GRADLE_PROJECT_signingKey")
+ val signingPassword = System.getenv("ORG_GRADLE_PROJECT_signingKeyPassword")
+ useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
+
+ // This property allows OS package maintainers to disable signing
+ val enableSigning = providers.gradleProperty("ktlint.publication.signing.enable").orNull != "false"
+
+ sign(publishing.publications["relocation-ktlint-cli"])
+
+ isRequired = enableSigning && !version.toString().endsWith("SNAPSHOT")
+}
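Review bot: The comment `// Old artifact coordinates ktlint-cli` in the `pom` block of ktlint-cli/build.gradle.kts reads as if the old artifact was named ktlint-cli, whereas the lines below it set the old coordinates to `com.pinterest:ktlint` and relocate to `com.pinterest.ktlint:ktlint-cli`. This is the only relocation in the diff that also moves the groupId, so the redirect is worth spelling out for anyone auditing it: `// Old artifact coordinates: com.pinterest:ktlint (relocated to com.pinterest.ktlint:ktlint-cli)`.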