This is a straw-man proposal to document the signing process to push milestones and releases to Maven Central. Please correct any false or unclear information given here, in particular parts that are marked in bold.
It is important for the project to distribute milestones and releases to Maven Central because most users will want to pull in their dependencies from there. Sonatype OSSRH, the gateway to Maven Central, requires every deployed artifact (jar, pom, sources, javadoc) to be signed with a PGP key whose public key is available on a public key server. This is usually done with GPG, using the private key of the committer who performs the release, locally on their own machine.
The above process is problematic for committers working from within a company network. Furthermore, it is desirable to have a reproducible publishing process in place that can be triggered by any committer and always yields the same result, i.e. one that is independent of which person actually triggers it. The Eclipse Foundation provides a facility to sign JAR files as well as Windows and OS X applications with the Foundation's certificate, but so far it does not provide any facility to GPG-sign artifacts. Thus, we use the following signing process for the Californium project to distribute milestone and release builds through the HIPP (the project's Hudson instance):
- Eclipse webmaster creates the GPG key pair for signing on the HIPP using email@example.com
- GPG key is kept in the home directory of the genie account of the HIPP
- All committers sign the GPG key with their (personal) keys
- Staging repo credentials and the GPG key passphrase are stored in encrypted form in the Maven settings.xml file (this requires a master password in settings-security.xml)
- HIPP polls the Git repo to trigger Milestone and/or Release builds
- To invalidate and/or replace the key through the webmaster, a majority vote by the committers is required
Using the Hudson Instance
The HIPP already supports GPG. It can poll the Git repository at a chosen rate and trigger Milestone and/or Release builds, which automatically deploy the created artifacts to oss.sonatype.org (and thus to Maven Central).
For this, we need to specify the Maven Central staging repo credentials and the GPG key passphrase in the Maven settings.xml file. Both can be provided in "encrypted" form, using a master password defined in the settings-security.xml file (see https://maven.apache.org/guides/mini/guide-encryption.html; mvn --encrypt-master-password produces the master password entry and mvn --encrypt-password the individual server passwords). Note that this encryption is reversible by design: anyone who can read both files on the HIPP, i.e. anything running as the genie account, can recover the plaintext. It protects against casual disclosure of the files, not against a compromise of the build machine.
The GPG key pair is created by the Eclipse webmaster using the mailing list address of the project (firstname.lastname@example.org). It is then installed in the keyring of the genie account on the HIPP.
The primary GPG key is stored in the home directory of the genie account (genie.californium). It is a normal login-less user account that runs builds on behalf of the project.
Californium committers sign this key with their (personal) keys in order to improve its trustworthiness, and the public key is published to a public key server so that Sonatype and downstream users can verify the artifact signatures.
The key should be created with an expiry date rather than as a never-expiring key; the usual recommendation is a limited lifetime that the webmaster extends before it runs out. If the key has to be revoked or replaced, a majority vote by the committers should be required before the webmaster does so.
Thanh Ha recommended that the trusted builds are built from trusted commits/tags, which are signed by a committer key. How do committers sign these?
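As an added example, which is not part of the Californium project's own process or of the HIPP setup, the following script shows one way to answer that question: a committer signs the release tag with their personal GPG key (git tag -s), and the build job verifies the tag signature and checks that the signing key's fingerprint is on a committer allow-list before it builds anything. The key name, e-mail address, tag names and the allow-list file are assumptions made for the demo; the demo() function creates a throwaway key and repository in a temporary directory so that it runs offline.

```shell
#!/bin/sh
# Added example (not Californium or HIPP code): sign a release tag with a
# committer's personal GPG key and verify it on the build side against an
# allow-list of committer key fingerprints. Names and paths are assumptions.
set -e

# Committer side: create a signed tag with the given key.
# Real-world usage:  git tag -s v1.0.0 -m "Californium 1.0.0" && git push origin v1.0.0
sign_tag() {   # sign_tag <tag> <keyid-or-fingerprint>
    git tag -s -u "$2" -m "release $1" "$1"
}

# Build side: refuse the tag unless gpg reports a GOODSIG and the signing
# key's fingerprint (from the VALIDSIG status line) is on the allow-list.
# An expired or revoked key yields EXPKEYSIG/REVKEYSIG, not GOODSIG, so it
# is rejected even if it is on the list.
verify_release_tag() {   # verify_release_tag <tag> <allow-list file>
    tag=$1; allow=$2
    status=$(git verify-tag --raw "$tag" 2>&1) || {
        echo "tag $tag: signature check failed" >&2; return 1; }
    echo "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || {
        echo "tag $tag: no good signature" >&2; return 1; }
    fpr=$(echo "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $3; exit}')
    [ -n "$fpr" ] || { echo "tag $tag: no fingerprint in gpg status" >&2; return 1; }
    if grep -qix "$fpr" "$allow"; then
        echo "tag $tag: signed by committer key $fpr"
        return 0
    fi
    echo "tag $tag: signed by key $fpr, which is not on the committer list" >&2
    return 1
}

# Demo with a constructed committer key and repository (runs in a subshell
# so it does not change the caller's environment). Prints a summary string.
demo() (
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    # Throwaway key without passphrase; a real committer key would be
    # passphrase-protected and live in the committer's own keyring.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Demo Committer <committer@example.invalid>" \
        default default never >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null \
          | awk -F: '/^fpr/ {print $10; exit}')

    git init -q "$work/repo" && cd "$work/repo"
    git config user.name "Demo Committer"
    git config user.email "committer@example.invalid"
    git config gpg.format openpgp
    git config tag.gpgSign false
    echo "demo" > README && git add README && git commit -q -m "initial"

    sign_tag v1.0.0 "$fpr"               # properly signed release tag
    git tag -a v1.0.1 -m "not signed"    # annotated but unsigned tag

    # Allow-list as a HIPP job would keep it: one committer fingerprint per line.
    echo "$fpr" > "$work/committers.txt"

    result=""
    verify_release_tag v1.0.0 "$work/committers.txt" >/dev/null 2>&1 && result="signed-ok"
    verify_release_tag v1.0.1 "$work/committers.txt" >/dev/null 2>&1 || result="$result unsigned-rejected"

    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    echo "$result"
)

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with --demo to see both outcomes. In a real job the allow-list would be a file the committers maintain in the repository or on the HIPP, and verify_release_tag would be the first step of the Milestone/Release build, so that the genie account's GPG key is only ever used on source that a committer has signed.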