From c2466531216400dedc36bfd9708747260a1cc717 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Wed, 26 Jul 2023 11:41:08 +0200 Subject: [PATCH 1/4] #35 Do not hard code volatile key id in docs Signed-off-by: Sven Strittmatter --- release.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/release.md b/release.md index c6eb3cb7..b5c85512 100644 --- a/release.md +++ b/release.md @@ -61,7 +61,7 @@ gpg --import private.key #### For GitHub Actions ```shell -gpg --armor --export-secret-keys 40AA7D29EB6DE0667D7E723ADE4725604A739BAF +gpg --armor --export-secret-keys $KEYID ``` In the GitHub Secrets [1], add the output of this command to the `SIGNING_KEY` secret. @@ -83,7 +83,7 @@ For example: #### For Password Manager ```shell -gpg -o private.key --export-secret-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF +gpg -o private.key --export-secret-key $KEYID ``` ### Expiration @@ -97,8 +97,8 @@ To remember, we added an appointment to the team calendar. 1. Download the private key file `private.key` from password manager 2. Import it locally: `gpg --import private.key` -3. Select the key : `gpg --edit-key 40AA7D29EB6DE0667D7E723ADE4725604A739BAF` -4. Now select the Subkey and set the expire date (use `2y` for two years): +3. Select the key : `gpg --edit-key $KEYID` +4. Now select the subkey and set the expire date (use `2y` for two years): ```shell gpg> key 1 gpg> expire From 881717d472e2bff00dc3b836bd07b691130c89d0 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Wed, 26 Jul 2023 11:41:35 +0200 Subject: [PATCH 2/4] #35 Remove done todos Signed-off-by: Sven Strittmatter --- release.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/release.md b/release.md index b5c85512..c6a8b6a7 100644 --- a/release.md +++ b/release.md 
@@ -88,10 +88,7 @@ gpg -o private.key --export-secret-key $KEYID ### Expiration -It is recommended to use an expiration date less than two years. -We use an interval of **two years**. -This means that we need to extend the expiration date every two years! -To remember, we added an appointment to the team calendar. +It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! We use an appointment of the secureCodeBox team calendar which to remind us. #### How to extend the expiration date? @@ -109,9 +106,5 @@ gpg> save ``` 6. Update the private key in out password manager and GitHub Secrets -## TODOs - -- Do we need to import the public key in sonatype? - [1]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial [2]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens From a9bd9155b3da03a5e83d77f78618176bf522d81d Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Wed, 26 Jul 2023 11:58:39 +0200 Subject: [PATCH 3/4] #35 Refine the release documentation Signed-off-by: Sven Strittmatter --- release.md | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/release.md b/release.md index c6a8b6a7..0063ccb6 100644 --- a/release.md +++ b/release.md 
@@ -2,11 +2,9 @@ Here we describe all the ceremonial stuff necessary to publish a Java library to Maven Central. - ## Credentials -Publishing to Maven Central requires authentication in the form of a username-password or an User Token (as username and password). -We use User Tokens [2] for authentication, which are stored in our password manager. +Publishing to Maven Central requires authentication in the form of username and password or user token (as username and password). We use [user tokens][user-token] for authentication, which are stored in our password manager. ### Local (on device) @@ -14,9 +12,7 @@ The `MAVEN_USERNAME` and `MAVEN_PASSWORD` environment variable needs to be set o ### GitHub Actions -In the GitHub Secrets [1], we need to add two secrets called `MAVEN_USERNAME` and `MAVEN_PASSWORD` (Github enforces a leading `SECRET_TOKEN`). -They can be accessed in a yaml file with `${{ secrets.MAVEN_USERNAME }}` and `${{ secrets.MAVEN_PASSWORD }}`. -We pass both these secrets in the `env` block. +In the [GitHub Secrets][gh-secrets], we need to add two secrets called `MAVEN_USERNAME` and `MAVEN_PASSWORD`. They can be accessed in a yaml file with `${{ secrets.MAVEN_USERNAME }}` and `${{ secrets.MAVEN_PASSWORD }}`. We pass both these secrets in the `env` block. For example: @@ -30,7 +26,7 @@ For example: ## GPG Guide for Maven Signing -This guide is based on [Working with PGP Signatures](https://central.sonatype.org/publish/requirements/gpg/) and [OpenPGP Best Practices](https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices). +This guide is based on [Working with PGP Signatures][pgp-signatures] and [OpenPGP Best Practices][pgp-best-practices]. ### About our key @@ -50,7 +46,7 @@ gpg --full-generate-key ### Import the private key -Download private key from password manager and import it locally +Download private key from password manager and import it locally: ```shell gpg --import private.key 
@@ -64,10 +60,8 @@ gpg --import private.key gpg --armor --export-secret-keys $KEYID ``` -In the GitHub Secrets [1], add the output of this command to the `SIGNING_KEY` secret. -Additionally, you must add the corresponding password in as `SIGNING_PASSWORD`. -Both can be accessed in a yaml file with `${{ secrets.SIGNING_KEY }}` and `${{ secrets.SIGNING_PASSWORD }}`. -We pass both these secrets in the `env` block- +In the [GitHub Secrets][gh-secrets], add the output of this command to the `SIGNING_KEY` secret. +Additionally, you must add the corresponding password as `SIGNING_PASSWORD`. Both can be accessed in a YAML file with `${{ secrets.SIGNING_KEY }}` and `${{ secrets.SIGNING_PASSWORD }}`. We pass both these secrets in the `env` block. For example: @@ -77,7 +71,6 @@ For example: env: SIGNING_KEY: ${{ secrets.SIGNING_KEY }} SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }} - ... ``` #### For Password Manager @@ -88,14 +81,14 @@ gpg -o private.key --export-secret-key $KEYID ### Expiration -It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! We use an appointment of the secureCodeBox team calendar which to remind us. +It is recommended to use an expiration date less than two years. We use an interval of **two years**. This means that we need to extend the expiration date every two years! We use an appointment of the secureCodeBox team calendar to remind us. #### How to extend the expiration date? 1. Download the private key file `private.key` from password manager 2. Import it locally: `gpg --import private.key` 3. Select the key : `gpg --edit-key $KEYID` -4. Now select the subkey and set the expire date (use `2y` for two years): +4. Now select the subkey and set the expiry date (use `2y` for two years): ```shell gpg> key 1 gpg> expire 
@@ -106,5 +99,7 @@ gpg> save ``` 6. Update the private key in out password manager and GitHub Secrets -[1]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial -[2]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens +[gh-secrets]: https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/GitHub-Actions-Secrets-Example-Token-Tutorial +[user-token]: https://help.sonatype.com/iqserver/managing/user-management/user-tokens +[pgp-signatures]: https://central.sonatype.org/publish/requirements/gpg/ +[pgp-best-practices]: https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices From 5552bd4605bd89a7f118d3ec0c33d7cc8e9c0589 Mon Sep 17 00:00:00 2001 From: Sven Strittmatter Date: Wed, 26 Jul 2023 11:59:20 +0200 Subject: [PATCH 4/4] #35 Move into docs folder bc we will add screenshots to the docs Signed-off-by: Sven Strittmatter --- release.md => docs/release.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename release.md => docs/release.md (100%) diff --git a/release.md b/docs/release.md similarity index 100% rename from release.md rename to docs/release.md
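Review bot: In patch 1, hunk `@@ -61,7 +61,7 @@` (`gpg --armor --export-secret-keys $KEYID`), `$KEYID` replaces the hard-coded fingerprint but is never defined anywhere in the diff, so a reader following the guide has an unset variable and gpg exports nothing useful. Add a sentence before the first use that says where the value comes from, for example `gpg --list-secret-keys --keyid-format long` and `export KEYID=<your key id>`, and quote it as `"$KEYID"` in the commands so an empty value fails loudly instead of silently expanding to no argument.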
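Review bot: In patch 1, hunk `@@ -83,7 +83,7 @@` (`gpg -o private.key --export-secret-key $KEYID`), the file written to `private.key` is protected only by the key passphrase; the surrounding steps tell the reader to upload it to the password manager but never to delete the local copy. Add a closing step such as `rm private.key` (or `shred -u private.key`) after the upload so the secret key does not linger on the release engineer's disk.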
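Review bot: In patch 1, hunk `@@ -97,8 +97,8 @@` (steps 3 and 4 of the expiry procedure), the sequence `gpg> key 1` followed by `gpg> expire` only extends subkey 1; if the primary key was created with the same two-year expiry it expires on schedule and the whole key, subkey included, stops validating. Either document running `gpg> expire` once before `key 1` (with no key selected it applies to the primary), or state explicitly that the primary key has no expiry, so the reader knows which case applies.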
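Review bot: In patch 2, hunk `@@ -88,10 +88,7 @@`, the new sentence `We use an appointment of the secureCodeBox team calendar which to remind us.` is ungrammatical and is corrected again in patch 3 (`... team calendar to remind us.`); consider squashing the wording change into one commit so the intermediate broken sentence never lands in history.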
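Review bot: In patch 2, hunk `@@ -109,9 +106,5 @@`, the TODO `Do we need to import the public key in sonatype?` is deleted, but the commit calls it "done" and nothing in the document records the answer. If the question was resolved, replace the TODO with the resolution (where the public key has to be published so that Maven Central can verify the signatures) instead of just removing it; otherwise the next person doing a release will ask the same question.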
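Review bot: In patch 3, hunk `@@ -64,10 +60,8 @@`, the value stored in the `SIGNING_KEY` GitHub secret comes from `gpg --armor --export-secret-keys $KEYID`, which exports the primary secret key as well as the subkeys. The OpenPGP Best Practices page this guide cites recommends keeping the primary key offline and giving CI only the signing subkey; consider documenting `gpg --armor --export-secret-subkeys $KEYID` for the GitHub Actions export so that a leaked CI secret can be revoked by rotating the subkey without losing the primary key.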
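Review bot: In patch 3, hunk `@@ -106,5 +99,7 @@`, the numeric reference labels `[1]` and `[2]` are renamed to `[gh-secrets]` and `[user-token]`; the hunks shown update the uses in the Credentials, GitHub Actions and SIGNING_KEY paragraphs, but any remaining `[1]`/`[2]` reference elsewhere in `release.md` would now render as literal text, so grep the file for `[1]` and `[2]` before merging. The unchanged context line `6. Update the private key in out password manager and GitHub Secrets` also still carries the typo `out` for `our`, which this series touches three times without fixing.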
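Review bot: Patch 4 (`rename release.md => docs/release.md (100%)`) moves the file without touching anything else, so any link to `release.md` in the README, contributing guide or CI workflow is now broken; update those references in the same commit, and since the commit message promises screenshots, note that images of the GitHub Secrets or password-manager UI must not show key ids, secret names with values, or user tokens.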