
GPG signing

Configuring automatic signatures for your releases

About

KickstartFX can automatically sign any release artifacts in the publishing pipeline with your GPG key if configured correctly. This enhances security and assures users that the release artifacts were indeed generated by you, or at least someone with access to your private GPG key.

In an ideal world, where the GPG key is neither leaked nor stolen and the account holding the stored GPG key credentials is not taken over, this guarantees that the release you built was not altered by someone else, at least for users who actually verify the signature.

Configuration

To use this feature, you need:

  • Your private GPG key, formatted as armored ASCII (.asc format, not the .gpg format)
  • Your private GPG key short ID (8 hex digits)
  • Your optional GPG key passphrase

First, create an environment variable GPG_KEY with the contents of the private GPG key in text form. The text should have the form BEGIN PGP PRIVATE KEY BLOCK .... Then, create an environment variable GPG_KEY_ID with the short ID of your GPG key. Finally, if your key has a passphrase, create the environment variable GPG_KEY_PASSWORD with the password.

In the root build.gradle, set the variable signingEnabled to true to make the GitHub Actions workflow perform the signing tasks.
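As an added example (not KickstartFX's own code), the following pre-flight script checks the GPG_KEY and GPG_KEY_ID variables described above before the signing task runs, so that a secret pasted in the wrong format, or a key ID that does not belong to the key, fails the workflow early instead of producing an unsigned or wrongly signed release. The function names and messages are my own; gpg is assumed to be on the runner only for the optional key/ID cross-check.

```shell
#!/usr/bin/env sh
# Added example, not KickstartFX's own code: pre-flight checks for the GPG_KEY
# and GPG_KEY_ID variables described above, meant to run in the workflow before
# the signing task so a misconfigured secret fails early and loudly.

# 0 if $1 is an ASCII-armored private key block (.asc export); a binary .gpg
# export or a public key pasted by mistake fails this check.
check_key_armor() {
  printf '%s\n' "$1" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----$' &&
  printf '%s\n' "$1" | grep -q '^-----END PGP PRIVATE KEY BLOCK-----$'
}

# 0 if $1 is a short key ID: exactly 8 hex digits, no 0x prefix.
check_key_id() {
  printf '%s\n' "$1" | grep -Eq '^[0-9A-Fa-f]{8}$'
}

# Imports $1 into a throwaway keyring and checks that the secret key it holds
# really has short ID $2 (short IDs are not unique, so compare against the key
# actually imported). Returns 2 if gpg is missing, 1 on import failure or
# mismatch, 0 on match.
check_key_matches_id() {
  command -v gpg >/dev/null 2>&1 || return 2
  home=$(mktemp -d) || return 1
  long_id=""
  if printf '%s\n' "$1" | GNUPGHOME="$home" gpg --batch --quiet --import 2>/dev/null; then
    # Field 5 of the "sec" record is the 16-digit long ID; the short ID is its tail.
    long_id=$(GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys 2>/dev/null |
      awk -F: '$1 == "sec" { print $5; exit }')
  fi
  GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  [ -n "$long_id" ] || return 1
  [ "$(printf '%s' "$long_id" | tail -c 8 | tr 'a-f' 'A-F')" = "$(printf '%s' "$2" | tr 'a-f' 'A-F')" ]
}

# Runs all checks against the environment, reports each failure on stderr and
# returns the number of failures (0 means the signing task may proceed).
preflight() {
  fails=0
  check_key_armor "${GPG_KEY-}" || { echo "GPG_KEY: not an ASCII-armored private key block" >&2; fails=$((fails + 1)); }
  check_key_id "${GPG_KEY_ID-}" || { echo "GPG_KEY_ID: must be exactly 8 hex digits" >&2; fails=$((fails + 1)); }
  if [ "$fails" -eq 0 ]; then
    rc=0; check_key_matches_id "$GPG_KEY" "$GPG_KEY_ID" || rc=$?
    [ "$rc" -ne 1 ] || { echo "GPG_KEY_ID: does not match the key in GPG_KEY" >&2; fails=$((fails + 1)); }
    [ "$rc" -ne 2 ] || echo "gpg not installed; key/ID cross-check skipped" >&2
  fi
  return "$fails"
}
```

Source the file in the workflow step that precedes signing and call preflight; a non-zero return fails the job before any artifact is signed.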
