Add GPG signing to Wren releases

Ironically, PGPVerify doesn't default to signing their own releases... Signed-off-by: Kortanul <[email protected]>
WrenSecurity · May 29, 2018 · 7c9043e · 7c9043e
1 parent 1cf2604
commit 7c9043e
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/pom.xml b/pom.xml
@@ -304,4 +304,31 @@
         </plugins>
     </reporting>
 
+    <profiles>
+        <profile>
+            <id>sign</id>
+            <build>
+                <plugins>
+                    <!-- We want to sign the artifact, the POM, and all attached artifacts -->
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-gpg-plugin</artifactId>
+                        <configuration>
+                            <passphrase>${gpg.passphrase}</passphrase>
+                            <useAgent>true</useAgent>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <id>sign-artifacts</id>
+                                <phase>verify</phase>
+                                <goals>
+                                    <goal>sign</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
 </project>