sigstore Maven Plugin – Plugin Documentation

Plugin Documentation

Goals available for this plugin:

Goal	Description
sigstore:help	Display help information on sigstore-maven-plugin. Call `mvn sigstore:help -Ddetail=true -Dgoal=<goal-name>` to display parameter details.
sigstore:jarsign	Goal which: generates ephemeral key pair gets OIDC token and associated email requests code signing certificate from sigstore Fulcio signs the JAR file (with `jarsigner`) publishes signed JAR file (that contains the signature per JAR signing spec) to sigstore Rekor
sigstore:sign	Sign project artifact, the POM, and attached artifacts with sigstore for deployment.

System Requirements

The following specifies the minimum requirements to run this Maven plugin:

Maven	3.8.8
JDK	11

Usage

You should specify the version in your project's plugin configuration:

<project>
  ...
  <build>
    <!-- To define the plugin version in your parent POM -->
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>dev.sigstore</groupId>
          <artifactId>sigstore-maven-plugin</artifactId>
          <version>0.5.0-SNAPSHOT</version>
        </plugin>
        ...
      </plugins>
    </pluginManagement>
    <!-- To use the plugin goals in your POM or parent POM -->
    <plugins>
      <plugin>
        <groupId>dev.sigstore</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
      </plugin>
      ...
    </plugins>
  </build>
  ...
</project>

For more information, see "Guide to Configuring Plug-ins"