Plugin Documentation

Goals available for this plugin:

Goal: sigstore:help
Description: Display help information on sigstore-maven-plugin.
Call mvn sigstore:help -Ddetail=true -Dgoal=<goal-name> to display parameter details.

Goal: sigstore:jarsign
Description: Goal which:
  • generates ephemeral key pair
  • gets OIDC token and associated email
  • requests code signing certificate from sigstore Fulcio
  • signs the JAR file (with jarsigner)
  • publishes signed JAR file (that contains the signature per JAR signing spec) to sigstore Rekor

Goal: sigstore:sign
Description: Sign project artifact, the POM, and attached artifacts with sigstore for deployment.

System Requirements

The following specifies the minimum requirements to run this Maven plugin:

Maven 3.8.8
JDK 11

Usage

You should specify the version in your project's plugin configuration:

<project>
  ...
  <build>
    <!-- To define the plugin version in your parent POM -->
    <pluginManagement>
      <plugins>
        <plugin>
          <groupId>dev.sigstore</groupId>
          <artifactId>sigstore-maven-plugin</artifactId>
          <version>0.5.0-SNAPSHOT</version>
        </plugin>
        ...
      </plugins>
    </pluginManagement>
    <!-- To use the plugin goals in your POM or parent POM -->
    <plugins>
      <plugin>
        <groupId>dev.sigstore</groupId>
        <artifactId>sigstore-maven-plugin</artifactId>
      </plugin>
      ...
    </plugins>
  </build>
  ...
</project>

For more information, see "Guide to Configuring Plug-ins".