Sign artifacts in build instead of in bintray. #1778
Merged
We don't have to do this, but figured I'd whip it up as an idea.
This configures the build to sign artifacts instead of using Bintray's global key. This allows users to verify that the signing key is indeed owned by OTel (perhaps using Nexus Pro and a strict verification policy), possibly reduces some load on Bintray during publishing, and gives some flexibility if we want to try other publishing options.
For now, I just made a key for OpenTelemetry Java:

gpg --keyserver hkp://pool.sks-keyservers.net --recv-keys 3F05DDA9F317301E927136D417A27CE7A60FF5F0

We can change the key as we want to - not sure if it makes sense to have a global GPG key for OTel or stick with one for OTel Java. Otherwise, I'd need a way to share this key with other maintainers, especially the revocation key.
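The consumer-side half of what the description argues for (a user checking that a published artifact was signed by the project's key rather than by whatever key happens to be in their keyring), as an added example that is not part of this PR or of the opentelemetry-java build. It assumes GnuPG 2.1+ on PATH; the user IDs, file names and the throwaway keyring are constructed for the demo. A real check would pass the fingerprint from the comment above (3F05DDA9F317301E927136D417A27CE7A60FF5F0) as the pinned value.

```shell
#!/usr/bin/env bash
# Added example (not code from the PR): verify a detached OpenPGP signature on
# a Maven artifact and pin the signer to an expected primary-key fingerprint.
# Assumes `gpg` (GnuPG 2.1+) is available. All names and files are constructed.
set -eu

# verify_pinned ARTIFACT SIG EXPECTED_FPR
# Succeeds only if the signature is valid AND the signer's primary-key
# fingerprint equals EXPECTED_FPR (40 hex digits, no spaces). A bare
# `gpg --verify` reports "Good signature" for any key in the local keyring,
# which is the gap a strict fingerprint policy closes.
verify_pinned() {
  artifact="$1"; sig="$2"; want="$3"
  status=$(gpg --batch --status-fd 1 --verify "$sig" "$artifact" 2>/dev/null) || return 1
  # VALIDSIG: [GNUPG:] VALIDSIG <sigkey-fpr> <date> <ts> <exp> <ver> <res>
  #           <pk-algo> <hash-algo> <class> <primary-key-fpr>
  printf '%s\n' "$status" | awk -v want="$want" '
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      fpr = (NF >= 12) ? $12 : $3     # prefer the primary-key fingerprint
      if (fpr == want) ok = 1
    }
    END { exit (ok ? 0 : 1) }'
}

# primary_fpr USER-ID: fingerprint of the primary key matching USER-ID
primary_fpr() {
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# detach_sign USER-ID FILE OUT: ASCII-armored detached signature of FILE to OUT
detach_sign() {
  gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
      --local-user "$1" --armor --detach-sign --output "$3" "$2"
}

# setup_demo: throwaway keyring with the "project" key and one unrelated key
# (both end up in the keyring, as keys imported from a keyserver would), plus a
# stand-in artifact signed by each. Sets PROJECT_FPR, ARTIFACT, GOOD_SIG, ROGUE_SIG.
setup_demo() {
  tmp=$(mktemp -d)
  GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
  mkdir -m 700 "$GNUPGHOME"
  for uid in 'Project Release <release@example.invalid>' \
             'Someone Else <other@example.invalid>'; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$uid" ed25519 sign never 2>/dev/null
  done
  PROJECT_FPR=$(primary_fpr release@example.invalid)
  ARTIFACT="$tmp/example-artifact-0.0.0.jar"      # constructed stand-in, not a real jar
  printf 'not really a jar\n' > "$ARTIFACT"
  GOOD_SIG="$tmp/good.asc";  detach_sign release@example.invalid "$ARTIFACT" "$GOOD_SIG"
  ROGUE_SIG="$tmp/rogue.asc"; detach_sign other@example.invalid   "$ARTIFACT" "$ROGUE_SIG"
}

main() {
  setup_demo
  if verify_pinned "$ARTIFACT" "$GOOD_SIG" "$PROJECT_FPR"; then
    echo "project key $PROJECT_FPR: accepted"
  fi
  if ! verify_pinned "$ARTIFACT" "$ROGUE_SIG" "$PROJECT_FPR"; then
    echo "other key in keyring: rejected by the pin (plain gpg --verify would pass)"
  fi
}
main
```

The pin goes on the primary-key fingerprint rather than the short key ID or the user ID, since both of those are trivially forgeable and a keyserver lookup by ID can return more than one key. Rotating the project key, as the description leaves open, means changing the pinned value on the consumer side, which is why it matters that the fingerprint is published somewhere users trust.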