We can digitally sign artifacts in Gradle with the signing plugin. The plugin supports generating Pretty Good Privacy (PGP) signatures. This signature format is also required for publication to the Maven Central Repository. To create a PGP signature, we must install a few PGP tools on our computer. Installation of the tools is different for each operating system. On Unix-like systems, the software is probably available via a package manager. With the PGP software, we need to create a key pair that we can use to sign artifacts.
To sign artifacts, we must apply the signing plugin to our project. Then we must configure the plugin using a signing configuration block. At a minimum, we need to add information about our PGP key pair: the hexadecimal representation of the public key, the path to the secret key ring file with our private key, and the passphrase used to protect the private key. We assign this information to the
password properties of the...
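
The configuration described above, as an added example that is not part of the original text. The property names `signing.keyId`, `signing.secretKeyRingFile` and `signing.password` are the ones the Gradle signing plugin reads; the values in the comments are constructed placeholders, and the two guards are an assumption about how a team might keep the passphrase out of version control.

```groovy
// build.gradle (added example; key values live outside this file)
import org.gradle.plugins.signing.Sign

plugins {
    id 'java'
    id 'signing'
}

// Expected in ~/.gradle/gradle.properties (per-user, never committed).
// Values below are constructed placeholders:
//   signing.keyId=0123ABCD
//   signing.secretKeyRingFile=/home/user/.gnupg/secring.gpg
//   signing.password=<passphrase>
def signingProps = ['signing.keyId', 'signing.secretKeyRingFile', 'signing.password']

// Guard 1: refuse to build if the passphrase sits in the project's own
// gradle.properties, which normally ends up in version control.
def projectPropsFile = file('gradle.properties')
if (projectPropsFile.exists()) {
    def projectProps = new Properties()
    projectPropsFile.withInputStream { projectProps.load(it) }
    if (projectProps.containsKey('signing.password')) {
        throw new GradleException(
            'signing.password found in project gradle.properties; ' +
            'move it to ~/.gradle/gradle.properties')
    }
}

// Guard 2: fail signing tasks with a clear message when a property is missing.
def missingProps = signingProps.findAll { !project.hasProperty(it) }
tasks.withType(Sign).configureEach {
    doFirst {
        if (missingProps) {
            throw new GradleException("Missing signing properties: ${missingProps.join(', ')}")
        }
    }
}

signing {
    // Creates the signJar task, which writes a detached .asc signature
    // next to the JAR produced by the jar task.
    sign jar
}
```

Running `gradle signJar` with the three properties set in the per-user file produces the signature; consumers can check it with their PGP tool against the published public key.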