GPG key in order to publish

Hi guys, I am new with java development. I have finished my library and I have used gradle in order to build and publish it.
I want to publish to sonatype which as I understand will make it public.
In order to achieve that I have generated a gpg key, exported it with --armor and pasted the contents to github secrets.
My issue is when I try to read it back from github repo secrest it fails.
Is there a workaround for this?

hey @jkvargas , take a look at plantuml workflow file which reads it back and uses it:

signing {

and in the workflow file:

      - name: Setup gpg
        if: env.ARTIFACT_SIGNING_KEY
        id: gpg
        run: |
          echo "Importing key ..."
          echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --import --import-options import-show
          echo "Getting key id ..."
          key_id="$(echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
          echo "::set-output name=key_id::${key_id}"
      - name: Sign artifacts
        if: env.GPG_KEYNAME
          GPG_KEYNAME: ${{ steps.gpg.outputs.key_id }}
        run: |
          gradle sign \
            "-Psigning.gnupg.keyName=${GPG_KEYNAME}" \

I will try it out, @soloturn.
By the way, did you just ctrl+c, ctrl+v the contents of your key into the github secrets site?

i guess i did the same as you, export it:

Why that complex with importing and exporting and extracting and so on?
Gradle has much better support for the GitHub Actions use-case.
That’s exactly what signing { useInMemoryPgpKeys(...) } is for.
You can directly provide the ascii-armored secret key to Gradle with that.

1 Like

i guess one has to decide for local complication or github complication in this case. i saw now that putting the key into the file would be the way to make it work on both. so you mean doing something like ths?

gpg --export-secret-keys --armor AABBCCDD > AABBCCDD.asc
signingKey=-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nescaped key\n-----END PGP PRIVATE KEY BLOCK-----\n
signing {
	if (hasProperty("signingPassphrase")) {
		val signingKey: String? by project
		val signingPassphrase: String? by project
		useInMemoryPgpKeys(signingKey, signingPassphrase)
    name: Publish Artifacts
    needs: [build]
    if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
        - uses: actions/checkout@v2
        - name: Set up JDK 8
          uses: actions/setup-java@v2
            java-version: '8'
            distribution: 'temurin'
        - name: Publish with Gradle
            ORG_GRADLE_PROJECT_sonatypePassword: ${{ secrets.SONATYPE_PASSWORD }}
            ORG_GRADLE_PROJECT_sonatypeUsername: ${{ secrets.SONATYPE_USERNAME }}
            ORG_GRADLE_PROJECT_signingKey: ${{ secrets.PGP_SECRET }}
            ORG_GRADLE_PROJECT_signingPassphrase: ${{ secrets.PGP_PASSPHRASE }}
          run: ./gradlew publishToSonatype

What do you mean with that?
If you want to publish signed both, from local and CI, you can also do logic like “if property is set, use in memory, if not use gpg command”. Or “if GitHub, use in memory, if not use gpg command”. Or similar logic.

1 Like

Great progess,

plugins {
    id 'java-library'
    id 'jvm-test-suite'
    id 'maven-publish'
    id 'signing'

group 'com.evervault'
version '1.0-SNAPSHOT'

repositories {

def getRepositoryUsername() {
    return hasProperty("ossrhUsername") ? ossrhUsername : ""

def getRepositoryPassword() {
    return hasProperty("ossrhPassword") ? ossrhPassword : ""

def getKeyFile() {
    return hasProperty("signingKey") ? signingKey : ""

def getKeyPassword() {
    return hasProperty("signingPassword") ? signingPassword : ""

dependencies {
    testImplementation 'org.junit.jupiter:junit-jupiter:5.7.2'
    testImplementation "com.github.tomakehurst:wiremock-jre8:2.32.0"
    testImplementation "org.mockito:mockito-core:3.+"

    implementation ''
    implementation group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.70'

java {

testing {
    suites {
        test {
        integrationTests(JvmTestSuite) {
            dependencies {
                implementation project
                implementation group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.70'

publishing {
    publications {
        mavenJava(MavenPublication) {

            artifact sourcesJar
            artifact javadocJar

            pom {
                name = 'mycompany'
                description = 'mycompany SDK enabling developers to integrate their applications with mycompany services'
                url = '
                scm {
                    url = ''
                    connection = 'scm:git:ssh://git@github.mycompany/mycompany.git'
                licenses {
                    license {
                        name = 'The MIT License (MIT)'
                        url = ''
                developers {
                    developer {
                        name = 'mycompany'
                        organization = 'mycompany'
                        email = ''
                organization {
                    name = 'mycompany'
                    url = ''
    repositories {
        maven {
            name = 'sonatype'
            def releasesRepoUrl = ''
            def snapshotsRepoUrl = ''
            url = version.endsWith('SNAPSHOT') ? snapshotsRepoUrl : releasesRepoUrl
            credentials {
                username getRepositoryUsername()
                password getRepositoryPassword()

signing {
    useInMemoryPgpKeys(getKeyFile(), getKeyPassword())
    sign publishing.publications.mavenJava

javadoc {
    if(JavaVersion.current().isJava9Compatible()) {
        options.addBooleanOption('html5', true)

Error: -13T15:20:29.068+0000 [ERROR] [org.gradle.internal.buildevents.BuildExceptionReporter] > Invalid publication ‘mavenJava’: multiple artifacts with the identical extension and classifier (‘jar’, ‘sources’).

I suppose my artifacts are not correct.

withJavadocJar() and withSourcesJar() already add those jars to the java component.
And then you add them a second time to the publication manually.
Just remove the manual addition.