Yes, this is actually worked on in ticket https://github.com/gradle/gradle/issues/4943 which currently is part of milestone “4.8 RC1” so it might soon be easy.
While it actually is not that hard to do properly right now.
Some of the hoops others described in linked sites here are not necessary though.
You just have to apply the signing plugin, and do signing { sign configurations.archives }.
Then you add the JARs and the JAR and POM signatures to the publication and set the packaging with

    publishing {
        publications {
            maven(MavenPublication) { publication ->
                from components.java
                artifact javadocJar
                artifact sourcesJar
                signArchives.signatures.each { signature ->
                    artifact(signature) {
                        extension signature.type
                    }
                }
                artifact(file("$buildDir/publications/$publication.name/pom-default.xml.asc")) {
                    extension 'pom.asc'
                    builtBy signArchives
                }
                pom {
                    packaging 'jar'
                }
            }
        }
    }

And finally take care that the POM is actually signed with

    tasks.withType(GenerateMavenPom) {
        signArchives.dependsOn it
        signArchives.sign it.outputs.files.singleFile
    }

That’s all that is necessary.
The only dark part in this is the semi-hard-coding of the POM signature file path, as the GenerateMavenPom tasks are added to the build at a time where the publishing extension cannot be modified anymore, so its configuration cannot be used for this.
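
One way to check the outcome of the setup above, as an added example that is not part of the original post: after publishing to a file-based Maven repository, list every JAR and POM that has no ASCII-armored `.asc` file next to it. The function names and the repository path argument are assumptions of this example, and the check only inspects the signature header; it does not verify the signature cryptographically.

```shell
#!/bin/sh
# Added example (not from the original post): find published artifacts that
# are missing a detached signature, e.g. because the POM was never signed.
# Assumption: artifacts were published to a directory-based Maven repository
# and each signature is named <artifact file name>.asc.

# Print every *.jar and *.pom under $1 without a plausible .asc sibling.
unsigned_artifacts() {
    repo_dir=$1
    find "$repo_dir" -type f \( -name '*.jar' -o -name '*.pom' \) |
    LC_ALL=C sort |
    while IFS= read -r artifact; do
        sig="$artifact.asc"
        if [ ! -s "$sig" ]; then
            # Signature file is missing or empty.
            echo "$artifact"
        elif ! head -n 1 "$sig" | grep -q '^-----BEGIN PGP SIGNATURE-----'; then
            # File exists but does not start like an armored signature.
            echo "$artifact"
        fi
    done
}

# Return 0 only when every JAR and POM has a signature file beside it.
check_repo_signed() {
    missing=$(unsigned_artifacts "$1")
    if [ -n "$missing" ]; then
        printf 'artifacts without signature:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# When called with a repository directory, run the check on it.
if [ "$#" -gt 0 ]; then
    check_repo_signed "$1"
fi
```
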