Skip to content

Replace sbt-gpg with sbt-pgp#907

Open
zainab-ali wants to merge 1 commit into
typelevel:mainfrom
zainab-ali:replace-gpg-pgp
Open

Replace sbt-gpg with sbt-pgp#907
zainab-ali wants to merge 1 commit into
typelevel:mainfrom
zainab-ali:replace-gpg-pgp

Conversation

@zainab-ali

Copy link
Copy Markdown

Motivation

See #899.

The sbt-gpg plugin has no commits for the past five years. It's a minimal wrapper over the installed gpg command. Recent versions of sbt-pgp are also wrappers over gpg and support SBT 2.

This PR migrates to sbt-pgp. It replaces sbt-gpg completely. If needed, we could cross-build ciSigning with sbt-pgp for SBT 2. An alternative is to port the sbt-gpg logic directly into ciSigning, or uplift sbt-gpg. All approaches are up for discussion.

Changes to downstream projects

Assuming that downstream projects publish in CI via tlCiRelase, there should be no major changes. Both plugins use the same command to sign artifacts.

There are a few differences:

  • sbt-gpg permitted unsigned snapshot artifacts when gpg keys were missing. With sbt-pgp, snapshots also have to be signed. This shouldn't affect downstream projects, as they should sign snapshot artifacts anyway.
  • sbt-gpg modified the publish task to use signed artifacts. sbt-pgp introduces a new publishSigned task. publish-specific settings (e.g. publish / foo) won't necessarily apply. I haven't found any downstream OSS projects that need this, but it's worth bearing in mind. publish / skip is re-used, so the NoPublish plugin works fine.
  • Both gpg commands are mostly the same, however sbt-gpg adds a --yes option. I don't think this should make a difference, as there shouldn't be any questions asked.
  • sbt-gpg exposes a few settings (gpgCommand, gpgOptions etc.). I haven't found any downstream OSS projects that use these.
  • sbt-pgp pulls in dependencies on bouncycastle and gigahorse. These are not used by default.

Testing

I've verified that tlReleaseLocal produces the same signed artifacts as before. I think we'd need to actually publish an artifact to check the tlCiRelease flow.

@mergify

mergify Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant