Announce: sbt-pgp 2.0.0

I’d like to announce sbt-pgp 2.0.0 for sbt 0.13 and sbt 1.x.

Documentation is moved and improved

The documentation for sbt-pgp is moved to https://github.com/sbt/sbt-pgp (README on GitHub). Please check it out.

Breaking change: Default to use GnuPG (useGpg := true)

sbt-pgp 1.x had useGpg set to false , which used Bouncy Castle a Java library for signing etc, but there’s a growing feature disparities between the pure Java Bouncy Castle implementation and GnuPG ( gpg ).

sbt-pgp 2.0.0 flips the default to use the locally installed gpg . #146 by @eed3si9n

This is overridable from the system property SBT_PGP_USE_GPG :

$ sbt -DSBT_PGP_USE_GPG=false

In addition, useGpgAgent setting also defaults to true , which should reduce the need to store passphrases in the plain.

We should also consider migrating to sbt-gpg. It is a new plugin that is being developed by Jakob Odersky that is designed around using gpg . We encourage you to try sbt-gpg, and report/fix any issues found in the plugin.

Breaking change: Bouncy Castle mode is now deprecated

We no longer recommend the Bouncy Castle mode. Related, pgp-cmd command has been removed. See Importing key pair on how to migrate old key pair into gpg .

Breaking change: camel case key name

sbt-pgp 1.x had camelCase in the build.sbt , but kebab-case in the sbt shell.
sbt-pgp 2.0.0 unifies them to camelCase.

Breaking change: package name change

The package name is changed from com.typesafe.sbt.pgp to com.jsuereth.sbtpgp to match the organization of the artifact. If the build user enables sbt-pgp 2.0.0 globally, this might show up as:

[error] /Users/xxx/work/playframework/project/BuildSettings.scala:7:21: object sbt is not a member of package com.typesafe
[error] import com.typesafe.sbt.pgp.PgpKeys
[error]                     ^

Signing Key

By default, all signing operations will use gpg’s default key. Following the convention set by jodersky/sbt-gpg, specific key can now be used by setting sbt Credentials for the host "gpg" , instead of usePgpKeyHex(...) :

credentials += Credentials(
  "GnuPG Key ID",
  "gpg",
  "2BE67AC00D699E04E840B7FE29967E804D85663F", // key identifier
   "ignored" // this field is ignored; passwords are supplied by pinentry
)

pgpKeyRing key

Instead of reusing Bouncy Castle settings, sbt-pgp 2.0.0 adds a new optional key pgpKeyRing to override the key ring. This is set to None by default. #166 by @eed3si9n

PGP_PASSPHRASE environment variable

Following the convention set by olafurpg/sbt-ci-release, sbt-pgp 2.0.0 will automatically use the value set to PGP_PASSPHRASE as the passphrase. #165 by @eed3si9n

sbt-pgp 1.x has provided ways of storing passphrase using pgpPassphrase or in the credentials, but we no longer recommend using these methods on your laptop.

pinentry support

Adds a pinentry option to sbt-pgp, by using the --pinentry-mode loopback option.

Adds a useGpgPinentry boolean key that if set with useGpg and useGpgAgent set, will use a specialized signer CommandLineGpgPinentrySigner . #142 by @wsargent

See also the documentation for Tag Driven Releasing, an automated release process Scala team uses, updated to sbt-pgp 2.0.0.