Tags: android, android-studio, android-library, bintray, jcenter

How do GPG signing and verification work?


I have added a public key and a private key for GPG signing in Bintray. As per the documentation, the uploaded content will be signed automatically using the private key.

GPG signing allows you to automatically sign your uploaded content. You can find more information in the documentation.

And as per the documentation, users can verify the content by using the Public Key.

GPG signing is an optional feature of Bintray that allows the publisher of uploaded material to sign it so it can be verified as authentic and original by the users.

How can this verification actually be done by users?

For example:

In Android Studio following dependency is added in build.gradle

compile 'com.example.test:test:0.0.1'
  • How is this dependency verified, and where do I have to add the public key for verification?

  • If verification should be done through the terminal with the gpg command, where will I get the .aar?


Solution

  • After reading a lot of tutorials about uploading Android libraries to BinTray, I still did not understand why I needed a PGP key.

    Here's what I understood:

    If you need to upload an Android library to jCenter and use it as a Gradle dependency, you really don't need to provide any PGP key in your BinTray account. Just upload the lib with Android Studio and then click: Add to jCenter.

    But if you want to add your lib to Maven Central you must (but maybe I'm wrong) sign it with a PGP key.

    In BinTray documentation:

    Using the optional GPG Signing feature (currently available for Maven repositories) to sign your material so that it can be verified as authentic and original by other users.

    Your questions:

    How is this dependency verified, and where do I have to add the public key for verification?

    If you upload your lib with Android Studio and want to add it to Maven Central, you have to add the public key into the library's build.gradle file. There are a lot of tutorials on how to do that.

    If verification should be done through the terminal with the gpg command, where will I get the .aar?

    Verification happens when someone uploads a library to Maven Central (BinTray). Maven Central (BinTray) checks if the library is uploaded by the owner (or someone who has the PGP passphrase).
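The terminal-side verification the question asks about, as an added shell example that is not part of the original post or of Bintray's tooling: the publisher side creates a detached .asc signature for the artifact (what a Maven repository publishes next to each file), and the consumer side imports the publisher's public key into an isolated keyring and checks that signature, including the case where the artifact was modified. It assumes GnuPG 2.1 or later on PATH; the artifact, key name and address are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes gpg (GnuPG 2.1+).
set -u

# verify_artifact FILE SIGNATURE PUBKEY_FILE
# Imports the publisher's public key into a throw-away keyring and checks the
# detached signature. Returns 0 only for a GOODSIG from that key.
verify_artifact() {
  file=$1; sig=$2; pubkey=$3
  ring=$(mktemp -d); chmod 700 "$ring"
  GNUPGHOME=$ring gpg --batch --quiet --import "$pubkey" 2>/dev/null
  # The key is imported but not marked trusted, so look for the explicit
  # GOODSIG status line rather than relying on the exit code alone.
  status=$(GNUPGHOME=$ring gpg --batch --status-fd 1 --verify "$sig" "$file" 2>/dev/null)
  rc=$?
  rm -rf "$ring"
  [ $rc -eq 0 ] && printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG '
}

# demo_gpg_signing: publisher side (key generation + detached signing), then
# consumer side (verification of the genuine and of a tampered artifact).
demo_gpg_signing() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; return 1; }
  work=$(mktemp -d); chmod 700 "$work"
  pubhome=$work/publisher; mkdir -m 700 "$pubhome"
  # Constructed stand-in for test-0.0.1.aar; the bytes do not matter.
  printf 'PK\003\004 constructed aar contents\n' > "$work/test-0.0.1.aar"
  # Publisher: throw-away key (empty passphrase only because this is a demo).
  GNUPGHOME=$pubhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-gen-key 'Example Publisher <publisher@example.invalid>' default default never 2>/dev/null
  GNUPGHOME=$pubhome gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign -o "$work/test-0.0.1.aar.asc" "$work/test-0.0.1.aar"
  GNUPGHOME=$pubhome gpg --batch --quiet --armor --export -o "$work/publisher.pub.asc"
  # Consumer: the genuine artifact must verify ...
  verify_artifact "$work/test-0.0.1.aar" "$work/test-0.0.1.aar.asc" "$work/publisher.pub.asc" \
    && genuine=ok || genuine=bad
  # ... and a modified artifact must be rejected (BADSIG, non-zero exit).
  printf 'x' >> "$work/test-0.0.1.aar"
  verify_artifact "$work/test-0.0.1.aar" "$work/test-0.0.1.aar.asc" "$work/publisher.pub.asc" \
    && tampered=accepted || tampered=rejected
  GNUPGHOME=$pubhome gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  echo "genuine=$genuine tampered=$tampered"
  [ "$genuine" = ok ] && [ "$tampered" = rejected ]
}
```

In practice the consumer downloads the .aar and its .asc from the repository, obtains the publisher's key fingerprint out of band, and calls verify_artifact with the key exported for that fingerprint; Gradle itself does not check the signature for a plain compile dependency.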