Release artifacts are signed. This is handled by the GitHub workflow.

To test the creation of signed artifacts on the local machine, follow steps below:

• Change property VERSION_NAME in gradle.properties so that it does not end with -SNAPSHOT. Whenever the version ends with -SNAPSHOT, the artifacts are never signed. Make sure that this change is not committed.
• Use GPG to generate a key. Maven requires a RSA key of at least 4096 bits. Most likely it does not matter for local publication whether this is used. Execute command:

  gpg --full-gen-key
  

  • Please select what kind of key you want: 1) RSA - RSA
  • What keysize do you want? 4096
  • Key is valid for? 0 (does not expire)
  • Real-name: ktlint-test
  • Email address: ktlint-test@nowhere.com
  • Comment: Test signing of ktlint artifacts on local machine only
  • Passphrase: i-will-try-no-to-forget-this-passphrase
  • The output ends with something like

  pub   rsa4096 2023-10-08 [SC]
        5B0ABB03277D2FEB46FE7E8E22D6006063A5D3C3
  uid                      ktlint-test (Test signing of ktlint artifacts on local machine only) <ktlint-test@nowhere.com>
  sub   rsa4096 2023-10-08 [E]
  

• Execute all commands below in the same terminal

  export ORG_GRADLE_PROJECT_signingInMemoryKeyId="63A5D3C3" # Last 8 characters of full id of the public key generated by gpg command above
  export ORG_GRADLE_PROJECT_signingInMemoryKeyPassword="i-will-try-no-to-forget-this-passphrase"
  # Command below will export the armored GPG signing key and store it in an environment variable. Note that this command will ask for the password (see ORG_GRADLE_PROJECT_signingKeyPassword).
  export ORG_GRADLE_PROJECT_signingInMemoryKey="$(gpg --export-secret-keys --armor $ORG_GRADLE_PROJECT_signingInMemoryKeyId | tail -r | tail -n +3 | tail -r | tail -n +3 | tr -d '\n')"
  

• Execute the Gradle publication (this can not be combined with the export statements above because of the manual input of the passphrase)

  ./gradlew publishToMavenLocal