Releasing

At the moment, this process releases only the sigstore-java library.

Creating a release

Use the GitHub action "Tag and Build Release" with the version (e.g. 0.5.3) to create a new release on GitHub. It will

  • tag main (or a branch) with v0.5.3
  • create a new release named v0.5.3 containing
    • all sigstore-java artifacts
    • a SLSA attestation for the release build

Reverting a failed release (GitHub only)

If a release build fails for any reason, or the resulting artifacts are not as expected, you must clean up any tags or releases created during the action:

  1. Delete the release from Releases
  2. Delete the tag from Tags

Building a release bundle for Maven Central

The local release script requires you to have cosign and gpg installed. It

  • downloads the latest release from GitHub (e.g. v0.5.3)
  • signs all artifacts (except the SLSA attestation) with cosign
  • signs everything with gpg to satisfy Maven Central
  • bundles all the files into sigstore-java-0.5.3-bundle.jar

$ cd ./scripts
$ ./sign_and_bundle_release.sh
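Because the upload that follows cannot be reverted, it is worth inspecting the generated bundle locally before touching Sonatype. The script below is an added example, not part of sigstore-java or its release scripts. It assumes the bundle jar is a flat zip whose entries are named `sigstore-java-<version>...` with detached ASCII-armored gpg signatures stored as `<file>.asc` (the layout Sonatype's artifact bundle upload expects), and applies the Maven Central requirements that a pom, main jar, sources jar and javadoc jar are all present and all signed. It also flags signatures without an artifact, signature files that are not PGP-armored, and leftovers from another version. The sample bundle it builds is constructed in memory; its signature bodies are placeholders, not real signatures.

```python
import io
import re
import zipfile

# Header line that a detached ASCII-armored gpg signature (gpg --armor --detach-sign) starts with.
PGP_ARMOR_HEADER = b"-----BEGIN PGP SIGNATURE-----"

# Maven Central requires these four artifacts, each with a detached .asc signature.
REQUIRED_SUFFIXES = (".pom", ".jar", "-sources.jar", "-javadoc.jar")


def make_bundle(files):
    """Build an in-memory bundle jar (a flat zip, as Sonatype's artifact bundle upload
    expects) from a {entry name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def check_bundle(bundle_bytes, artifact_id, version):
    """Return a list of problems found in the bundle; an empty list means every check passed."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(bundle_bytes)) as zf:
        entries = {info.filename: zf.read(info.filename) for info in zf.infolist()}
    base = f"{artifact_id}-{version}"

    # Required artifacts, and a gpg signature next to each of them.
    for suffix in REQUIRED_SUFFIXES:
        required = base + suffix
        if required not in entries:
            problems.append(f"missing artifact: {required}")
        elif required + ".asc" not in entries:
            problems.append(f"missing gpg signature: {required}.asc")

    # Version prefix such as "sigstore-java-0.5.3" (pre-release suffixes are not handled here).
    version_pattern = re.compile(re.escape(artifact_id) + r"-(\d+(?:\.\d+)*)")
    for name in sorted(entries):
        if name.endswith(".asc"):
            if name[:-4] not in entries:
                problems.append(f"signature without artifact: {name}")
            if not entries[name].startswith(PGP_ARMOR_HEADER):
                problems.append(f"not an ASCII-armored PGP signature: {name}")
        else:
            match = version_pattern.match(name)
            if match and match.group(1) != version:
                problems.append(f"stray artifact from another version: {name}")
    return problems


def sample_bundle(drop=(), extra=None):
    """Construct a sample bundle for sigstore-java 0.5.3 (constructed test data, not real
    release output). `drop` removes entries, `extra` adds or overrides them."""
    fake_sig = PGP_ARMOR_HEADER + b"\n\nplaceholder\n-----END PGP SIGNATURE-----\n"
    files = {}
    for suffix in REQUIRED_SUFFIXES:
        name = "sigstore-java-0.5.3" + suffix
        files[name] = b"<constructed artifact bytes>"
        files[name + ".asc"] = fake_sig
    for name in drop:
        files.pop(name, None)
    if extra:
        files.update(extra)
    return make_bundle(files)


if __name__ == "__main__":
    # Point check_bundle at the real bundle bytes (open("sigstore-java-0.5.3-bundle.jar", "rb"))
    # to run it on an actual release; the sample bundle here passes cleanly.
    for line in check_bundle(sample_bundle(), "sigstore-java", "0.5.3") or ["bundle OK"]:
        print(line)
```

The check is deliberately structural: it confirms the files Sonatype will look for are there and signed, but it does not verify the signatures themselves. Run `gpg --verify <file>.asc <file>` (and cosign verification for the cosign signatures) on the extracted bundle for that.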

Releasing to Maven Central

Releasing to Maven Central is a permanent action; it cannot be reverted.

Upload the bundle:

  1. Log into Sonatype (s01)
  2. Click "Staging Upload" on the left navbar
  3. Set "Upload Mode" to "Artifact Bundle"
  4. Then select sigstore-java-0.5.3-bundle.jar that was generated by sign_and_bundle_release.sh
  5. Click "Upload Bundle"

Release the bundle:

  1. Click "Staging Repositories" on the left navbar
  2. Select your artifact and ensure all checks have passed
  3. Click "release"
  4. If checks are failing, "drop" the bundle and fix the release process before trying again.