This is an automated email from the ASF dual-hosted git repository.
rjung pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new 48363e8f27 Add build property "gpg.sign.files".
48363e8f27 is described below
commit 48363e8f2794122f00f8f0fee92eafc385d29396
Author: Rainer Jung <[email protected]>
AuthorDate: Tue Jan 20 21:38:45 2026 +0100
Add build property "gpg.sign.files".
Refactor gpg init targets.
Add property gpg.sign.files to disable gpg artefact signing
(and only use it for release verification).
Clarify gpg notes in BUILDING.txt.
---
BUILDING.txt | 11 ++++++-----
build.properties.default | 2 ++
build.xml | 21 +++++++++++++--------
webapps/docs/changelog.xml | 4 ++++
4 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/BUILDING.txt b/BUILDING.txt
index 465ed6b39f..bea6253922 100644
--- a/BUILDING.txt
+++ b/BUILDING.txt
@@ -293,14 +293,15 @@ in build.xml and the default property values in
build.properties.default.
# Location of GPG executable (used only for releases)
gpg.exec=/path/to/gpg
- You do not need it if you do not plan to sign the release.
-
- If "gpg.exec" property does not point to an existing file, it will be
- ignored and this feature will be deactivated.
-
You will be prompted for the GPG passphrase when the release build
starts, unless "gpg.passphrase" property is set.
+ The ant target "verify-release" also uses the property "gpg.exec" to
+ call the GPG executable. If you want to use "verify-release" but you
+ do not want to sign the release artefacts, set "gpg.exec" and also
+ "gpg.sign.files=false".
+
+
3. If building the Windows installer on Windows
If running the build in a UAC enabled environment, building the Windows
diff --git a/build.properties.default b/build.properties.default
index 74c8835017..12c32f730f 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -102,6 +102,8 @@ openssl.ffm.3=-DNoop3
# ----- Release build settings -----
# Location of GPG executable
gpg.exec=/path/to/gpg
+# Release artefact signing with gpg
+gpg.sign.files=true
# Code signing of Windows installer
# See https://infra.apache.org/digicert-use.html for setup instructions
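Review bot: The comment added above `gpg.sign.files=true` does not say what each value does or how the switch relates to "gpg.exec". A comment such as `# Set to false to skip GPG signing of release artefacts; "gpg.exec" is then only used by the "verify-release" target` would match the new text in BUILDING.txt. It would also make clear that signing stays on by default and that turning it off is a deliberate choice.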
diff --git a/build.xml b/build.xml
index a5e8bf2298..9a666f4bbe 100644
--- a/build.xml
+++ b/build.xml
@@ -3153,26 +3153,31 @@ Configured for ${release.asfusername} to release Tomcat
${version.major}.${versi
</target>
<!-- Sets properties only required for releases -->
- <target name="release-init"
depends="release-version-check,gpg-init-1,gpg-init-2,gpg-init-3,compile" >
+ <target name="release-init"
depends="release-version-check,gpg-init-test-signing,compile" >
<taskdef name="forceUtcTimeZone"
classname="org.apache.tomcat.buildutil.ForceUtcTimeZone"
classpath="${tomcat.classes}" />
<forceUtcTimeZone />
</target>
- <target name="gpg-init-1">
+ <target name="gpg-init-available">
<available file="${gpg.exec}" property="gpg.exec.available"/>
</target>
- <target name="gpg-init-2" if="${gpg.exec.available}">
-<echo>gpg.exec.available=${gpg.exec.available}</echo>
-<echo>gpg.exec=${gpg.exec}</echo>
- <input addproperty="gpg.passphrase"><handler type="secure"/>Enter GPG
passphrase
-</input>
+ <target name="gpg-init-sign-files" depends="gpg-init-available"
if="${gpg.exec.available}">
+ <condition property="gpg.sign.files.available">
+ <istrue value="${gpg.sign.files}"/>
+ </condition>
+ </target>
+
+ <target name="gpg-init-passphrase" depends="gpg-init-sign-files"
if="${gpg.sign.files.available}">
+ <echo>gpg.exec.available=${gpg.exec.available}</echo>
+ <echo>gpg.exec=${gpg.exec}</echo>
+ <input addproperty="gpg.passphrase"><handler type="secure"/>Enter GPG
passphrase: </input>
</target>
<!-- Test GPG by signing build.xml as a sample file. -->
- <target name="gpg-init-3" if="gpg.passphrase">
+ <target name="gpg-init-test-signing" depends="gpg-init-passphrase"
if="gpg.passphrase">
<exec executable="${gpg.exec}"
inputstring="${gpg.passphrase}"
failonerror="true"
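Review bot: `gpg-init-test-signing` is still gated on `if="gpg.passphrase"`, so when "gpg.passphrase" is preset (BUILDING.txt allows this) the test signing runs even with `gpg.sign.files=false`, and also when "gpg.exec" does not point to an existing file. Gating it on the new flag instead, `if="${gpg.sign.files.available}"`, would make the switch authoritative here; any signing targets outside this hunk that key off "gpg.passphrase" presumably need the same check. Separately, a release build where "gpg.exec" is missing still skips signing without any message, and this commit removes the BUILDING.txt sentence that documented it, so an `<echo level="warning">` on that path would make an unsigned release visible in the build log. The `<exec>` element continues past the end of the hunk.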
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 500dcfa007..63e7cea834 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -267,6 +267,10 @@
<update>
Update Tomcat Native to 2.0.12. (markt)
</update>
+ <add>
+ Add property "gpg.sign.files" to optionally disable release artefact
+ signing with GPG. (rjung)
+ </add>
</changelog>
</subsection>
</section>