You need a project, a GitHub repository, and releases done with GitHub Actions. You also need a sigstore plugin that supports your build system. Here we show how to do it with maven and sigstore-maven-plugin.
Add a plugin to your pom.xml. If you have a different build system, you can find the appropriate plugin here: https://docs.sigstore.dev/language_clients/language_client_overview/.
<properties>
<sigstore.skip>true</sigstore.skip>
</properties>
<build>
<plugins>
<plugin>
<groupId>dev.sigstore</groupId>
<artifactId>sigstore-maven-plugin</artifactId>
<version>1.3.0</version>
<configuration>
<skip>${sigstore.skip}</skip>
</configuration>
<executions>
<execution>
<id>sign</id>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
This will create a <filename>.sigstore.json with the attestation during the sign build step. We add the optional property sigstore.skip to make the default to not sign (for easier local development). Signing is then enabled during deployment builds using the maven argument: -Dsigstore.skip=false.
(GitHub) Add the id-token permission to your release job in GitHub Actions.
jobs:
build:
name: Build and release
permissions:
id-token: write
[...]
This enables OIDC authentication for the release job, which is required for signing artifacts with sigstore. For additional details, see the documentation for sigstore-maven-plugin.
(Maven Central) JReleaser automatically uploads the <filename>.sigstore.json files to Maven Central.
Make a release :) The final result looks like this on Maven Central: https://repo1.maven.org/maven2/io/github/chains-project/maven-lockfile/5.8.2/.