I have several projects where I want to sign the resulting artifacts with a gpg key. In the past I used gpg 1.x (i.e. the old one) and in this setup I had the password encrypted (but usable) in the ~/.m2/settings-security.xml
.
I do not like that (but at the time I wrote that it was the setup I managed to get running).
I recently started to see if I could get it all running without storing the passwords. So now in the ~/.m2/settings.xml
I have something like this (this profile is active):
<profile>
<id>signingkey</id>
<properties>
<gpg.executable>gpg2</gpg.executable>
<gpg.keyname>ABCDEF01</gpg.keyname>
</properties>
</profile>
In the pom.xml I have the maven-gpg-plugin with this basic config
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
Now when I do this on my Ubuntu 16.04 system the gpg-agent (part of gpg2) and the gnome-keyring-daemon remember the password after the first use.
So on this system I am normally in the situation that I already have the gpg-agent running and as such when I do mvn clean verify
in my project signs the artifacts without asking any questions because the password is available in the gpg-agent.
So far so good.
To ensure I have perfectly clean build of the software (and for some projects also to ensure all the tools are installed correctly) I frequently build/deploy the software from a separate docker environment.
In such a 'very clean' docker environment there is no gpg-agent at startup and I have found that simply running mvn clean verify
will yield a build that is not signed because I get
You need a passphrase to unlock the secret key for
user: "Niels Basjes (Software Signing Key) <[email protected]>"
...
gpg: cancelled by user
As far as I can tell because I should have entered the password but no prompt was provided.
At this point I have only found one workaround and that is to do something like gpg2 --sign pom.xml
before building the software because that starts the gpg-agent AND shows me a dialog to enter the password.
What I would like is to change my setup in such a way that I can simply do mvn verify
and the first sign attempt will popup the password dialog for me and cache the password in the gpg-agent.
Essentially my question is how to do this; or better: What is the proper way to set this up?
You can use the following configuration :
Place your gpg password inside your settings.xml file with a profile, and build with the profile. The property name is fixed, and can't be changed. You can also use property gpg.executable to set the executable that way as well