How to get the gpg-agent to ask for the password when used in maven-gpg-plugin


I have several projects where I want to sign the resulting artifacts with a gpg key. In the past I used gpg 1.x (i.e. the old one) and in this setup I had the password encrypted (but usable) in the ~/.m2/settings-security.xml.

I do not like that (but at the time I wrote that it was the setup I managed to get running).

I recently started to see if I could get it all running without storing the passwords. So now in the ~/.m2/settings.xml I have something like this (this profile is active):

<profile>
  <id>signingkey</id>
  <properties>
    <gpg.executable>gpg2</gpg.executable>
    <gpg.keyname>ABCDEF01</gpg.keyname>
  </properties>
</profile>

In the pom.xml I have the maven-gpg-plugin with this basic config

<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-gpg-plugin</artifactId>
      <version>1.6</version>
      <executions>
        <execution>
          <id>sign-artifacts</id>
          <phase>verify</phase>
          <goals>
            <goal>sign</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>

Now when I do this on my Ubuntu 16.04 system the gpg-agent (part of gpg2) and the gnome-keyring-daemon remember the password after the first use.

So on this system I am normally in the situation that I already have the gpg-agent running, and as such when I do mvn clean verify my project signs the artifacts without asking any questions because the password is available in the gpg-agent.

So far so good.

To ensure I have a perfectly clean build of the software (and for some projects also to ensure all the tools are installed correctly) I frequently build/deploy the software from a separate docker environment.

In such a 'very clean' docker environment there is no gpg-agent at startup and I have found that simply running mvn clean verify will yield a build that is not signed because I get

You need a passphrase to unlock the secret key for
user: "Niels Basjes (Software Signing Key) <[email protected]>"
...
gpg: cancelled by user

As far as I can tell this is because I should have entered the password but no prompt was provided.

At this point I have only found one workaround and that is to do something like gpg2 --sign pom.xml before building the software because that starts the gpg-agent AND shows me a dialog to enter the password.

What I would like is to change my setup in such a way that I can simply do mvn verify and the first sign attempt will popup the password dialog for me and cache the password in the gpg-agent.

Essentially my question is how to do this; or better: What is the proper way to set this up?

You can use the following configuration:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
            <configuration>
                <executable>gpg2</executable>
                <gpgArguments>
                    <arg>--pinentry-mode</arg>
                    <arg>loopback</arg>
                </gpgArguments>
                <passphrase>${gpg.passphrase}</passphrase>
            </configuration>
        </execution>
    </executions>
</plugin>

Place your gpg password inside your settings.xml file within a profile, and build with that profile. The property name is fixed and can't be changed. You can also use the property gpg.executable to set the executable that way as well.

<properties>
    <gpg.passphrase>MySpecialPassword</gpg.passphrase>
</properties>
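An added example, not code from the question or the answer: the priming step the question describes as a workaround, written as a small POSIX shell wrapper to run before Maven. It asks gpg-agent whether the signing key's passphrase is already cached and, if not, triggers a single pinentry prompt, so the sign goal then finds the passphrase in the agent and nothing is written to settings.xml. gpg-connect-agent, the KEYINFO reply layout and the --with-colons field positions are GnuPG 2.x conventions; the key ID ABCDEF01 is the question's placeholder.

```shell
#!/bin/sh
# Added example, not code from the question or answer: prime gpg-agent's
# passphrase cache through pinentry before Maven runs, so maven-gpg-plugin's
# sign goal finds it cached instead of failing with "gpg: cancelled by user",
# and no passphrase is written to settings.xml. Assumes GnuPG 2.x on PATH.
set -eu

# Parse `gpg --with-colons --with-keygrip -K` output (stdin) and print the
# keygrip of the first key or subkey with signing capability: "sec"/"ssb"
# records carry the capability letters in field 12, the "grp" record that
# follows carries the keygrip in field 10.
keygrip_from_colons() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" { want = index($12, "s") > 0 }
    $1 == "grp" && want        { print $10; exit }
  '
}

signing_keygrip() {
  gpg --batch --with-colons --with-keygrip -K "$1" | keygrip_from_colons
}

# Parse a gpg-connect-agent KEYINFO reply (stdin) and print "cached" or
# "uncached". Reply format:
#   S KEYINFO <grip> <type> <serialno> <idstr> <cached> <protection> ...
# where <cached> is "1" when the passphrase is in the agent's cache.
keyinfo_cached() {
  awk '$1 == "S" && $2 == "KEYINFO" {
         if ($7 == "1") print "cached"; else print "uncached"; exit }'
}

agent_has_passphrase() {
  [ "$(gpg-connect-agent "KEYINFO $1" /bye | keyinfo_cached)" = "cached" ]
}

# Start the agent if needed and, unless the passphrase is already cached,
# sign a throwaway input so pinentry prompts once; gpg-agent then keeps the
# passphrase for its default-cache-ttl and the Maven build needs no prompt.
prime_agent() {
  grip=$(signing_keygrip "$1")
  if agent_has_passphrase "$grip"; then
    echo "passphrase for key $1 already cached in gpg-agent"
  else
    echo "priming gpg-agent for key $1 (pinentry will ask once)"
    printf 'prime\n' | gpg --local-user "$1" --armor --detach-sign >/dev/null
  fi
}
# Usage: ./prime-gpg-agent.sh ABCDEF01 && mvn clean verify
if [ $# -gt 0 ]; then prime_agent "$1"; fi
```

In the docker setup from the question, running this once per container session replaces the manual gpg2 --sign pom.xml step; the agent's cache TTL, not a file, then decides how long the passphrase stays available.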