Prevent Passphrase request when signing JAR


I'm trying to set up my Maven build so that it signs the JAR automatically without the need to manually enter the passphrase. However, no matter how I try to configure the maven-gpg-plugin, it either fails or always asks for the passphrase.

I've used this page as guidance on how to set up Maven settings.xml:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <profiles>
        <profile>
            <id>ossrh</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.executable>gpg2</gpg.executable>
                <gpg.keyname>${env.GPG_KEY_NAME}</gpg.keyname>
                <gpg.passphrase>${env.GPG_PASS_PHRASE}</gpg.passphrase>
            </properties>
        </profile>
    </profiles>
    <servers>
        <server>
            <id>ossrh</id>
            <username>${env.OSSRH_JIRA_USERNAME}</username>
            <password>${env.OSSRH_JIRA_PASSWORD}</password>
        </server>
    </servers>
</settings>

The environment variables above are set in the environment.

Using the maven-gpg-plugin configuration from this question, I've tried to set up the POM as follows:

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
            <configuration>
                <gpgArguments>
                    <arg>--pinentry-mode</arg>
                    <arg>loopback</arg>
                </gpgArguments>
            </configuration>
        </execution>
    </executions>
</plugin>

But when I build I get the following error:

gpg: setting pinentry mode 'loopback' failed: Not supported

I've tried to add allow-loopback-pinentry to gpg-agent.conf but the result is the same. If I remove the <gpgArguments> from the Maven plugin configuration then I get the pop-up asking for the passphrase.

I'm using gpg2 version 2.1.11


0
D-Dᴙum On BEST ANSWER

The issue occurs due to the fact I was attempting to use gpg2 instead of gpg as I had assumed that gpg2 was better (without actually researching). The man page for gpg 2 states:

In contrast to the standalone command gpg from GnuPG 1.x, which is might be better suited for server and embedded platforms, the 2.x version is commonly installed under the name gpg2 and targeted to the desktop as it requires several other modules to be installed.

gpg2 is targeted at the desktop and hence I am assuming is 'hard-coded' to ask for the password and I should in fact be using gpg.

1
user944849 On

Plugin docs say default executable is gpg. If the profile isn't enabled, is it picking up your desired gpg2? useAgent == true is default, should be left that way for gpg2 per docs.

For using the agent, try configuring the executable right in the plugin instead of a profile.

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
            <configuration>
                <executable>gpg2</executable>
                <gpgArguments>
                    <arg>--pinentry-mode</arg>
                    <arg>loopback</arg>
                </gpgArguments>
            </configuration>
        </execution>
    </executions>
</plugin>

To do it without the agent, using the settings.xml file, try this (based on my reading of the goal and usage docs):

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
            <configuration>
                <executable>gpg2</executable>
                <keyname>${gpg.keyname}</keyname>
                <passphraseServerId>${gpg.keyname}</passphraseServerId>
            </configuration>
        </execution>
    </executions>
</plugin>

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
    <properties>
        <gpg.keyname>${env.GPG_KEY_NAME}</gpg.keyname>
    </properties>
    <servers>
        <server>
            <id>${env.GPG_KEY_NAME}</id>
            <passphrase>${env.GPG_PASS_PHRASE}</passphrase>
        </server>
    </servers>
</settings>

Note, I didn't use the profile as they suggested, because per Maven profile docs (emphasis mine):

will automatically be active for all builds unless another profile in the same POM is activated using one of the previously described methods. All profiles that are active by default are automatically deactivated when a profile in the POM is activated on the command line or through its activation config.

This caused me "fun" debug sessions, and I've seen it catch many other unsuspecting developers too.
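
Added example, not part of the question or either answer: a shell preflight for the setup in the question that classifies the output of `gpg2 --version` and checks whether `gpg-agent.conf` has an active `allow-loopback-pinentry` line before the build passes `--pinentry-mode loopback`. The function names and verdict strings are illustrative, and the config path assumes GnuPG's default home directory.

```shell
#!/bin/sh
# Added example. Preflight for unattended signing with gpg2 + maven-gpg-plugin.
# Function names and verdict strings are illustrative, not from the page.

# Print "major.minor" from the first line of `gpg --version` output,
# e.g. "gpg (GnuPG) 2.1.11" -> "2.1". Prints nothing if the line is unrecognised.
gpg_series() {
    printf '%s\n' "$1" |
        sed -n '1s/^gpg (GnuPG[^)]*) \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed only for GnuPG 2.1 or later, the releases that accept --pinentry-mode.
supports_pinentry_mode() {
    series=$(gpg_series "$1")
    [ -n "$series" ] || return 1
    major=${series%%.*}
    minor=${series#*.}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }
}

# Succeed if the agent config file has an active (uncommented)
# allow-loopback-pinentry line. A running agent must be restarted to read it
# (gpgconf --kill gpg-agent); this check looks at the file only.
agent_allows_loopback() {
    [ -r "$1" ] &&
        grep -Eq '^[[:space:]]*allow-loopback-pinentry[[:space:]]*$' "$1"
}

# $1 = `gpg --version` text, $2 = path to gpg-agent.conf
loopback_verdict() {
    if ! supports_pinentry_mode "$1"; then
        echo "no-pinentry-mode"       # drop <gpgArguments> for this binary
    elif agent_allows_loopback "$2"; then
        echo "option-line-present"
    else
        echo "option-line-absent"     # the agent may refuse loopback
    fi
}

# Stand-alone use: report on the local installation if gpg2 is on PATH.
if command -v gpg2 >/dev/null 2>&1; then
    loopback_verdict "$(gpg2 --version)" \
        "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
fi
```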