Avoid gpg signing prompt when using Maven release plugin

Nick · Jan 1, 2013 · Viewed 9.5k times

I've got a Maven project that I'm trying to configure to use the Maven release plugin. Part of the release process is to use the Maven GPG Plugin to sign artifacts, which requires, among other things, the GPG signing key passphrase to succeed. Because these builds need to be runnable in a non-interactive environment (CI server), these params are passed in as arguments to Maven in the form of

-Dgpg.passphrase=XXX

For snapshot builds everything works fine; the Maven GPG Plugin sees the passed-in passphrase, and artifacts are built, signed and deployed as expected. However, when I try to use the release plugin, I get prompted for the GPG signing key password. I've read through several discussions on similar issues that stem from the release plugin forking another invocation of Maven which does not receive the passed-in params. The most popular fix seems to be to use the "arguments" parameter like this:

-Darguments="-Dgpg.passphrase=XXX"

Supposedly this gets passed to the forked instance, but unfortunately for me it's not getting rid of the prompt.

Since signing artifacts is not an uncommon prerequisite for deploying release artifacts to public Maven repos, and presumably most entities producing those artifacts are using some form of CI, I can't imagine I'm the only person who has encountered this problem. Has anybody found a workaround?

A NOTE ABOUT THE ACCEPTED ANSWER:

The accepted solution will -not- work with Maven 3.0 - 3.0.3, and 3.0.3 just so happens to be what installs by default with Java on OS X Mountain Lion. See here for the details. You'll need to upgrade to 3.0.4.

Answer

Manfred Moser · Jan 9, 2013

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

As you can see, you can do that with any property, e.g. also other usernames and passwords for the jarsigner plugin and so on.

This should always be active. It might depend on using a newer Maven version, but you can always debug this with

mvn help:active-profiles

Encrypting the password

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

Have a look at the mini guide Password Encryption for details.
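
The encrypted setup that the "Encrypting the password" section points to, as an added example that is not part of the original answer. It assumes a maven-gpg-plugin version that supports the `passphraseServerId` parameter (default server id `gpg.passphrase`); the encrypted values are placeholders for the output of `mvn --encrypt-master-password` (`-emp`) and `mvn --encrypt-password` (`-ep`). The passphrase moves out of the plain-text profile property into a `<servers>` entry, which is where Maven applies settings decryption.

```xml
<!-- File 1: ~/.m2/settings-security.xml
     Holds the master password, produced by: mvn -emp
     The value below is a placeholder, not real output. -->
<settingsSecurity>
  <master>{PLACEHOLDER_ENCRYPTED_MASTER_PASSWORD}</master>
</settingsSecurity>

<!-- File 2: ~/.m2/settings.xml
     Weak form (what the profile in the answer does): passphrase in clear text.
       <gpg.passphrase>mypassphrase</gpg.passphrase>
     Hardened form: an encrypted passphrase in a server entry, produced by: mvn -ep
     The server id gpg.passphrase is the plugin's default passphraseServerId. -->
<settings>
  <servers>
    <server>
      <id>gpg.passphrase</id>
      <passphrase>{PLACEHOLDER_ENCRYPTED_GPG_PASSPHRASE}</passphrase>
    </server>
  </servers>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <!-- no gpg.passphrase property here any more -->
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>
```

Anyone who can read both files can recover the passphrase, so restrict access to settings-security.xml on the CI host.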