Avoid gpg signing prompt when using Maven release plugin

maven code-signing maven-release-plugin gnupg
Nick picture Nick · Jan 1, 2013 · Viewed 9.5k times · Source

I've got a Maven project that I'm trying to configure to use the maven release plugin. Part of the release process is to use the Maven GPG Plugin to sign artifacts which requires among other things, the GPG signing key passphrase to succeed. Because these builds need to be runnable in a non interactive environment, (CI-Server) these params are passed in as arguments to maven in the form of 

-Dgpg.passphrase=XXX

For snapshot builds everything works fine; the Maven GPG Plugin sees the passed in passphrase, artifacts are built, signed and deployed as expected, however, when I try to use the release plugin I get prompted for the gpg signing key password. I've read through several discussions on similar issues that stem from the release plugin forking another invocation of maven which does not receive the passed in params. The most popular fix seems to be to use the "arguments" parameter like this:

-Darguments="-Dgpg.passphrase=XXX"

Supposedly this gets passed to the forked instance but unfortunately for me it's not getting rid of the prompt.

Since signing artifacts is not an uncommon prerequisite for deploying release artifacts to public maven repos and presumably most entities producing those artifacts are using some form of CI I can't imagine I'm the only person who has encountered this problem. Has anybody found a workaround?

A NOTE ABOUT THE ACCEPTED ANSWER:

The accepted solution will -not- work with Maven 3.0 - 3.0.3 and 3.0.3 just so happens to be what installs by default with java on OSX Mountain Lion. See here for the details. You'll need to upgrade to 3.0.4.

Answer

Manfred Moser picture Manfred Moser · Jan 9, 2013

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

As you can see you can do that with any property .. e.g. also other usernames and passwords for the jarsigner plugin and so on.

This should be always active. It might depend on using a newer Maven version but you can always debug this with

mvn help:active-profiles

Encrypting the password

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

Have a look at the mini guide Password Encryption for details.

Related questions

No compiler is provided in this environment. Perhaps you are running on a JRE rather than a JDK?

I'm compiling a project in Eclipse using m2eclipse. I set the JDK path in Eclipse like this: Windows-->preferences-->installed jres--> jdk1.7.xx path But this is showing an error [ERROR] COMPILATION ERROR : [INFO] ------------------------------------------------------------- [ERROR] …

Read More
How to solve "Plugin execution not covered by lifecycle configuration" for Spring Data Maven Builds

I am trying to work with Spring Data and Neo4j. I started by trying to follow this guide linked to by the main site. In particular I based my pom.xml off of the "Hello, World!" example file. Here …

Read More
How to add local jar files to a Maven project?

How do I add local jar files (not yet part of the Maven repository) directly in my project's library sources?

Read More