
Avoid gpg signing prompt when using Maven release plugin

I've got a Maven project that I'm trying to configure to use the Maven release plugin. Part of the release process is to use the Maven GPG Plugin to sign artifacts, which requires, among other things, the GPG signing key passphrase to succeed. Because these builds need to be runnable in a non-interactive environment (CI server), these params are passed in as arguments to Maven in the form of

-Dgpg.passphrase=XXX 

For snapshot builds everything works fine: the Maven GPG Plugin sees the passed-in passphrase, and artifacts are built, signed and deployed as expected. However, when I try to use the release plugin I get prompted for the GPG signing key password. I've read through several discussions on similar issues that stem from the release plugin forking another invocation of Maven which does not receive the passed-in params. The most popular fix seems to be to use the "arguments" parameter like this:

-Darguments="-Dgpg.passphrase=XXX" 

Supposedly this gets passed to the forked instance, but unfortunately for me it's not getting rid of the prompt.

Since signing artifacts is not an uncommon prerequisite for deploying release artifacts to public Maven repos, and presumably most entities producing those artifacts are using some form of CI, I can't imagine I'm the only person who has encountered this problem. Has anybody found a workaround?

A NOTE ABOUT THE ACCEPTED ANSWER:

The accepted solution will -not- work with Maven 3.0 - 3.0.3, and 3.0.3 just so happens to be what installs by default with Java on OS X Mountain Lion. You'll need to upgrade to 3.0.4.

Nick asked Jan 01 '13 21:01

2 Answers

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

As you can see, you can do that with any property, e.g. also other usernames and passwords for the jarsigner plugin and so on.

This should always be active. It might depend on using a newer Maven version, but you can always debug this with

mvn help:active-profiles 

Encrypting the password

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

Have a look at the mini guide Password Encryption for details.

Manfred Moser answered Oct 19 '22 17:10

Having your GPG pass phrase in a file in your home directory is absolutely horrible security.

Instead, use the gpg-agent, so you only need to enter your passphrase once per session. Once installed, you can set up your shell to do something like:

# Start the agent and load the environment variables it prints into this shell
eval $(gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info)
# Tell the passphrase prompt which terminal to use
export GPG_TTY=$(tty)
export GPG_AGENT_INFO

Then update your plugin to enable the agent. You can do this either in the pom, or a profile in your settings.xml may be better:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <configuration>
    <useAgent>true</useAgent>
  </configuration>
</plugin>

or it is probably better and more portable to do this in your settings:

<profile>
  <id>gpg-profile</id>
  <properties>
    <gpg.useagent>true</gpg.useagent>
  </properties>
</profile>

Then the first time in a session that the gpg passphrase is needed, a dialog is popped up. Every time after that, it uses the passphrase from the agent.

gregw answered Oct 19 '22 16:10
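
A check for the situation both answers discuss, a passphrase kept in settings.xml, as an added example (not code from either answer or from Maven): it lists `gpg.passphrase` properties and `<server>` passwords whose value is a literal rather than a brace-wrapped encrypted value or a `${...}` reference. The function names and the sample file are constructed for illustration, and the script does not verify that the consuming plugin can decrypt a brace-wrapped value.

```python
import re
import xml.etree.ElementTree as ET

# Maven wraps encrypted values in braces; ${...} references hold no literal secret.
NOT_LITERAL = re.compile(r"\{.+\}")
SECRET_PROPS = {"gpg.passphrase"}            # profile properties treated as secrets
SERVER_SECRETS = {"password", "passphrase"}  # secret-bearing children of <server>

def local(tag):
    """Drop the optional settings.xml namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]

def child_text(parent, name):
    """Text of the first direct child called `name`, or '?' if absent."""
    return next((c.text or "?" for c in parent if local(c.tag) == name), "?")

def is_cleartext(value):
    return bool(value and value.strip()) and not NOT_LITERAL.search(value)

def audit_settings(xml_text):
    """Return sorted (location, element) pairs for secrets stored in cleartext."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "profile":
            where = "profile:" + child_text(el, "id")
            secrets = [p for c in el if local(c.tag) == "properties"
                       for p in c if local(p.tag) in SECRET_PROPS]
        elif local(el.tag) == "server":
            where = "server:" + child_text(el, "id")
            secrets = [c for c in el if local(c.tag) in SERVER_SECRETS]
        else:
            continue
        findings += [(where, local(s.tag)) for s in secrets if is_cleartext(s.text)]
    return sorted(findings)

# Constructed sample: the profile from the first answer plus two made-up servers.
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>releases</id><password>{CONSTRUCTEDPLACEHOLDER=}</password></server>
    <server><id>snapshots</id><password>constructed-literal</password></server>
  </servers>
  <profiles>
    <profile><id>gpg</id><properties>
      <gpg.executable>gpg2</gpg.executable>
      <gpg.passphrase>mypassphrase</gpg.passphrase>
    </properties></profile></profiles>
</settings>"""

if __name__ == "__main__":
    print("\n".join(f"cleartext secret: {w} <{n}>" for w, n in audit_settings(SAMPLE)))
```

Run against a CI agent's own settings.xml by passing the file's contents to `audit_settings`; an empty list means no literal secret was found in the places it inspects.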