I've seen "Avoid gpg signing prompt when using Maven release plugin", but it's for a very old version of Maven, and I'm using 3.2.2, so the same solution doesn't apply.
Basically, no matter what combination of properties on the command line, properties in the pom.xml, or environment variables I use, I cannot get the maven gpg plugin to avoid popping up the agent dialog.
We've decided for security reasons to not include the passphrase in plain text in the settings.xml, because that's a terrible idea. And using the encrypted maven stuff just moves the master key to a different plain text file.
Software Versions:
$ gpg --version
gpg (GnuPG) 2.1.2
libgcrypt 1.6.2
$ mvn --version
Apache Maven 3.2.2 (45f7c06d68e745d05611f7fd14efb6594181933e; 2014-06-17T08:51:42-05:00)
I have tried
mvn -Dgpg.passphrase='lolpassphrase'
Using the properties in the pom.xml to get it from the environment:
    <properties>
        <gpg.keyname>E7C89BBB</gpg.keyname>
        <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
    </properties>
and then:
GPG_PASSPHRASE='lolpassphrase' mvn install
EDIT: Apparently my gpg agent was getting in the way and lying to me; the GPG agent will still prompt me if I set the actual passphrase in the pom.xml properties :(
    <properties>
        <gpg.keyname>E7C89BBB</gpg.keyname>
        <gpg.passphrase><![CDATA[lolcomplicatedpassphrase]]></gpg.passphrase>
    </properties>
There has to be a way to do this without keeping the password in plain text somewhere, but I'm unable to use the right googles to find this answer, hoping you guys can help me out.
EDIT: this solution only works on gnupg 2.1.x. 2.0.x doesn't recognize the --pinentry-mode command line parameter and it blows up. Unfortunately, in the mavens there's no way that I know of, besides a second profile, to have it do the right thing per which version of gnupg. It would probably need an update to the plugin to do it the "right" way.
Jeez, I just figured this out: you must specify a pair of arguments to gpg to change its pinentry-mode to 'loopback'. Once you've done this, it will honor the gpg.passphrase value, either from an environment variable or from a user property. Wow, that was obscure.
    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
            <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                    <goal>sign</goal>
                </goals>
                <configuration>
                    <!-- This is necessary for gpg to not try to use the pinentry programs -->
                    <gpgArguments>
                        <arg>--pinentry-mode</arg>
                        <arg>loopback</arg>
                    </gpgArguments>
                </configuration>
            </execution>
        </executions>
    </plugin>
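The "second profile" workaround mentioned in the answer above can be driven by a small wrapper that inspects the local gpg version. This is an added example, not part of the original posts; the profile names `gpg-loopback` and `gpg-legacy` are hypothetical, and it assumes the pom reads the passphrase from `${env.GPG_PASSPHRASE}` as in the question.

```shell
#!/bin/sh
# Added example: choose a Maven profile according to whether the local gpg
# understands --pinentry-mode (GnuPG 2.1 and later, per the answer above).

# Print "yes" if the given `gpg --version` banner is GnuPG >= 2.1, else "no".
gpg_supports_loopback() {
    # Banner looks like "gpg (GnuPG) 2.1.2"; the version is the last field.
    ver=$(printf '%s\n' "$1" | awk 'NR==1 {print $NF}')
    case "$ver" in
        *.*) ;;
        *) echo no; return 0 ;;          # no dotted version found
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}              # drop suffixes such as "1-beta"
    case "$major.$minor" in
        *[!0-9.]*|.*|*.) echo no; return 0 ;;   # unparseable: treat as old gpg
    esac
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Map a version banner to a profile name (both names are hypothetical).
# gpg-loopback would carry the <gpgArguments> block; gpg-legacy would omit it.
select_gpg_profile() {
    if [ "$(gpg_supports_loopback "$1")" = yes ]; then
        echo gpg-loopback
    else
        echo gpg-legacy
    fi
}

# Run the build. The passphrase stays in the environment and is never placed
# on the mvn command line, where it would show up in the process list.
run_signed_build() {
    : "${GPG_PASSPHRASE:?set GPG_PASSPHRASE in the environment}"
    banner=$(gpg --version | head -n 1)
    mvn -P"$(select_gpg_profile "$banner")" "$@"
}
```

Call it as `run_signed_build install` after sourcing the file, with `GPG_PASSPHRASE` exported by the CI secret store or the calling shell.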
You can use the plugin https://www.simplify4u.org/sign-maven-plugin/, which doesn't use gpg for signing, so you don't need complicated configuration for providing the passphrase as an environment variable.
sign-maven-plugin supports all configuration items as environment variables.