Avoid gpg signing prompt when using Maven release plugin

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

As you can see, you can do that with any property, e.g. also other usernames and passwords for the jarsigner plugin and so on.

This should be always active. It might depend on using a newer Maven version but you can always debug this with

mvn help:active-profiles

Encrypting the password

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

Have a look at the mini guide Password Encryption for details.


If you don't want to have the password in clear text in your settings.xml and don't want to / can't use gpg-agent, you can set up password encryption.

You first need to set up a master password for Maven (assuming Maven 3.2.1+; otherwise you have to pass the password as an argument):

mvn -emp

This will return an encrypted version of the password. Store this password in ~/.m2/settings-security.xml – it should look like:

<settingsSecurity>
  <master>{inY3jdvspkeO2RUTxzQ4xHPelos+9EF1iFQyJQ=}</master>
</settingsSecurity>

Then encrypt the key password with:

mvn -ep

And use the generated encrypted password in settings.xml (the profile id needs to match the profile you use; here I have used release, so you would need to run Maven like mvn -P release release:prepare etc. Alternatively, you can make it part of the active profiles as detailed in another answer):

<servers>
  <server>
    <id>gpg.passphrase</id>
    <passphrase>{inY3jdvspkeO2RUTxzQ4xHPelos}</passphrase>
  </server>
</servers>

<profiles>
  <profile>
    <id>release</id>
    <properties>
      <gpg.keyname>6DF60995</gpg.keyname>
    </properties>
  </profile>
</profiles>
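
An added example, not part of any answer on this page: a Python check that flags a cleartext gpg.passphrase property (the first layout above) or a server password/passphrase that is not in the {...} form produced by mvn -ep (the second layout). The function names, the sample documents and the {...} heuristic are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

ENCRYPTED = re.compile(r"\{[^{}]+\}")      # output of mvn -ep is wrapped in {...}
REFERENCE = re.compile(r"^\$\{[^{}]+\}$")  # e.g. ${env.GPG_PASSPHRASE}, not a literal secret

# Constructed samples modelled on the two settings.xml layouts shown above.
PLAINTEXT_SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles><profile><id>gpg</id><properties>
    <gpg.executable>gpg2</gpg.executable>
    <gpg.passphrase>mypassphrase</gpg.passphrase>
  </properties></profile></profiles>
</settings>"""
ENCRYPTED_SAMPLE = """<settings>
  <servers><server>
    <id>gpg.passphrase</id>
    <passphrase>{CONSTRUCTED-ENCRYPTED-VALUE=}</passphrase>
  </server></servers>
</settings>"""

def local(tag):
    """Drop an XML namespace prefix such as {http://maven.apache.org/SETTINGS/1.0.0}."""
    return tag.rsplit("}", 1)[-1]

def find_cleartext_secrets(settings_xml):
    """Return (location, field) pairs for secrets stored as literal text."""
    findings = []
    for el in ET.fromstring(settings_xml).iter():
        name = local(el.tag)
        if name == "properties":
            # Any literal gpg.passphrase property is a finding, whatever its form.
            for prop in el:
                value = (prop.text or "").strip()
                if local(prop.tag) == "gpg.passphrase" and value and not REFERENCE.match(value):
                    findings.append(("property", "gpg.passphrase"))
        elif name == "server":
            fields = {local(c.tag): (c.text or "").strip() for c in el}
            for key in sorted({"password", "passphrase"} & fields.keys()):
                value = fields[key]
                if value and not REFERENCE.match(value) and not ENCRYPTED.search(value):
                    findings.append(("server:" + fields.get("id", "?"), key))
    return findings

if __name__ == "__main__":
    for label, doc in (("plaintext", PLAINTEXT_SAMPLE), ("encrypted", ENCRYPTED_SAMPLE)):
        print(label, find_cleartext_secrets(doc))
```

To check a real file, pass the contents of ~/.m2/settings.xml to find_cleartext_secrets; an empty list means no literal secret was found in the fields it inspects.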

Having your GPG passphrase in a file in your home directory is absolutely horrible security.

Instead, use the gpg-agent, so you only need to enter your passphrase once per session. Once installed, you can set up your shell to do something like:

eval $(gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info)
export GPG_TTY=$(tty)
export GPG_AGENT_INFO

Then update your plugin to enable the agent. You can do this either in the pom or, perhaps better, in a profile in your settings.xml:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <configuration>
    <useAgent>true</useAgent>
  </configuration>
</plugin>

or it is probably better and more portable to do this in your settings:

<profile>
  <id>gpg-profile</id>
  <properties>
    <gpg.useagent>true</gpg.useagent>
  </properties>
</profile>

Then the first time in a session that the gpg passphrase is needed, a dialog is popped up. Every time after that, it uses the passphrase from the agent.