How to select the GnuPG key that the maven-gpg-plugin uses to sign artifacts?

随声附和 submitted on 2019-12-30 09:46:26

Question


I am using the maven-gpg-plugin to sign the maven artifacts. This works fine, but I have several keys in my GnuPG keyring and want to use a different one than the one GnuPG selects.

  1. How does GnuPG select the "default" key if there are several ones?

  2. Is there a possibility to specify the key to be used in the maven-gpg-plugin configuration? It seems that keyname doesn't work (I assume it selects the keyring, but not a specific key).


Answer 1:


How does GPG select the "default" key if there are several ones?

GnuPG by default chooses the first key in the secret keyring, if not defined otherwise (for example, using the default-key option). From man gpg:

--default-key name

    Use name as the default key to sign with. If this option is not used,
    the default key is the first key found in the secret keyring. Note 
    that -u or --local-user overrides this option. 

Is there a possibility to specify the key to be used in the maven-gpg-plugin configuration? It seems that "keyname" doesn't work (I assume it selects the keyring, but not a specific key).

If you do not want to have GnuPG decide automatically which key to use, <keyname>[keyname]</keyname> selects the key to be used. I expect this is passed as the local-key option, so it should support short and long key IDs, fingerprints and user IDs. The GnuPG manual contains a list of ways to specify keys.

Most manuals describing how to specify keys here use the short key ID, which I strongly recommend not doing because of collision attacks; use the whole fingerprint instead.

There are further options to change the selection of keys. Refer to the Maven GnuPG plugin manual for more details on the individual options:

  • Selecting a dedicated keyring using secretKeyring
  • Selecting a dedicated GnuPG home directory using homedir
  • Passing the local-user option to GnuPG using gpgArguments
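
An added example, not part of the original answer: a Python sketch that reads `gpg --list-secret-keys --with-colons` output, shows which key comes first in the secret keyring, and resolves a selector to one full fingerprint to put in keyname, refusing short key IDs and ambiguous matches. The sample keyring, fingerprints and function names are constructed for illustration.

```python
import re
# Constructed sample: two primary keys sharing the short ID DEADBEEF, plus one
# subkey, in simplified `gpg --list-secret-keys --with-colons` form.
FPR_A = "A1B2C3D4E5F60718293A4B5C" + "1111AAAA" + "DEADBEEF"
FPR_B = "0F1E2D3C4B5A69788796A5B4" + "2222BBBB" + "DEADBEEF"
FPR_SUB = "5" * 40
SAMPLE = f"""\
sec:u:4096:1:{FPR_A[-16:]}:1500000000:::u:::scESC:
fpr:::::::::{FPR_A}:
uid:u::::1500000000::::Alice Example <alice@example.org>:
ssb:u:4096:1:{FPR_SUB[-16:]}:1500000000::::::e:
fpr:::::::::{FPR_SUB}:
sec:u:4096:1:{FPR_B[-16:]}:1600000000:::u:::scESC:
fpr:::::::::{FPR_B}:
uid:u::::1600000000::::Release Signing <release@example.org>:
"""

def secret_keys(colon_output):
    """Return [(fingerprint, [user IDs])] of primary keys in keyring order."""
    keys, primary = [], False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            primary = f[0] == "sec"
            if primary:
                keys.append(["", []])
        elif f[0] == "fpr" and primary:  # skip subkey fingerprints
            keys[-1][0] = f[9].upper()
        elif f[0] == "uid" and keys:
            keys[-1][1].append(f[9])
    return [(fp, uids) for fp, uids in keys]

def short_id_collisions(keys):
    """Return {short ID: [fingerprints]} for short IDs naming several keys."""
    seen = {}
    for fp, _ in keys:
        seen.setdefault(fp[-8:], []).append(fp)
    return {sid: fps for sid, fps in seen.items() if len(fps) > 1}

def resolve_keyname(selector, keys):
    """Map a long key ID, fingerprint or user ID to one full fingerprint."""
    sel = re.sub(r"^0X", "", selector.replace(" ", "").upper())
    if re.fullmatch(r"[0-9A-F]{8}", sel):
        raise ValueError("short key ID refused: 32-bit IDs can collide")
    if re.fullmatch(r"[0-9A-F]{16}|[0-9A-F]{40}", sel):
        hits = [fp for fp, _ in keys if fp.endswith(sel)]
    else:  # anything else is matched as a user ID substring
        hits = [fp for fp, u in keys if any(selector.lower() in x.lower() for x in u)]
    if len(hits) != 1:
        raise ValueError(f"{len(hits)} keys match {selector!r}; need exactly one")
    return hits[0]
```

In this sample `secret_keys(SAMPLE)[0]` is the key the man page excerpt calls the default, and `resolve_keyname("release@example.org", ...)` returns the 40-character fingerprint of the second key.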


Source: https://stackoverflow.com/questions/32372363/how-to-select-the-gnupg-key-that-the-maven-gpg-plugin-uses-to-sign-artifacts
