Avoid gpg signing prompt when using Maven release plugin

Question

I've got a Maven project that I'm trying to configure to use the maven release plugin. Part of the release process is to use the Maven GPG Plugin to sign artifacts which requires among other things, the GPG signing key passphrase to succeed. Because these builds need to be runnable in a non interactive environment, (CI-Server) these params are passed in as arguments to maven in the form of

-Dgpg.passphrase=XXX

For snapshot builds everything works fine; the Maven GPG Plugin sees the passed in passphrase, artifacts are built, signed and deployed as expected, however, when I try to use the release plugin I get prompted for the gpg signing key password. I've read through several discussions on similar issues that stem from the release plugin forking another invocation of maven which does not receive the passed in params. The most popular fix seems to be to use the "arguments" parameter like this:

-Darguments="-Dgpg.passphrase=XXX"

Supposedly this gets passed to the forked instance but unfortunately for me it's not getting rid of the prompt.

Since signing artifacts is not an uncommon prerequisite for deploying release artifacts to public maven repos and presumably most entities producing those artifacts are using some form of CI I can't imagine I'm the only person who has encountered this problem. Has anybody found a workaround?

A NOTE ABOUT THE ACCEPTED ANSWER:

The accepted solution will -not- work with Maven 3.0 - 3.0.3 and 3.0.3 just so happens to be what installs by default with java on OSX Mountain Lion. See here for the details. You'll need to upgrade to 3.0.4.

Answer 1

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

As you can see you can do that with any property .. e.g. also other usernames and passwords for the jarsigner plugin and so on.

This should be always active. It might depend on using a newer Maven version but you can always debug this with

mvn help:active-profiles

Encrypting the password

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

Have a look at the mini guide Password Encryption for details.

Answer 2

Having your GPG pass phrase in a file in your home directory is absolutely horrible security.

Instead, use the gpg-agent, so you only need to enter your passphrase once per session. Once installed you can setup your shell to do something like:

eval $(gpg-agent --daemon --no-grab --write-env-file $HOME/.gpg-agent-info)
export GPG_TTY=$(tty)
export GPG_AGENT_INFO

then update your plugin to enable the agent. You can do this either in the pom, or in a profile in your settings.xml may be better:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <configuration>
    <useAgent>true</useAgent>
  </configuration>
</plugin>

or it is probably better and more portable to do this in your settings:

<profile>
  <id>gpg-profile</id>
  <properties>
    <gpg.useagent>true</gpg.useagent>
  </properties>
</profile>

Then the first time in a session that the gpg passphrase is needed, a dialog is popped up. Every time after that, it uses the passphrase from the agent.

Answer 3

If you don't want to have the password in clear text in your settings.xml and don't want to / can't use gpg-agent, you can setup password encryption.

You first need to setup a master password for maven (assuming maven 3.2.1+ otherwise you have to pass the password as an argument):

mvn -emp

This will return an encrypted version of the password. Store this password in ~/.m2/settings-security.xml – it should look like:

<settingsSecurity>
  <master>{inY3jdvspkeO2RUTxzQ4xHPelos+9EF1iFQyJQ=}</master>
</settingsSecurity>

Then encrypt the key password with:

mvn -ep

And use the generated encrypted password in settings.xml (the profile id needs to match the profile you use, here I have used release so you would need to run maven like mvn -P release release:prepare etc. - alternatively you can make it part of the active profiles as detailed in another answer):

<servers>
  <server>
    <id>gpg.passphrase</id>
    <passphrase>{inY3jdvspkeO2RUTxzQ4xHPelos}</passphrase>
  </server>
</servers>

<profiles>
  <profile>
    <id>release</id>
    <properties>
      <gpg.keyname>6DF60995</gpg.keyname>
    </properties>
  </profile>
</profiles>

Answer 4

GPG password in settings.xml is working solution, but it is open and this is bad. Alternative solution, I had used in my projects, is as follows:

stty -echo && printf "GPG password: " && read gpgPwd && printf '\n' && stty echo
mvn release:prepare -Darguments="-Dgpg.passphrase=$gpgPwd"
git push
git push --tags
mvn release:perform -Darguments="-Dgpg.passphrase=$gpgPwd"
unset gpgPwd

Additional required configurations:

export GPG_TTY=$(tty) (in the ~/.bash_profile)
maven-release-plugin/configuration/pushChanges=false (in the root pom.xml)