I am using Apache Maven GPG Plugin maven-gpg-plugin to generate the required signatures to publish in Maven Central through OSSRH. My plug-in definition at pom.xml is the one below, my OSSRH credentials are at Maven conf/settings.xml and everything works fine. But when another developer tries to mvn install it fails for him because he does not have GPG installed. I want to avoid the need of having GPG installed except for the developer doing the deployment, possibly by ignoring maven-gpg-plugin errors during build or by any other means so that I do not need to have two pom.xml one with the plug-in and another without it.
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <version>1.6</version>
  <executions>
    <execution>
      <id>sign-artifacts</id>
      <phase>verify</phase>
      <goals>
        <goal>sign</goal>
      </goals>
      <configuration>
        <keyname>${gpg.keyname}</keyname>
        <passphraseServerId>${gpg.passphrase}</passphraseServerId>
      </configuration>
    </execution>
  </executions>
</plugin>
You can add a profile to your pom and define the execution of the maven-gpg-plugin within it:
<project>
  ...
  <profiles>
    <profile>
      <id>sign</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.apache.maven.plugins</groupId>
            <artifactId>maven-gpg-plugin</artifactId>
            <version>1.6</version>
            <executions>
              <execution>
                <id>sign-artifacts</id>
                <phase>verify</phase>
                <goals>
                  <goal>sign</goal>
                </goals>
                <configuration>
                  <keyname>${gpg.keyname}</keyname>
                  <passphraseServerId>${gpg.passphrase}</passphraseServerId>
                </configuration>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>
  </profiles>
</project>
This plugin will then only be added to the build process if the profile is active. You can activate the profile by calling Maven like this:
mvn install -P sign
In addition to activating a profile manually, profiles can also be activated automatically based on conditions such as the existence of an environment variable or a specific file. You can find more information on this in the Maven introduction on profiles.
In your case one option might be to enable the profile if a GPG-specific file is found:
<profile>
  <id>sign</id>
  <activation>
    <file>
      <exists>${user.home}/.gnupg/secring.gpg</exists>
    </file>
  </activation>
  ...
</profile>
I did not test the code above and the actual file which you need to check for might differ depending on the version of GPG you are using and your system environment.
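The answer above mentions activation by environment variable but only shows the file-based form. As an added example (not part of the original answer), the profile below binds signing to an explicit opt-in, so a developer who merely has a GnuPG keyring on disk does not start signing with whatever key is there; the variable name GPG_KEYNAME is an assumption chosen for illustration.

```xml
<!-- Added example: profile bound to an environment variable.
     GPG_KEYNAME is a variable name assumed for illustration. -->
<profile>
  <id>sign</id>
  <activation>
    <property>
      <!-- env.X refers to environment variable X; with no <value>,
           the profile is active whenever the variable is set -->
      <name>env.GPG_KEYNAME</name>
    </property>
  </activation>
  <properties>
    <!-- feed the variable into the property the plugin config reads -->
    <gpg.keyname>${env.GPG_KEYNAME}</gpg.keyname>
  </properties>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.6</version>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
            <configuration>
              <keyname>${gpg.keyname}</keyname>
              <passphraseServerId>${gpg.passphrase}</passphraseServerId>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</profile>
```

With this profile, a plain `mvn install` never binds the plugin, while the releasing developer sets GPG_KEYNAME in the shell before running the same command. Maven normalizes environment variable names to upper case on Windows, so keep the name upper case in the pom.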