I'm trying to setup my Maven build so that it signs the JAR automatically without the need to manually enter the passphrase however no matter how I try to configure the maven-gpg-plugin
it either fails or always asks for the passphrase.
I've used this page as guidance on how to set up Maven settings.xml
:
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<profiles>
<profile>
<id>ossrh</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg2</gpg.executable>
<gpg.keyname>${env.GPG_KEY_NAME}</gpg.keyname>
<gpg.passphrase>${env.GPG_PASS_PHRASE}</gpg.passphrase>
</properties>
</profile>
</profiles>
<servers>
<server>
<id>ossrh</id>
<username>${env.OSSRH_JIRA_USERNAME}</username>
<password>${env.OSSRH_JIRA_PASSWORD}</password>
</server>
</servers>
</settings>
The environment variables above are set in the environment.
And the maven-gpg-plugin
configuration from this question I've tried to set-up the POM as follows:
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
<executions>
<execution>
<id>sign-artifacts</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
<configuration>
<gpgArguments>
<arg>--pinentry-mode</arg>
<arg>loopback</arg>
</gpgArguments>
</configuration>
</execution>
</executions>
</plugin>
But when I build I get the following error:
gpg: setting pinentry mode 'loopback' failed: Not supported
I've tried to add allow-loopback-pinentry
to gpg-agent.conf but the result is the same.
If I remove the <gpgArguments>
from the Maven plugin configuration then I get the pop-up asking for the passphrase.
I'm using gpg2 version 2.1.11
The issue occurs due to the fact I was attempting to use gpg2
instead of gpg
as I had assumed that gpg2
was better (without actually researching). The man page for gpg 2 states:
In contrast to the standalone command gpg from GnuPG 1.x, which is might be better suited for server and embedded platforms, the 2.x version is commonly installed under the name gpg2 and targeted to the desktop as it requires several other modules to be installed.
gpg2
is targeted at the desktop and hence I am assuming is 'hard-coded' to ask for the password and I should in fact be using gpg
.