Maven 2.x and 3.x GPG Plugin

Integrate w/ Maven password encryption to avoid need to type passphrase

Details

  • Type: Improvement Improvement
  • Status: Open Open
  • Priority: Minor Minor
  • Resolution: Unresolved
  • Affects Version/s: 1.1
  • Fix Version/s: None
  • Environment:
    JDK 6u21, Ubuntu, Maven 3.0 RC1
  • Number of attachments :
    0

Description

It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:

    [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
    GPG Passphrase: *

I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?

Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.

Issue Links

relates to

New Feature - A new feature of the product, which has yet to be developed. MGPG-30 Support alternative location of secret keyring

  • Minor - Minor loss of function, or other problem where easy workaround is present.
  • Closed - The issue is considered finished, the resolution is correct. Issues which are not closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Jesse Glick added a comment -

Seems that I can pass -Dgpg.passphrase=... on the command line, but this is not ideal either (passphrase visible to ps, command history, ...).

Show
Jesse Glick added a comment - Seems that I can pass -Dgpg.passphrase=... on the command line, but this is not ideal either (passphrase visible to ps, command history, ...).
Hide
Permalink
Jesse Glick added a comment -

Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add

         <profile>
            <id>gpg</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.passphrase/>
            </properties>
        </profile>

to settings.xml. But it would be nicer to have the Maven password encryption handle this.

Show
Jesse Glick added a comment - Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add <profile> <id>gpg</id> <activation> <activeByDefault>true</activeByDefault> </activation> <properties> <gpg.passphrase/> </properties> </profile> to settings.xml. But it would be nicer to have the Maven password encryption handle this.
Hide
Permalink
Stephen Connolly added a comment -

The correct way to handle this is to use an agent ideally integrated with the OS.

However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk.

If somebody has a patch with test cases...

Show
Stephen Connolly added a comment - The correct way to handle this is to use an agent ideally integrated with the OS. However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk. If somebody has a patch with test cases...
Hide
Permalink
Jesse Glick added a comment -

In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring.

It is not clear that a fix is possible. SettingsDecryptionRequest hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy server entry with a magic id like gpg and no username.

It also does not look like there is any way to override DefaultSettingsDecrypter e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.

Show
Jesse Glick added a comment - In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring. It is not clear that a fix is possible. SettingsDecryptionRequest hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy server entry with a magic id like gpg and no username . It also does not look like there is any way to override DefaultSettingsDecrypter e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.

People

  • Assignee:
    Unassigned
    Reporter:
    Jesse Glick
Vote (3)
Watch (4)

Dates

  • Created:
    Updated: