Maven GPG Plugin (moved to ASF): MGPG-31

Integrate w/ Maven password encryption to avoid need to type passphrase

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 1.1
    • Fix Version/s: 1.6
    • Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
    • Number of attachments: 0

      Description

      It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:

          [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
          GPG Passphrase: *

      I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem), so why do I need to type this passphrase each time too?

      Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.

          Activity

          Jesse Glick added a comment -

          Seems that I can pass -Dgpg.passphrase=... on the command line, but this is not ideal either (passphrase visible to ps, command history, ...).

          Jesse Glick added a comment -

          Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add

          <profile>
              <id>gpg</id>
              <activation>
                  <activeByDefault>true</activeByDefault>
              </activation>
              <properties>
                  <gpg.passphrase/>
              </properties>
          </profile>

          to settings.xml. But it would be nicer to have the Maven password encryption handle this.

          Stephen Connolly added a comment -

          The correct way to handle this is to use an agent ideally integrated with the OS.

          However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk.

          If somebody has a patch with test cases...

          Jesse Glick added a comment -

          In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring.

          It is not clear that a fix is possible. SettingsDecryptionRequest hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy server entry with a magic id like gpg and no username.

          It also does not look like there is any way to override DefaultSettingsDecrypter e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.

          SebbASF added a comment -

          On Windows at least, it's possible to use gpg-agent to prompt for the passphrase.
          It then caches it for a while.
          Signing is not generally something one needs to do every day, so IMO the overhead of providing the passphrase once in a session is worth the additional security.

          I think it's a mistake to allow other places where the passphrase can be saved, as it reduces the security.

          If a login password is compromised, it's quite easy to change the password.
          If a GPG passphrase is compromised, it's almost impossible to recover the situation, so much more care needs to be taken with the passphrase.

          Dan Tran added a comment -

          I am going to add the option to auto look up the passphrase under settings.xml when the gpg passphrase is not configured

          <server>
              <id>gpg.passphase</id>
              <passphrase>clear or maven encrypted text</passphrase>
          </server>

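          The settings.xml lookup described in the comment above, written out as an added example (not the plugin's own code): the mojo first honours an explicit gpg.passphrase property, otherwise reads the `<server>` entry and runs it through Maven's SettingsDecrypter, so a value produced by `mvn --encrypt-password` is decrypted in memory with the master password from settings-security.xml. The class name PassphraseLookupMojo, the parameter passphraseServerId and its default id gpg.passphrase are assumptions.

```java
import org.apache.maven.plugin.AbstractMojo;
import org.apache.maven.plugin.MojoExecutionException;
import org.apache.maven.plugins.annotations.Component;
import org.apache.maven.plugins.annotations.Parameter;
import org.apache.maven.settings.Server;
import org.apache.maven.settings.Settings;
import org.apache.maven.settings.building.SettingsProblem;
import org.apache.maven.settings.crypto.DefaultSettingsDecryptionRequest;
import org.apache.maven.settings.crypto.SettingsDecrypter;
import org.apache.maven.settings.crypto.SettingsDecryptionResult;

/** Illustrative mojo fragment (hypothetical class): resolves the GPG passphrase. */
public abstract class PassphraseLookupMojo extends AbstractMojo {

    /** Explicit passphrase (e.g. -Dgpg.passphrase=...); wins over settings.xml when set. */
    @Parameter(property = "gpg.passphrase")
    private String passphrase;

    /** Id of the settings.xml server entry holding the passphrase (assumed parameter/default). */
    @Parameter(property = "gpg.passphraseServerId", defaultValue = "gpg.passphrase")
    private String passphraseServerId;

    /** Effective settings, already merged from the global and user settings.xml. */
    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
    private Settings settings;

    /** Maven's decrypter; uses the master password in ~/.m2/settings-security.xml. */
    @Component
    private SettingsDecrypter settingsDecrypter;

    protected String resolvePassphrase() throws MojoExecutionException {
        if (passphrase != null) {
            return passphrase;
        }
        Server server = settings.getServer(passphraseServerId);
        if (server == null || server.getPassphrase() == null) {
            return null; // nothing stored: caller falls back to prompting or gpg-agent
        }
        // Decrypts {...} values; clear-text values pass through unchanged.
        SettingsDecryptionResult result =
            settingsDecrypter.decrypt(new DefaultSettingsDecryptionRequest(server));
        for (SettingsProblem problem : result.getProblems()) {
            getLog().warn("settings.xml: " + problem.getMessage());
        }
        // The plaintext exists only in memory for this build; nothing is written back to disk.
        return result.getServer().getPassphrase();
    }
}
```

          A problem reported by the decrypter (wrong or missing master password) leaves the value undecrypted, which is why the loop logs it rather than silently passing the ciphertext on to gpg.
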
          Dan Tran added a comment -

          fixed at

          Revision: 1647942
          Author: dantran
          Date: Friday, December 26, 2014 12:20:15 AM
          Message:
          MGPG-31 Add ability to store passphase under settings.xml in clear or encrypted text
          Modified : /maven/plugins/trunk/maven-gpg-plugin/pom.xml
          Modified : /maven/plugins/trunk/maven-gpg-plugin/src/it/settings.xml
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/it/sign-with-passphase-from-maven-settings
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/it/sign-with-passphase-from-maven-settings/invoker.properties
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/it/sign-with-passphase-from-maven-settings/pom.xml
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/it/sign-with-passphase-from-maven-settings/verify.bsh
          Modified : /maven/plugins/trunk/maven-gpg-plugin/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/main/resources
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/main/resources/META-INF
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/main/resources/META-INF/plexus
          Added : /maven/plugins/trunk/maven-gpg-plugin/src/main/resources/META-INF/plexus/components.xml
          Modified : /maven/plugins/trunk/maven-gpg-plugin/src/site/apt/usage.apt.vm


            People

            • Assignee: Dan Tran
            • Reporter: Jesse Glick
            • Votes: 6
            • Watchers: 8