Maven GPG Plugin
  1. Maven GPG Plugin
  2. MGPG-31

Integrate w/ Maven password encryption to avoid need to type passphrase

    Details

    • Type: Improvement Improvement
    • Status: Open Open
    • Priority: Minor Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.1
    • Fix Version/s: None
    • Environment:
      JDK 6u21, Ubuntu, Maven 3.0 RC1
    • Number of attachments :
      0

      Description

      It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:

          [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
          GPG Passphrase: *
      

      I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?

      Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.

        Issue Links

          Activity

          Hide
          Jesse Glick added a comment -

          Seems that I can pass -Dgpg.passphrase=... on the command line, but this is not ideal either (passphrase visible to ps, command history, ...).

          Show
          Jesse Glick added a comment - Seems that I can pass -Dgpg.passphrase=... on the command line, but this is not ideal either (passphrase visible to ps, command history, ...).
          Hide
          Jesse Glick added a comment -

          Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add

                   <profile>
                      <id>gpg</id>
                      <activation>
                          <activeByDefault>true</activeByDefault>
                      </activation>
                      <properties>
                          <gpg.passphrase/>
                      </properties>
                  </profile>
          

          to settings.xml. But it would be nicer to have the Maven password encryption handle this.

          Show
          Jesse Glick added a comment - Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add <profile> <id>gpg</id> <activation> <activeByDefault>true</activeByDefault> </activation> <properties> <gpg.passphrase/> </properties> </profile> to settings.xml. But it would be nicer to have the Maven password encryption handle this.
          Hide
          Stephen Connolly added a comment -

          The correct way to handle this is to use an agent ideally integrated with the OS.

          However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk.

          If somebody has a patch with test cases...

          Show
          Stephen Connolly added a comment - The correct way to handle this is to use an agent ideally integrated with the OS. However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk. If somebody has a patch with test cases...
          Hide
          Jesse Glick added a comment -

          In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring.

          It is not clear that a fix is possible. SettingsDecryptionRequest hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy server entry with a magic id like gpg and no username.

          It also does not look like there is any way to override DefaultSettingsDecrypter e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.

          Show
          Jesse Glick added a comment - In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring. It is not clear that a fix is possible. SettingsDecryptionRequest hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy server entry with a magic id like gpg and no username . It also does not look like there is any way to override DefaultSettingsDecrypter e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.
          Hide
          SebbASF added a comment -

          On Windows at least, it's possible to use gpg-agent to prompt for the passphrase.
          It then caches it for a while.
          Signing is not generally something one needs to do every day, so IMO the overhead of providing the passphrase once in a session is worth the additional security.

          I think it's a mistake to allow other places where the passphrase can be saved, as it reduces the security.

          If a login password is compromised, it's quite easy to change the password.
          If a GPG passphrase is compromised, it's almost impossible to recover the situation, so much more care needs to be taken with the passphrase.

          Show
          SebbASF added a comment - On Windows at least, it's possible to use gpg-agent to prompt for the passphrase. It then caches it for a while. Signing is not generally something one needs to do every day, so IMO the overhead of providing the passphrase once in a session is worth the additional security. I think it's a mistake to allow other places where the passphrase can be saved, as it reduces the security. If a login password is compromised, it's quite easy to change the password. If a GPG passphrase is compromised, it's almost impossible to recover the situation, so much more care needs to be taken with the passphrase.

            People

            • Assignee:
              Unassigned
              Reporter:
              Jesse Glick
            • Votes:
              6 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated: