使用Maven版本插件时避免gpg签名提示 [英] Avoid gpg signing prompt when using Maven release plugin

问题描述

我有一个要配置为使用Maven版本插件的Maven项目.发行过程的一部分是使用Maven GPG插件对工件进行签名，这需要GPG签名密钥密码短语才能成功.由于这些构建需要在非交互式环境中可运行，因此(CI-Server)这些参数以

I've got a Maven project that I'm trying to configure to use the maven release plugin. Part of the release process is to use the Maven GPG Plugin to sign artifacts which requires among other things, the GPG signing key passphrase to succeed. Because these builds need to be runnable in a non interactive environment, (CI-Server) these params are passed in as arguments to maven in the form of

-Dgpg.passphrase=XXX

对于快照构建，一切正常. Maven GPG插件看到了传入的密码，按预期方式构建，签名和部署了构件，但是，当我尝试使用发布插件时，系统提示您输入gpg签名密钥密码.我已经通读了关于类似问题的一些讨论，这些讨论源于发行插件，该分支派生了另一个Maven调用，该调用未收到传入的params.最受欢迎的修复方法似乎是使用"arguments"参数，如下所示:

For snapshot builds everything works fine; the Maven GPG Plugin sees the passed in passphrase, artifacts are built, signed and deployed as expected, however, when I try to use the release plugin I get prompted for the gpg signing key password. I've read through several discussions on similar issues that stem from the release plugin forking another invocation of maven which does not receive the passed in params. The most popular fix seems to be to use the "arguments" parameter like this:

-Darguments="-Dgpg.passphrase=XXX"

应该将其传递给派生实例，但不幸的是，这并没有消除提示.

Supposedly this gets passed to the forked instance but unfortunately for me it's not getting rid of the prompt.

因为签署构件不是将发布构件部署到公共Maven仓库的不常见先决条件，并且大概大多数产生这些构件的实体都使用某种形式的CI，所以我无法想象我是唯一遇到此问题的人.有人找到解决方法了吗?

Since signing artifacts is not an uncommon prerequisite for deploying release artifacts to public maven repos and presumably most entities producing those artifacts are using some form of CI I can't imagine I'm the only person who has encountered this problem. Has anybody found a workaround?

关于接受的答案的提示:

可接受的解决方案将不适用于Maven 3.0-3.0.3和3.0.3，恰好是在OSX Mountain Lion上默认情况下随Java一起安装的. 请参阅此处以了解详细信息.您需要升级到3.0.4.

The accepted solution will -not- work with Maven 3.0 - 3.0.3 and 3.0.3 just so happens to be what installs by default with java on OSX Mountain Lion. See here for the details. You'll need to upgrade to 3.0.4.

推荐答案

只需在settings.xml的配置文件中对其进行设置，并默认将其激活:

Just set it up in a profile in settings.xml and activate it by default:

<settings>
  <profiles>
    <profile>
      <id>gpg</id>
      <properties>
        <gpg.executable>gpg2</gpg.executable>
        <gpg.passphrase>mypassphrase</gpg.passphrase>
      </properties>
    </profile>
  </profiles>
  <activeProfiles>
    <activeProfile>gpg</activeProfile>
  </activeProfiles>
</settings>

如您所见，您可以使用任何属性来执行此操作.例如还有jarsigner插件的其他用户名和密码，等等.

As you can see you can do that with any property .. e.g. also other usernames and passwords for the jarsigner plugin and so on.

这应该一直处于活动状态.这可能取决于使用较新的Maven版本，但是您始终可以使用以下方法进行调试

This should be always active. It might depend on using a newer Maven version but you can always debug this with

mvn help:active-profiles

加密密码

评论和其他答案指出，将密码保存在文件中并不安全...在一定程度上是正确的，但是幸运的是，Maven通过创建一个主密码然后加密所有密码来使我们非常安全.密码在settings.xml中.

The comments and other answers are pointing out that keeping passwords in a file is not secure... This is true to an extent, but luckily Maven allows us to make this very secure by creating one master password and then encrypting all the passwords in settings.xml with it.

有关详细信息，请参阅迷你指南密码加密.

Have a look at the mini guide Password Encryption for details.

这篇关于使用Maven版本插件时避免gpg签名提示的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！