如何选择maven-gpg-plugin用于签署工件的GnuPG密钥？ [英] How to select the GnuPG key that the maven-gpg-plugin uses to sign artifacts?

问题描述

我正在使用maven-gpg-plugin来签署maven工件。这很好用，但是我的GnuPG密钥环中有几个键，想要使用与GnuPG选择不同的键。

I am using the maven-gpg-plugin to sign the maven artifacts. This works fine, but I have several keys in my GnuPG keyring and want to use a different one than the one GnuPG selects.

1. 如果有几个键，GnuPG如何选择默认键？

1. How does GnuPG select the "default" key if there are several ones?

是否有可能指定maven-gpg中使用的键-plugin配置？似乎 keyname 不起作用（我假设它选择了密钥环，但没有选择特定的密钥）。

Is there a possibility to specify the key to be used in the maven-gpg-plugin configuration? It seems that keyname doesn't work (I assume it selects the keyring, but not a specific key).

推荐答案

如果有多个密钥，GPG如何选择默认密钥？

How does GPG select the "default" key if there are several ones?

GnuPG默认选择密钥密钥环中的第一个密钥，如果没有另外定义（例如，使用 default-key 选项）。从 man gpg ：

GnuPG by default chooses the first key in the secret keyring, if not defined otherwise (for example, using the default-key option). From man gpg:

--default-key name

    Use name as the default key to sign with. If this option is not used,
    the default key is the first key found in the secret keyring. Note 
    that -u or --local-user overrides this option. 

是否有可能指定要在maven中使用的密钥-gpg-plugin配置？似乎keyname不起作用（我假设它选择了密钥环，但不是特定的密钥）。

Is there a possibility to specify the key to be used in the maven-gpg-plugin configuration? It seems that "keyname" doesn't work (I assume it selects the keyring, but not a specific key).

如果你不希望让GnuPG自动决定使用哪个密钥，< keyname> [keyname]< / keyname> 选择要使用的密钥。我希望它作为 local-key 选项传递，因此它应该支持短和长密钥ID，指纹和用户ID。 GnuPG手册包含指定密钥的方法列表。

If you do not want to have GnuPG decide automatically which key to use, <keyname>[keyname]</keyname> selects to key to be used. I expect this is passed as the local-key option, so it should support short and long key IDs, fingerprints and user IDs. The GnuPG manual contains a list of ways to specify keys.

大多数描述如何指定密钥的手册都使用短密钥ID，我强烈建议不要这样做因为碰撞攻击，而是使用整个指纹。

Most manuals describing how to specify keys here use the short key ID, which I strongly recommend not to do so because of collision attacks, and using the whole fingerprint instead.

还有其他选项可以更改键的选择。有关更多详细信息，请参阅 Maven GnuPG插件手册关于个别选项：

There are further options to change the selection of keys. Refer to the Maven GnuPG plugin manual for more details on the individual options:

• 使用 secretKeyring


• 选择使用 的专用GnuPG主目录homedir


• 使用 local-user 选项传递给GnuPG https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#gpgArgumentsrel =nofollow noreferrer> gpgArguments

• Selecting a dedicated keyring using secretKeyring
• Selecting a dedicated GnuPG home directory using homedir
• Passing the local-user option to GnuPG using gpgArguments

这篇关于如何选择maven-gpg-plugin用于签署工件的GnuPG密钥？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！