Friday, October 18, 2013

Signing maven releases with gpg while keeping your passphrase secure

On the road towards putting sample code into Maven Central I stumbled at GPG signatures of my artifacts. The problem was how to handle my passphrase.

The recommended solutions (one source of many) all had shortcomings:

  • Prompting for your passphrase is often unuseful and is broken when running maven in Cygwin.
  • Putting your passphrase on the command-line is visible to ps and is saved in history.
  • Putting your passphrase into {{settings.xml}} leaves it on disk.
  • Putting your passphrase on removable media and linking to it in {{settings.xml}} is awkward.
  • Using a gpg agent would be best, but I did get everything hooked up right; I should investigate further.
  • I will not even entertain removing the passphrase from my secrets just to satisfy maven.

A little think and some trial and error led me to:

  1. In pom.xml enable maven-pgp-plugin and configure maven-release-plugin:
  2. In settings.xml add a profile:
  3. Write a small helper shell script:
    read -er -p 'Passphrase: ' gpg_passphrase
    echo # Get back newline
    GPG_PASSPHRASE="$gpg_passphrase" exec "$@"

The key observation is that environment variables are private to the process, in memory and transient. I invoke thus:

$ ./rls mvn clean verify
[INFO] Scanning for projects...
Post a Comment