PROBLEM
Given the following Maven settings.xml:-
<?xml version="1.0"?>
<settings>
    <profiles>
        <profile>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.executable>/usr/local/bin/gpg</gpg.executable>
                <gpg.passphrase>XXXXXXXXXXXXXXXXXX</gpg.passphrase>
            </properties>
        </profile>
    </profiles>
</settings>
… and the following Maven GPG Plugin configuration in pom.xml:-
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
        </execution>
    </executions>
</plugin>
When running mvn clean deploy, you either get a prompt for you to enter the GPG passphrase:-
┌────────────────────────────────────────────────────────────────┐
│ Please enter the passphrase to unlock the OpenPGP secret key: │
│ "Shitty Author <[email protected]>" │
│ 2048-bit RSA key, ID 9F1A27DFE94D5473, │
│ created 2015-05-08. │
│ │
│ │
│ Passphrase: __________________________________________________ │
│ │
│ <OK> <Cancel> │
└────────────────────────────────────────────────────────────────┘
… or, get the following error:-
gpg: signing failed: No such file or directory
Long story short, the Maven GPG Plugin isn’t using the passphrase defined in the Maven settings.xml
… AND THIS UPSETS THE HONEY BADGER!
SOLUTION
If you 1) had it working in the past, and 2) have tried all sorts of solutions from the web and still can’t get it working, chances are you have unknowingly upgraded GPG from 2.0 to 2.1.
You can check your GPG version by running the following command:-
✗ gpg --version
gpg (GnuPG) 2.1.21
libgcrypt 1.7.6
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/shitty-author/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
To fix this, GPG 2.1 requires --pinentry-mode to be set to loopback in order to pick up the gpg.passphrase value defined in the Maven settings.xml.
So, update the Maven GPG Plugin configuration in pom.xml to the following:-
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>1.6</version>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
            <configuration>
                <gpgArguments>
                    <arg>--pinentry-mode</arg>
                    <arg>loopback</arg>
                </gpgArguments>
            </configuration>
        </execution>
    </executions>
</plugin>
When re-running mvn clean deploy, it should deploy the artifact properly now.
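To check which case a build machine falls into before editing pom.xml, the version line printed by gpg --version can be classified as below. This is an added example, not code from the original post: the function name and result labels are hypothetical, the sample lines are constructed, and the 2.1.12 cut-off for gpg-agent allowing loopback by default is taken from GnuPG's behaviour rather than from this page.

```shell
#!/bin/sh
# Added example. gpg_pinentry_advice "<first line of gpg --version>" prints:
#   classic         GnuPG 1.x / 2.0: the passphrase is accepted without --pinentry-mode
#   loopback+agent  GnuPG 2.1.0 to 2.1.11: loopback gpgArguments, plus
#                   allow-loopback-pinentry in gpg-agent.conf
#   loopback        GnuPG 2.1.12 or later: the loopback gpgArguments are enough
#   unknown         no version number found (exit status 1)
gpg_pinentry_advice() {
    ver=${1##* }                       # last field, e.g. "2.1.21"
    case $ver in
        [0-9]*.[0-9]*) ;;
        *) echo unknown; return 1 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    # Drop suffixes such as "-beta3" or a fourth version component.
    major=${major%%[!0-9]*}
    minor=${minor%%[!0-9]*}
    patch=${patch%%[!0-9]*}
    patch=${patch:-0}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unknown
        return 1
    fi
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -eq 0 ]; }; then
        echo classic
    elif [ "$major" -eq 2 ] && [ "$minor" -eq 1 ] && [ "$patch" -lt 12 ]; then
        echo loopback+agent
    else
        echo loopback
    fi
}

# Constructed sample version lines; the last one matches the output shown above.
for line in 'gpg (GnuPG) 2.0.30' 'gpg (GnuPG) 2.1.11' 'gpg (GnuPG) 2.1.21'; do
    printf '%s -> %s\n' "$line" "$(gpg_pinentry_advice "$line")"
done
```

On a real machine, call it as gpg_pinentry_advice "$(gpg --version | head -n 1)".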