hboutemy commented on code in PR #77: URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1513632184
########## src/site/apt/usage.apt.vm: ########## @@ -60,27 +60,56 @@ Usage </project> +----------+ - Then you specify the passphrase on the command line. Like this: + Ideally, if invoked in interactive session, you should rely on gpg-agent to + collect passphrase, as in that way no secrets will enter terminal history nor + any file on disk. In non-interactive (batch) sessions, you should provide + passphrases via environment variable (see goals). + + <<Note:>> When using the GPG Plugin in combination with the Maven Release Plugin, + you should rely on environment variable, as Release plugin invokes build in batch + mode, hence Signer will not be able to use gpg-agent to collect passphrase.

Review Comment: This is what I seriously dislike, and it will cause much frustration against the release plugin: we need the agent if the release is launched in interactive mode. I understand that batch mode means no stdin, but many agents are not stdin but graphical, disconnected from stdin, aren't they?
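Review bot: The added sentence "you should provide passphrases via environment variable (see goals)" never names the variable or the goal parameter that reads it, so the one instruction batch users need is missing from this page; name it here or link the specific goal. In the added Note, "Release plugin invokes build in batch mode, hence Signer will not be able to use gpg-agent" is stated as a consequence without saying whether the Signer itself refuses the agent in batch mode or the agent simply cannot prompt; the documentation should say which, because the recommended setup differs. The first added paragraph explains that the agent keeps secrets out of terminal history and files on disk, and it would help to add the matching guidance for the environment variable, for example that it should be supplied by the CI secret store for the build step rather than exported from a shell profile.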