[
https://issues.apache.org/jira/browse/MGPG-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823802#comment-17823802
]
ASF GitHub Bot commented on MGPG-108:
-------------------------------------
hboutemy commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1513632184
##########
src/site/apt/usage.apt.vm:
##########
@@ -60,27 +60,56 @@ Usage
</project>
+----------+
- Then you specify the passphrase on the command line. Like this:
+ Ideally, if invoked in interactive session, you should rely on gpg-agent to
+ collect passphrase, as in that way no secrets will enter terminal history nor
+ any file on disk. In non-interactive (batch) sessions, you should provide
+ passphrases via environment variable (see goals).
+
+ <<Note:>> When using the GPG Plugin in combination with the Maven Release
Plugin,
+ you should rely on environment variable, as Release plugin invokes build in
batch
+ mode, hence Signer will not be able to use gpg-agent to collect passphrase.
Review Comment:
this is what I seriously dislike and will cause much frustration against
release plugin: we need the agent if the release is launched in interactive mode
I understand that batch mode means no stdin: but many agents are not stdin
but graphical, disconnected from stdin, isn't it?
> Update plugin site doco
> -----------------------
>
> Key: MGPG-108
> URL: https://issues.apache.org/jira/browse/MGPG-108
> Project: Maven GPG Plugin
> Issue Type: Task
> Reporter: Tamas Cservenak
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.2.0
>
>
> Document the latest changes, update examples.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
