hboutemy commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1513878750


##########
src/site/apt/usage.apt.vm:
##########
@@ -60,27 +60,56 @@ Usage
 </project>
 +----------+
 
-  Then you specify the passphrase on the command line. Like this:
+  Ideally, if invoked in interactive session, you should rely on gpg-agent to
+  collect passphrase, as in that way no secrets will enter terminal history nor
+  any file on disk. In non-interactive (batch) sessions, you should provide
+  passphrases via environment variable (see goals).
+
+  <<Note:>> When using the GPG Plugin in combination with the Maven Release 
Plugin,
+  you should rely on environment variable, as Release plugin invokes build in 
batch
+  mode, hence Signer will not be able to use gpg-agent to collect passphrase.
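
Review bot: In the first added paragraph, "(see goals)" leaves the reader to work out which environment variable carries the passphrase; name the variable there or link to the goal parameter that documents it. In the Note, "Signer" is not introduced anywhere in the visible usage text, so "the plugin" would read more clearly, and "rely on environment variable" needs an article ("the environment variable").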

Review Comment:
   FTR, last references on release plugin interaction with gpg and agent:
   https://issues.apache.org/jira/browse/MRELEASE-1114
   in that issue, pin entry (requires stdin) is cited vs agent (which AFAIK should not need it)


