[ 
https://issues.apache.org/jira/browse/MGPG-108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17823868#comment-17823868
 ] 

ASF GitHub Bot commented on MGPG-108:
-------------------------------------

hboutemy commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1513878750


##########
src/site/apt/usage.apt.vm:
##########
@@ -60,27 +60,56 @@ Usage
 </project>
 +----------+
 
-  Then you specify the passphrase on the command line. Like this:
+  Ideally, if invoked in interactive session, you should rely on gpg-agent to
+  collect passphrase, as in that way no secrets will enter terminal history nor
+  any file on disk. In non-interactive (batch) sessions, you should provide
+  passphrases via environment variable (see goals).
+
+  <<Note:>> When using the GPG Plugin in combination with the Maven Release 
Plugin,
+  you should rely on environment variable, as Release plugin invokes build in 
batch
+  mode, hence Signer will not be able to use gpg-agent to collect passphrase.
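
Review bot: In the first added paragraph, "you should provide passphrases via environment variable (see goals)" does not name the variable or the goal parameter that configures it, so a reader of this usage page has to search the goal documentation to act on the advice; name it here or link to the specific parameter. The same paragraph gives the agent's benefit as "no secrets will enter terminal history nor any file on disk", but the batch guidance does not say how to set the variable without losing that property; add a sentence that it should be injected by the CI system's secret store rather than exported by hand or written into a script. In the Note, "Signer will not be able to use gpg-agent to collect passphrase" would be clearer if it said which step fails in batch mode (the interactive prompt), and the added text needs articles throughout ("the passphrase", "an environment variable", "the Release plugin").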

Review Comment:
   FTR, last references on release plugin interaction with gpg and agent:
   https://issues.apache.org/jira/browse/MRELEASE-1114
   in that issue, pin entry (requires stdin) is cited vs agent (which AFAIK should not need it)





> Update plugin site doco
> -----------------------
>
>                 Key: MGPG-108
>                 URL: https://issues.apache.org/jira/browse/MGPG-108
>             Project: Maven GPG Plugin
>          Issue Type: Task
>            Reporter: Tamas Cservenak
>            Assignee: Tamas Cservenak
>            Priority: Major
>             Fix For: 3.2.0
>
>
> Document the latest changes, update examples.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
