[
https://issues.apache.org/jira/browse/MGPG-105?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17824479#comment-17824479
]
ASF GitHub Bot commented on MGPG-105:
-------------------------------------
gnodet commented on code in PR #77:
URL: https://github.com/apache/maven-gpg-plugin/pull/77#discussion_r1516523193
##########
src/main/java/org/apache/maven/plugins/gpg/AbstractGpgMojo.java:
##########
@@ -138,23 +144,22 @@ public abstract class AbstractGpgMojo extends
AbstractMojo {
private String keyname;
/**
- * GPG Signer only: Passes <code>--use-agent</code> or
<code>--no-use-agent</code> to gpg. If using an agent, the
- * passphrase is optional as the agent will provide it. For gpg2, specify
true as --no-use-agent was removed in
- * gpg2 and doesn't ask for a passphrase anymore. Deprecated, and better
to rely on session "interactive" setting
- * (if interactive, agent will be used, otherwise not).
- *
- * @deprecated
+ * All signers: whether gpg-agent is allowed to be used or not. If
enabled, passphrase is optional, as agent may
+ * provide it. Have to be noted, that in "batch" mode, gpg-agent will be
prevented to pop up pinentry
+ * dialogue, hence best is to "prime" the agent caches beforehand.
+ * <p>
+ * GPG Signer: Passes <code>--use-agent</code> or
<code>--no-use-agent</code> option to gpg if it is version 2.1
+ * or older. Otherwise, will use an agent. In non-interactive mode gpg
options are appended with
+ * <code>--pinentry-mode error</code>, preventing gpg agent to pop up
pinentry dialogue. Agent will be able to
+ * hand over only cached passwords.
+ * <p>
+ * BC Signer: Allows signer to communicate with gpg agent. In
non-interactive mode it uses
+ * <code>--no-ask</code> option with the <code>GET_PASSPHRASE</code>
function. Agent will be able to hand over
+ * only cached passwords.
*/
- @Deprecated
@Parameter(property = "gpg.useagent", defaultValue = "true")
private boolean useAgent;
- /**
- * Detect is session interactive or not.
- */
- @Parameter(defaultValue = "${settings.interactiveMode}", readonly = true)
- private boolean interactive;
Review Comment:
Ok, written like that, that clearly looks silly. I forgot that the settings
was the one holding this bit, I thought it was on session.
> Stop propagating bad practices; but allow for "compat mode"
> -----------------------------------------------------------
>
> Key: MGPG-105
> URL: https://issues.apache.org/jira/browse/MGPG-105
> Project: Maven GPG Plugin
> Issue Type: Improvement
> Reporter: Tamas Cservenak
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.2.0
>
>
> Storing any kind of "password-like" things on disk in files is bad (and no,
> SecDispatcher IS a joke).
> Passphrase should be acquired only by two means:
> * using gpg-agent (when on workstation locally) either to show pop up to ask
> for pw and just ask it non-interactively fow cached password
> * using env variables (when on CI where they are set up as "secrets") to go
> fully off gpg-agent,
> -Plugin should in fact FAIL to warn user about presence of any secrets in
> settings/properties/projects. That is wrong way.-
> This last stance has been softened (to provide full backward compatibility):
> by default, plugin goes into "compat mode", will not fail if those above
> violated. Still, introduced {{bestPractice}} configuration that IF set to
> {{true}} makes plugin safe, and will fail if these principles are violated.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
