[ https://issues.apache.org/jira/browse/MGPG-137?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17884224#comment-17884224 ]
Tamas Cservenak edited comment on MGPG-137 at 9/24/24 11:02 AM:
----------------------------------------------------------------

BC signer was basically added for CI use case, to solve the misery of signing (skip things like installation of gpg, then you need to add key to it, make passphrase in settings/properties, yada yada). BC does super simple "headless" signing (supply the signing key and passphrase as env variables! So both may be "secrets" in case of GH).

On the other hand, on dev workstations (like when we release ASF projects), signing should use existing GPG environment of user, that includes working GPG Agent as well, and Agent will be used to ask user for passphrase, in a secure manner. Again, no need to save to disk anything in this use case.

was (Author: cstamas):
BC signer was basically added for CI use case, to solve the misery of signing (skip things like installation of gpg, then you need to add key to it, make passphrase in settings/properties, yada yada). BC does super simple "headless" signing (supply the signing key and passphrase as env variables! So as "secrets" in case of GH).

On the other hand, on dev workstations (like when we release ASF projects), signing should use existing GPG environment of user, that includes working GPG Agent as well, and Agent will be used to ask user for passphrase, in a secure manner. Again, no need to save to disk anything in this use case.

> Un-deprecate passphraseServerId
> -------------------------------
>
> Key: MGPG-137
> URL: https://issues.apache.org/jira/browse/MGPG-137
> Project: Maven GPG Plugin
> Issue Type: Bug
> Affects Versions: 3.2.5
> Reporter: Lenny Primak
> Priority: Major
>
> IMHO this parameter has been deprecated in error.
> It is used to reference the "server" field in settings.xml, where
> passphrases are stored in an encrypted fashion. This is actually safer than
> setting clear-text passwords in environment variables in practice.
-- This message was sent by Atlassian Jira (v8.20.10#820010)