[ https://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=326674#comment-326674 ]

SebbASF commented on MGPG-31:
-----------------------------

On Windows at least, it's possible to use gpg-agent to prompt for the 
passphrase. 
It then caches it for a while. 
Signing is not generally something one needs to do every day, so IMO the 
overhead of providing the passphrase once in a session is worth the additional 
security.

I think it's a mistake to allow other places where the passphrase can be saved, 
as it reduces the security.

If a login password is compromised, it's quite easy to change the password.
If a GPG passphrase is compromised, it's almost impossible to recover the 
situation, so much more care needs to be taken with the passphrase.
                
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
>                 Key: MGPG-31
>                 URL: https://jira.codehaus.org/browse/MGPG-31
>             Project: Maven 2.x and 3.x GPG Plugin
>          Issue Type: Improvement
>    Affects Versions: 1.1
>         Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
>            Reporter: Jesse Glick
>            Priority: Minor
>              Labels: contributers-welcome
>
> It is cumbersome to be prompted for a passphrase during both release:prepare 
> and release:perform:
> {noformat}
>     [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
>     GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with 
> a master password on an Ubuntu encrypted filesystem) so why do I need to type 
> this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the 
> plugin documentation does not seem to mention this as a use case.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
