kiwiproject / kiwi-parent

Parent POM for kiwi projects
MIT License

Figure out deployment using new GPG plugin version 3.2.0 #299

Closed by sleberknight 8 months ago

sleberknight commented 8 months ago

Initially I received a "bad passphrase" error and a warning that a secret was on disk. This is 100% not true as my settings.xml file contains this profile:

        <profile>
            <id>ossrh</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <gpg.executable>gpg</gpg.executable>
                <gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
            </properties>
        </profile>

Clearly the new version 3.2.0 thinks one thing but the reality is a bit different. ${env.GPG_PASSPHRASE} is clearly not an actual passphrase.

And their docs were not helpful.

References:

sleberknight commented 8 months ago

I did some local testing just doing mvn verify -Prelease to generate the artifacts and get the GPG plugin to sign them.

I was able to get it to work by:

  1. Removing <gpg.passphrase> from my settings.xml
  2. "Priming" the gpg agent as described in the plugin's usage documentation

Here is the relevant text from the usage page:

To prime gpg-agent caches, one can perform simple "sign" operation on workstation like this:

        echo "test" | gpg --clearsign

After doing this, the maven-gpg-plugin worked. So, even though this additional step is slightly annoying (especially since I never had an actual secret in settings.xml), it should be safe to update the GPG plugin now.

If interested, also see the gpg man page for a description of the --clearsign option.
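The two steps from the comment above can be scripted as a pre-flight before a local signed build. This is an added example, not part of the issue thread or the kiwi-parent project; the function names and the `--run` switch are hypothetical, and `~/.m2/settings.xml` is assumed as the location of the user settings file.

```shell
#!/bin/sh
# Added example: pre-flight for a locally signed build, following the two
# steps described in the comment. All function names are hypothetical.

# Step 1 check: returns 0 if the settings file still declares a
# <gpg.passphrase> property, printing the matching lines with line numbers.
has_gpg_passphrase_property() {
    settings_file=$1
    [ -f "$settings_file" ] || return 1
    # Drop single-line XML comments so commented-out entries are ignored.
    sed 's/<!--.*-->//' "$settings_file" | grep -n '<gpg\.passphrase>'
}

# Step 2: prime gpg-agent with the sign operation quoted from the usage page.
# gpg asks for the key passphrase interactively; the agent then caches it.
prime_gpg_agent() {
    echo "test" | gpg --clearsign >/dev/null
}

# Run both steps, then the build command used in the comment.
# Return codes: 2 = property still present, 3 = gpg could not sign.
release_preflight() {
    settings_file=${1:-"$HOME/.m2/settings.xml"}   # assumed default location
    if has_gpg_passphrase_property "$settings_file" >&2; then
        echo "remove <gpg.passphrase> from $settings_file first" >&2
        return 2
    fi
    if ! prime_gpg_agent; then
        echo "gpg could not sign; agent not primed" >&2
        return 3
    fi
    mvn verify -Prelease
}

# Only act when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--run" ]; then
    release_preflight "${2:-}"
fi
```

Invoke it as `sh preflight.sh --run` from the project directory, where `preflight.sh` is whatever name the script is saved under.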