You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Jesse Glick (JIRA)" <ji...@codehaus.org> on 2010/09/22 19:12:32 UTC
[jira] Created: (MGPG-31) Integrate w/ Maven password encryption to
avoid need to type passphrase
Integrate w/ Maven password encryption to avoid need to type passphrase
-----------------------------------------------------------------------
Key: MGPG-31
URL: http://jira.codehaus.org/browse/MGPG-31
Project: Maven 2.x GPG Plugin
Issue Type: Improvement
Affects Versions: 1.1
Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
Reporter: Jesse Glick
Priority: Minor
It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
{noformat}
[INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
GPG Passphrase: *
{noformat}
I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MGPG-31) Integrate w/ Maven password encryption to
avoid need to type passphrase
Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Connolly updated MGPG-31:
---------------------------------
Labels: contributers-welcome (was: )
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: https://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Labels: contributers-welcome
> Fix For: 1.4
>
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (MGPG-31) Integrate w/ Maven password encryption
to avoid need to type passphrase
Posted by "Jesse Glick (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=237423#action_237423 ]
Jesse Glick commented on MGPG-31:
---------------------------------
Seems to work to use http://lists.gnupg.org/pipermail/gnupg-users/2003-April/017623.html to remove the passphrase from secring.gpg, move this file to an encrypted drive with a symlink from the original location, then add
{noformat}
<profile>
<id>gpg</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.passphrase/>
</properties>
</profile>
{noformat}
to settings.xml. But it would be nicer to have the Maven password encryption handle this.
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: http://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MGPG-31) Integrate w/ Maven password encryption to
avoid need to type passphrase
Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Connolly updated MGPG-31:
---------------------------------
Fix Version/s: (was: 1.4)
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: https://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Labels: contributers-welcome
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (MGPG-31) Integrate w/ Maven password encryption
to avoid need to type passphrase
Posted by "Jesse Glick (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=276722#comment-276722 ]
Jesse Glick commented on MGPG-31:
---------------------------------
In my setup the GPG passphrase is on a login-encrypted disk, just like the Maven master password. I would rather "use an agent integrated with the OS" for GPG as well as for all other purposes in Maven builds, but Maven does not currently integrate with the GNOME keyring.
It is not clear that a fix is possible. {{SettingsDecryptionRequest}} hardcodes servers and proxies; there is no extension point for other kinds of things that might need passwords (such as the GPG plugin). The only thing I can think of is to create a dummy {{server}} entry with a magic {{id}} like {{gpg}} and no {{username}}.
It also does not look like there is any way to override {{DefaultSettingsDecrypter}} e.g. in a build extension to do something like integrate with a desktop keyring; I have asked on the dev list before about injecting a higher-priority alternative to a standard service and been told it was not possible.
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: https://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x and 3.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Labels: contributers-welcome
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Commented: (MGPG-31) Integrate w/ Maven password encryption
to avoid need to type passphrase
Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
[ https://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=276634#comment-276634 ]
Stephen Connolly commented on MGPG-31:
--------------------------------------
The correct way to handle this is to use an agent ideally integrated with the OS.
However, I have seen enough people who don't take the security of their GPG keys religiously. So just because there are people who think that the right thing is never to leave your passphrase on any disk in a reversible encryption, does not mean that we cannot support those who feel comfortable with the (hopefully educated) risk.
If somebody has a patch with test cases...
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: https://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Labels: contributers-welcome
> Fix For: 1.4
>
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MGPG-31) Integrate w/ Maven password encryption to
avoid need to type passphrase
Posted by "Dennis Lundberg (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Dennis Lundberg updated MGPG-31:
--------------------------------
Fix Version/s: 1.3
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: http://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Fix For: 1.3
>
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] Updated: (MGPG-31) Integrate w/ Maven password encryption to
avoid need to type passphrase
Posted by "Stephen Connolly (JIRA)" <ji...@codehaus.org>.
[ http://jira.codehaus.org/browse/MGPG-31?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stephen Connolly updated MGPG-31:
---------------------------------
Fix Version/s: (was: 1.3)
1.4
> Integrate w/ Maven password encryption to avoid need to type passphrase
> -----------------------------------------------------------------------
>
> Key: MGPG-31
> URL: http://jira.codehaus.org/browse/MGPG-31
> Project: Maven 2.x GPG Plugin
> Issue Type: Improvement
> Affects Versions: 1.1
> Environment: JDK 6u21, Ubuntu, Maven 3.0 RC1
> Reporter: Jesse Glick
> Priority: Minor
> Fix For: 1.4
>
>
> It is cumbersome to be prompted for a passphrase during both release:prepare and release:perform:
> {noformat}
> [INFO] --- maven-gpg-plugin:1.1:sign (sign-artifacts) @ nbm-maven-plugin ---
> GPG Passphrase: *
> {noformat}
> I already use http://maven.apache.org/guides/mini/guide-encryption.html (with a master password on an Ubuntu encrypted filesystem) so why do I need to type this pass phrase each time too?
> Not clear to me whether MGPG-30 already permits this. In any event, the plugin documentation does not seem to mention this as a use case.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira