Posted to dev@uima.apache.org by Marshall Schor <ms...@schor.com> on 2010/06/07 17:52:41 UTC

using gpg signing with the release plugin - keeping your passphrase out of files

The release plugin uses gpg to generate signatures.

It runs maven while doing its work, as a "forked" process, but there is
a bug in the way it does this, which is that maven is run in
"interactive" mode, but there is no "console" attached to the forked
process.

If you leave the gpg.passphrase property out of your settings file,
then the gpg plugin will ask for your passphrase; normally that works,
but in this case, because no console is attached, it hangs.

The first fix that worked was to supply the gpg.passphrase in the
settings file.  This is a security exposure (if you forget to delete it
out of your file, etc.).

A better way (found via googling) is to set
<gpg.useagent>true</gpg.useagent> and then run with an agent.  To do
this, you need a recent version of gpg (I found 1.4.10 doesn't work, but
the 2.0.14 version does).  Only the 2.x versions of GPG come with the
gpg-agent code.

The way the agent works is:
1) the base gpg is passed a flag to use the agent
2) the base gpg looks in an environment variable to find out info it
needs to connect to the agent process
3) the base gpg connects, and the agent then pops up a dialog to the
user to enter the passphrase
4) from then on, things work without further user interaction.

I got a Windows version from the main gpg site, ->
http://www.gpg4win.org/download.html

Then, to use, I started the agent in a command window of its own, and
then things worked.

-Marshall
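
The settings-file exposure described in the message can be checked for mechanically. The following is an added example, not part of the original post: a small Python audit of a Maven settings.xml that flags a stored gpg.passphrase and a profile that has not switched to gpg.useagent. The sample files, the profile id "release-signing" and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample settings.xml content (not from the original post).
TEMPLATE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <profiles>
    <profile>
      <id>release-signing</id>
      <properties>{props}</properties>
    </profile>
  </profiles>
</settings>"""
WEAK_SETTINGS = TEMPLATE.format(
    props="<gpg.passphrase>constructed-secret</gpg.passphrase>")
AGENT_SETTINGS = TEMPLATE.format(props="<gpg.useagent>true</gpg.useagent>")


def local(tag):
    """Strip an XML namespace so files with or without xmlns both work."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text):
    """Return (profile id, finding) tuples for profiles that set gpg.* properties."""
    findings = []
    root = ET.fromstring(xml_text)
    for profile in (e for e in root.iter() if local(e.tag) == "profile"):
        pid, props = "(no id)", {}
        for child in profile:
            if local(child.tag) == "id":
                pid = (child.text or "").strip()
            elif local(child.tag) == "properties":
                props = {local(p.tag): (p.text or "").strip() for p in child}
        if not any(name.startswith("gpg.") for name in props):
            continue  # profile has nothing to do with signing
        if props.get("gpg.passphrase"):
            # Report the location only; never echo the secret itself.
            findings.append((pid, "plaintext gpg.passphrase"))
        if props.get("gpg.useagent", "").lower() != "true":
            findings.append((pid, "gpg.useagent not enabled"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("agent", AGENT_SETTINGS)):
        print(name, audit_settings(text))
```

Running the audit against the real settings file after a release catches the "forgot to delete it" case the message mentions.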