setup-java icon indicating copy to clipboard operation
setup-java copied to clipboard
verified publisher icon actions

Update how passphrase is passed to GPG

Open cowwoc opened this issue 10 months ago • 2 comments

Description: Per https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#passphraseenvname the mechanism currently used by this task is deprecated. This is reenforced by the fact that https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#passphrase will fail if <bestPractices> is true.

The recommended way to pass the passphrase is now https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html#passphraseEnvName

Task version: v4

Expected behavior:

  • Stop writing gpg.passphrase to server.xml.
  • Set gpg.passphraseEnvName if the user specifies a value other than MAVEN_GPG_PASSPHRASE

cowwoc avatar Mar 03 '25 19:03 cowwoc

Hello @cowwoc👋, Thank you for reporting this issue. We will investigate it and get back to you as soon as we have some feedback.

priya-kinthali avatar Mar 04 '25 03:03 priya-kinthali

Hi @cowwoc 👋, Thank you for your valuable insights! We’ll explore the possibility of implementing these changes to enhance the action and consider your suggestion for future improvements. In the meantime, please feel free to share any additional details or suggestions you may have!

priyagupta108 avatar Mar 11 '25 10:03 priyagupta108