With the next release of Maven the current maven-gpg-plugin will become useless.
With the build/consumer pom, the local pom will be different compared to the
uploaded pom.
However, the maven-gpg-plugin now uses the pom.xml of the local project.
(btw, the plugin uses the gpg commandline with a bunch of arguments. The stdio
is used for passing the passphrase; you cannot stream the file via commandline)

In Maven 3.6.x changes have been made to support InputStream next to File.
This way we don't have to create a backdoor of writing a temporary file, which 
is likely to cause issues with very creative plugin/extension writers. Instead 
we should do in memory signing.

It would make sense to introduce a new plugin, and during a discussion with the
PMC the idea of maven-sign-plugin was proposed (a much better alternative
compared to maven-gpg2-plugin).

Dennis Lundberg started a POC based on Apache Commons OpenPGP, however, it is
still in the sandbox[1].

Olivier Lamy already discovered that signing doesn't work with the current 
Maven 3.7.0-SNAPSHOT.
Before we can even start thinking of an alpha-release, this issue must be 
fixed, because signing is a critical step for sharing artifacts.

I'm still struggling with MNG-6957, but in parallel a few should be able to
implement this.

Anybody willing to make this work?

thanks,
Robert

[1] http://commons.apache.org/sandbox/commons-openpgp/
