On 27 Feb 07, at 12:57 PM 27 Feb 07, Daniel Kulp wrote:
I'm working on fixing the issues in the gpg plugin. I just committed some changes but would like a bit of discussion before finalizing some of it.
MGPG-2 - Allow the selection of a particular signature
I added a keyname parameter (-Dkeyname=foo) etc... which can be used. It maps directly to the gpg --local-user flag. That should solve that one.
Something we're trying to practice is namespace usage in parameters so use
-Dgpg.keyname
So that other plugins that might use "keyname" can do the same and not cause a collision.
MGPG-1 - Prompt for pass phrase if it is not supplied
This one is a bit nasty. I basically have done two changes:
1) made passphrase non-required. If passphrase is not specified, gpg will automatically ask for it. We really don't have to do anything. The DOWNSIDE is gpg will ask for it for every artifact it signs.
That kind of sucks but as long as that's not the default, that's fine.
2) I've added a useAgent parameter (default to false, should that be true?) to pass the --use-agent or --no-use-agent flag to gpg. The agent can ask for the passphrase and cache it (outside of maven) so it only is asked for once. (this solves my use case of NO passphrase stored on disk anywhere, plaintext or not, yet still only ask once)
As long as there are agents usable on every platform I have no problem making this the default and getting people to install an agent. Good practice to follow.
The questions I have are:
1) Is allowing GPG to ask for the passphrase for every artifact acceptable?
No.
If not, we'll need to ask ahead of time and cache it. However, what happens in multi-module builds? Where can we store it so we don't have to ask again? (I suppose we could abuse System.setProperty(...) or something. Ick.)
No system properties, bad bad bad.
You can probably store it in the MavenProject.properties.
2) The comment on MGPG-1 says "the plugin should detect that Maven is running in batch mode, and not prompt in that case". In that case, what's supposed to happen? gpg really needs a passphrase. Should it fail? Should it just not sign anything?
If you store it in the properties then you can check and use that value if it's there.
jason.
Thanks!
--
J. Daniel Kulp
Principal Engineer
IONA
P: 781-902-8727 C: 508-380-7194
[EMAIL PROTECTED]
http://www.dankulp.com/blog
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
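The parameter-to-flag mapping discussed in this thread, as an added shell example that is not part of the original messages or the plugin's code. The function name `gpg_sign_args`, its four arguments, the failure in batch mode and the `--armor --detach-sign` output format are assumptions; the keyname is assumed to be a single word such as a key ID.

```shell
# Added illustration; gpg_sign_args and its four arguments are hypothetical.
# usage: gpg_sign_args KEYNAME USE_AGENT HAVE_PASSPHRASE BATCH_MODE
# Prints the gpg options on one line, or returns 1 when gpg would have to
# prompt during a batch build.
gpg_sign_args() {
    keyname=$1
    use_agent=$2
    have_pass=$3
    batch=$4

    # Assumption: a batch build with no passphrase and no agent fails rather
    # than shipping unsigned artifacts. The thread leaves this question open.
    if [ "$batch" = true ] && [ "$have_pass" != true ] && [ "$use_agent" != true ]; then
        echo "gpg: no passphrase and no agent available in batch mode" >&2
        return 1
    fi

    # useAgent selects one of the two flags named in the thread. GnuPG 2
    # always uses the agent and treats both as no-ops.
    if [ "$use_agent" = true ]; then
        args="--use-agent"
    else
        args="--no-use-agent"
    fi

    # gpg.keyname maps directly to --local-user.
    if [ -n "$keyname" ]; then
        args="$args --local-user $keyname"
    fi

    # A supplied passphrase is fed on stdin, never placed on the command
    # line where it would be visible in the process list.
    if [ "$have_pass" = true ]; then
        args="$args --batch --passphrase-fd 0"
    fi

    echo "$args --armor --detach-sign"
}
```

With `USE_AGENT` true and an empty agent cache, the agent may still need to prompt once, so a batch build relies on the passphrase having been cached beforehand.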