[
https://issues.apache.org/jira/browse/MGPG-112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17827425#comment-17827425
]
Tamas Cservenak commented on MGPG-112:
--------------------------------------
In general, yes. I'd recommend this:
* on workstation (like ASF releases are done), using GnuPG is recommended (w/
all your keys being installed in your home)
* on CI-like env I'd really NOT recommend installing private keys, instead,
use BC signer and provide key/pass via env variables
> Upgrading from 3.1.0 to 3.2.0 with no other changes causes "gpg: signing
> failed: No pinentry"
> ---------------------------------------------------------------------------------------------
>
> Key: MGPG-112
> URL: https://issues.apache.org/jira/browse/MGPG-112
> Project: Maven GPG Plugin
> Issue Type: Bug
> Affects Versions: 3.2.0
> Environment: GitHub actions, using ubuntu-22.04 (Ubuntu 22.04 LTS)
> image. Full details can be found in the linked logs in Description.
> Reporter: Harald Kuhr
> Assignee: Tamas Cservenak
> Priority: Major
> Fix For: 3.2.1
>
>
> After upgrading to Maven GPG plugin from 3.1.0 to 3.20, the Deploy step of my
> projects CI failed with the message "gpg: signing failed: No pinentry".
>
> After upgrade to 3.2.0, the deploy step fails the build, while the relevant
> part of the log says:
>
> {noformat}
> [INFO] --- maven-gpg-plugin:3.2.0:sign (sign-artifacts) @ twelvemonkeys ---
> [INFO] Signer 'gpg' is signing 2 files
> gpg: signing failed: No pinentry
> gpg: signing failed: No pinentry
> ...
> Error: Failed to execute goal
> org.apache.maven.plugins:maven-gpg-plugin:3.2.0:sign (sign-artifacts) on
> project twelvemonkeys: Exit code: 2 -> [Help 1]{noformat}
>
> After reverting to the working 3.1.0, build and deploy succeeds, the relevant
> part of the log says:
>
> {noformat}
> [INFO] --- maven-gpg-plugin:3.1.0:sign (sign-artifacts) @ twelvemonkeys ---
> [INFO] Signing 2 files with default secret key.
> ...
> [INFO] BUILD SUCCESS
> {noformat}
>
> Is this an expected/intended behavior with the 3.2.0 release, and does the
> plugin need additional/different configuration? If this is the case, can you
> provide suggestions or workarounds to get the signing working again?
> As this is a minor version change, I suspect this is a bug/regression and not
> intended. I don't find anything in the release notes suggesting a
> configuration change is required.
> Plugin configuration (private key and passphrase is passed using GHA secrets):
>
> {noformat}
> <plugin>
> <groupId>org.apache.maven.plugins</groupId>
> <artifactId>maven-gpg-plugin</artifactId>
> <version>3.1.0</version> <!-- fails with 3.2.0 -->
> <configuration>
> <!-- Prevent gpg from using pinentry programs -->
> <gpgArguments>
> <arg>--pinentry-mode</arg>
> <arg>loopback</arg>
> </gpgArguments>
> </configuration>
> <executions>
> <execution>
> <id>sign-artifacts</id>
> <phase>verify</phase>
> <goals>
> <goal>sign</goal>
> </goals>
> </execution>
> </executions>
> </plugin>{noformat}
>
> Full POM for the build:
> [https://github.com/haraldk/TwelveMonkeys/blob/878d6217d8538f05205c092c7230c8db6727d058/pom.xml]
>
> Full logs from broken build (Dependabot PR bump 3.1.0 to 3.2.0):
> [https://github.com/haraldk/TwelveMonkeys/actions/runs/8230467333/job/22504202895]
>
> Full logs from working build (reverted to 3.1.0):
> [https://github.com/haraldk/TwelveMonkeys/actions/runs/8230663423/job/22504567422]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
