[ https://issues.apache.org/jira/browse/PHOENIX-7446?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17893753#comment-17893753 ]
Istvan Toth commented on PHOENIX-7446:
--------------------------------------

MGPG-106 is interesting.

AFAIU, since pinentry does not work anymore, we somehow need to keep the signing key available on the host system.

Since I see no passphrase referred in MGPG-106, I assume that it requires having the unencrypted public key on the filesystem (i.e. docker image).

While certainly simpler, I think that the current solution of pre-unlocking the key with the keyagent on the host (either via a long TTL or the preset program) is more secure than potentially leaving an unencrypted private key around either on the local system, or in a docker image.

> Document GPG passphrase handling in release process
> ---------------------------------------------------
>
> Key: PHOENIX-7446
> URL: https://issues.apache.org/jira/browse/PHOENIX-7446
> Project: Phoenix
> Issue Type: Task
> Reporter: Istvan Toth
> Priority: Major
>
> It seems like the maven GPG plugin is no longer able to ask for a passphrase,
> and it has also been disabled for the tar.gz signing in the release script.
> It seems like we need to somehow preset the passphrase before running the
> release script.
> It seems that this requires either modifying the gpg-agent cache times so
> that it's longer than the release process, or using the gpg-preset-passphrase
> tool.
> Figure this out and document on the release page on the website and/or the
> release script README.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
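A pre-flight check for the pre-unlocking approach discussed in the comment above, as an added example that is not part of the original message or of the Phoenix release scripts. The function names and sample data are constructed; the `KEYINFO` field layout and the `default-cache-ttl` / `max-cache-ttl` defaults are those of GnuPG 2.x gpg-agent.

```shell
#!/bin/sh
# Added example: pre-flight checks for a release run whose signing key is
# pre-unlocked in gpg-agent. Function names and sample data are constructed.

# Succeeds if the agent reports the passphrase for keygrip $1 as cached.
# stdin: output of `gpg-connect-agent 'keyinfo --list' /bye`, whose status
# lines are: S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
key_is_cached() {
  awk -v grip="$1" '
    $1 == "S" && $2 == "KEYINFO" && toupper($3) == toupper(grip) { hit = ($7 == "1") }
    END { exit (hit ? 0 : 1) }'
}

# Succeeds if both cache TTLs in a gpg-agent.conf (stdin) are >= $1 seconds.
# Absent options fall back to the agent defaults (600 s and 7200 s).
# Conservative: default-cache-ttl restarts on each use, max-cache-ttl is the cap.
ttl_covers() {
  awk -v need="$1" '
    BEGIN { def = 600; max = 7200 }
    $1 == "default-cache-ttl" { def = $2 }
    $1 == "max-cache-ttl"     { max = $2 }
    END { exit ((def + 0 >= need + 0 && max + 0 >= need + 0) ? 0 : 1) }'
}

# Live check; assumes gpg-connect-agent and gpgconf are on PATH.
# $1 = keygrip of the signing key, $2 = expected release duration in seconds.
preflight() {
  conf="$(gpgconf --list-dirs homedir)/gpg-agent.conf"
  gpg-connect-agent 'keyinfo --list' /bye | key_is_cached "$1" ||
    { echo "signing key is not unlocked in gpg-agent" >&2; return 1; }
  cat "$conf" 2>/dev/null | ttl_covers "$2" ||
    { echo "cache TTL in $conf is shorter than $2 s" >&2; return 1; }
}

# Constructed sample of agent output: first key cached, second not.
SAMPLE_KEYINFO='S KEYINFO 1111111111111111111111111111111111111111 D - - 1 P - - -
S KEYINFO 2222222222222222222222222222222222222222 D - - - P - - -
OK'

for grip in 1111111111111111111111111111111111111111 \
            2222222222222222222222222222222222222222; do
  if printf '%s\n' "$SAMPLE_KEYINFO" | key_is_cached "$grip"; then
    echo "$grip: cached"
  else
    echo "$grip: NOT cached, signing would need pinentry"
  fi
done
```

The TTL check in `preflight` applies to the long-TTL variant; the keygrip to pass is the one printed by `gpg --list-secret-keys --with-keygrip`.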