Howdy, The Apache Maven team is pleased to announce the release of the Apache Maven GPG Plugin, version 3.2.0
This plugin signs all of the project's attached artifacts with GnuPG or BC. https://maven.apache.org/plugins/maven-gpg-plugin/ You should specify the version in your project's plugin configuration: <plugin> <groupId>org.apache.maven.plugins</groupId> <artifactId>maven-gpg-plugin</artifactId> <version>3.2.0</version> </plugin> You can download the appropriate sources etc. from the download page: https://maven.apache.org/plugins/maven-gpg-plugin/download.cgi Release Notes - Maven GPG Plugin - Version 3.2.0 ** Bug * [MGPG-85] - Regression in maven-metadata for SNAPSHOTs between 1.6 and 3.0.1 * [MGPG-98] - non-reproducible pom.xml * [MGPG-99] - Passcode byte array provided to gpg executable on stdin is not terminated * [MGPG-100] - Fix Temporary File Information Disclosure Vulnerability ** New Feature * [MGPG-106] - Introduce second signer implementation based on Bouncy Castle ** Improvement * [MGPG-101] - Switch to Junit5 * [MGPG-102] - Drop maven-artifact-transfer used by sign-and-deploy-file * [MGPG-105] - Stop propagating bad practices; but allow for "compat mode" * [MGPG-110] - The sign-and-deploy-file mojo POM validation is off ** Task * [MGPG-103] - Fix Windows CI * [MGPG-107] - Settle on JUnit 5 assertions * [MGPG-108] - Update plugin site doco ** Dependency upgrade * [MGPG-104] - Update to 3.9.6, drop the cruft, minimum baseline remains 3.2.5 Have fun, -The Apache Maven team