When signing artifacts with GPG, Maven builds usually rely on the Maven GPG Plugin and therefore store secrets in Maven's settings.xml.
These secrets should be handled by the Jenkins Config File Provider Plugin.
Key configuration parameters that the Config File Provider Plugin should handle:
- gpg.keyname: The "name" of the key to sign with. Passed to gpg as --local-user.
- gpg.passphrase: The passphrase to use when signing. If not given, the value is looked up in the Maven settings under the server id given by the 'passphraseServerKey' configuration.
- gpg.passphraseServerId: Server id used to look up the passphrase in the Maven settings.
- gpg.useagent: Passes --use-agent or --no-use-agent to gpg. If using an agent, the passphrase is optional as the agent will provide it. For gpg2, specify true, as --no-use-agent was removed in gpg2 and it no longer asks for a passphrase.
- gpg.publicKeyring: The path to a public keyring to add to the list of keyrings. By default, only the pubring.gpg from gpg's home directory is considered. Use this option (and defaultKeyring if required) to use a different public key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
- gpg.secretKeyring: The path to a secret keyring to add to the list of keyrings. By default, only the secring.gpg from gpg's home directory is considered. Use this option (in combination with publicKeyring and defaultKeyring if required) to use a different secret key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
- gpg.defaultKeyring: Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
- gpg.homedir: The directory from which gpg will load keyrings. If not specified, gpg will use the value configured for its installation, e.g. ~/.gnupg or %APPDATA%/gnupg.
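The following declarative pipeline is an added example (not from the original discussion) of wiring these parameters together so that the passphrase lives only in the managed settings.xml. It assumes a Config File Provider entry with fileId 'maven-settings-gpg', a server id 'gpg.passphrase' and the key name 'ci-release@example.org'; all three are placeholders.

```groovy
// Added example; assumes a Config File Provider entry of type "Maven settings"
// with fileId 'maven-settings-gpg' whose <servers> section contains
//   <server><id>gpg.passphrase</id><passphrase>...</passphrase></server>
// and that the secret key 'ci-release@example.org' is in the agent's keyring.
pipeline {
  agent any
  stages {
    stage('Sign') {
      steps {
        // The managed settings.xml is written to a temporary file for the
        // duration of this block only; its path is exposed as $MAVEN_SETTINGS.
        configFileProvider([configFile(fileId: 'maven-settings-gpg', variable: 'MAVEN_SETTINGS')]) {
          // The passphrase itself never appears on the command line or in the
          // console log: the GPG plugin reads it from the <server> entry whose
          // id matches gpg.passphraseServerId.
          sh '''
            mvn -B -s "$MAVEN_SETTINGS" \
              -Dgpg.keyname=ci-release@example.org \
              -Dgpg.passphraseServerId=gpg.passphrase \
              verify
          '''
        }
      }
    }
  }
}
```

Because the file is removed when the configFileProvider block ends, nothing sensitive is left in the workspace for later stages or archived artifacts.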
Maybe we should also consider http://kohsuke.org/pgp-maven-plugin but I'm not sure that this plugin is widely adopted and actively maintained.
- ~/.gnupg: This is the default home directory, used if neither the environment variable GNUPGHOME nor the option --homedir is given.
- ~/.gnupg/pubring.gpg: The public keyring.
- ~/.gnupg/secring.gpg: The private keyring (used by GnuPG versions before 2.1; not used by GnuPG 2.1 and later).
- ~/.gnupg/trustdb.gpg: The trust database. There is no need to back up this file; it is better to back up the ownertrust values (see option --export-ownertrust).