
Support injection of maven-gpg-plugin:sign config params in Maven Settings files

      When signing artifacts with GPG, Maven apps usually rely on the Maven GPG Plugin and thus store secrets in Maven settings.xml.

      These secrets should be handled by the Jenkins Config File Provider Plugin.

      Key configuration parameters that should be handled by the Config File Provider Plugin:

      http://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html

      • gpg.keyname: The "name" of the key to sign with. Passed to gpg as --local-user.
      • gpg.passphrase: The passphrase to use when signing. If not given, look up the value under Maven settings using server id at 'passphraseServerKey' configuration.
      • gpg.passphraseServerId: Server id to lookup the passphrase under Maven settings.
      • gpg.useagent: Server id to lookup the passphrase under Maven settings.
      • gpg.homedir
      • gpg.publicKeyring: The path to a public keyring to add to the list of keyrings. By default, only the pubring.gpg from gpg's home directory is considered. Use this option (and defaultKeyring if required) to use a different public key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
      • gpg.secretKeyring: The path to a secret keyring to add to the list of keyrings. By default, only the secring.gpg from gpg's home directory is considered. Use this option (in combination with publicKeyring and defaultKeyring if required) to use a different secret key. Note: Relative paths are resolved against gpg's home directory, not the project base directory.
      • gpg.useagent: Passes --use-agent or --no-use-agent to gpg. If using an agent, the passphrase is optional as the agent will provide it. For gpg2, specify true as --no-use-agent was removed in gpg2 and doesn't ask for a passphrase anymore.
      • gpg.defaultKeyring: Whether to add the default keyrings from gpg's home directory to the list of used keyrings.
      • gpg.homedir: The directory from which gpg will load keyrings. If not specified, gpg will use the value configured for its installation, e.g. ~/.gnupg or %APPDATA%/gnupg.

      Maybe we should also consider http://kohsuke.org/pgp-maven-plugin but I'm not sure that this plugin is widely adopted and actively maintained.

      References:

      • https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html
        • ~/.gnupg: This is the default home directory which is used if neither the environment variable GNUPGHOME nor the option --homedir is given.
        • ~/.gnupg/pubring.gpg: The public keyring.
        • ~/.gnupg/secring.gpg: The private keyring (used by GnuPG versions before 2.1. It is not used by GnuPG 2.1 and later).
        • ~/.gnupg/trustdb.gpg: The trust database. There is no need to backup this file; it is better to backup the ownertrust values (see option --export-ownertrust).
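
As an added illustration (not part of this issue, the Maven GPG Plugin or the Config File Provider Plugin), the Python script below follows the sign mojo's documented lookup order against a constructed settings.xml: an explicit gpg.passphrase wins, otherwise the <server> whose <id> equals passphraseServerId is consulted and its <passphrase> element is read. It also reports every server secret that is not in Maven's {...} encrypted form, which is exactly the cleartext-in-settings.xml situation this request wants Jenkins to take over; the function names, ids and values are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Maven encrypts server secrets as "{...}" via settings-security.xml; anything
# else stored in <password>/<passphrase> is cleartext on the build agent.
ENCRYPTED = re.compile(r"^\{.+\}$")

# Constructed sample settings.xml; the ids and values are placeholders, not
# taken from any real project.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server>
      <id>ossrh</id>
      <username>deployer</username>
      <password>{ENCRYPTED-PLACEHOLDER=}</password>
    </server>
    <server>
      <id>gpg.passphrase</id>
      <passphrase>cleartext-placeholder</passphrase>
    </server>
  </servers>
</settings>
"""


def _servers(settings_xml):
    """Yield (server id, {element: value}) for every <server>, with or without
    the Maven namespace, keeping only the secret-bearing elements present."""
    root = ET.fromstring(settings_xml)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for server in root.iter(ns + "server"):
        secrets = {}
        for tag in ("password", "passphrase"):
            value = server.findtext(ns + tag)
            if value is not None:
                secrets[tag] = value
        yield server.findtext(ns + "id"), secrets


def resolve_passphrase(settings_xml, passphrase=None, server_id=None):
    """Return (source, value) the way the sign mojo documents it: an explicit
    gpg.passphrase wins; otherwise the <passphrase> of the server whose <id>
    matches passphraseServerId is used; otherwise nothing is found."""
    if passphrase is not None:
        return "gpg.passphrase", passphrase
    if server_id is not None:
        for sid, secrets in _servers(settings_xml):
            if sid == server_id and "passphrase" in secrets:
                return "server:" + sid, secrets["passphrase"]
    return None, None


def audit_settings(settings_xml):
    """Return [(server id, element)] for every server secret stored in cleartext."""
    findings = []
    for sid, secrets in _servers(settings_xml):
        for tag, value in secrets.items():
            if not ENCRYPTED.match(value.strip()):
                findings.append((sid, tag))
    return findings


if __name__ == "__main__":
    print(resolve_passphrase(SAMPLE_SETTINGS, server_id="gpg.passphrase"))
    for sid, tag in audit_settings(SAMPLE_SETTINGS):
        print("cleartext secret: server %r element <%s>" % (sid, tag))
```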

          [JENKINS-40703] Support injection of maven-gpg-plugin:sign config params in Maven Settings files

          Cyrille Le Clerc created issue
          Cyrille Le Clerc made changes: Issue Type, Original: Improvement, New: New Feature
          Cyrille Le Clerc made changes: Remote Link, New: This issue links to "Apache Maven GPG Plugin > Plugin Documentation (Web Link)"
          Cyrille Le Clerc made changes: Remote Link, New: This issue links to "kohsuke.org PGP Maven plugin (Web Link)"

          Cyrille Le Clerc added a comment - Maybe it makes more sense to offer this feature through the credentials binding plugin.
          Dominik Bartholdi added a comment - would you expect the config-file-provider plugin to inject these settings as properties into the settings.xml?

            domi Dominik Bartholdi
            cleclerc Cyrille Le Clerc
            Votes: 5
            Watchers: 9