Usage

Sign artifacts with GnuPG

Signs all of a project's attached artifacts with GnuPG.

You need to have previously configured the default key.

gpg also needs to be on the search path.

First you add the plugin to your pom.xml like this:

<project>
  ...
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>1.2</version>
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
  ...
</project>

Then specify the passphrase on the command line, like this:

mvn verify -Dgpg.passphrase=thephrase

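If you don't specify a passphrase, the plugin prompts for one. Prompting also keeps the passphrase out of your shell history and out of the process list, where command-line arguments can be read by other local users.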

Note: When using the GPG Plugin in combination with the Maven Release Plugin, you might need to specify the passphrase like this:

mvn release:perform -Darguments=-Dgpg.passphrase=thephrase

This is necessary because the Release Plugin forks Maven, and system properties of the current Maven session are unfortunately not automatically propagated to the forked Maven session (see also MGPG-9).
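
To confirm that the sign goal actually produced valid signatures, the build output can be checked after mvn verify. The following is an added example, not part of the plugin or its documentation. It assumes each signature is a detached <file>.asc written next to the signed file in the build directory, and that the signer's public key is in the local keyring; the function name and the GPG variable are hypothetical.

```shell
#!/bin/sh
# Added example: check the signatures left in the build directory.
# Assumption: each signature is a detached <file>.asc stored next to <file>.
GPG="${GPG:-gpg}"   # gpg binary to call; can be overridden

# verify_signatures DIR
# Prints one status line per finding. Returns 0 only if at least one
# signature exists, every signature verifies, and no jar is unsigned.
verify_signatures() {
    dir="$1"
    bad=0
    seen=0

    # Every signature must verify against the file it is named after.
    for sig in "$dir"/*.asc; do
        [ -f "$sig" ] || continue            # glob matched nothing
        seen=$((seen + 1))
        file="${sig%.asc}"
        if [ ! -f "$file" ]; then
            echo "MISSING $file"             # signature without its artifact
            bad=1
        elif "$GPG" --batch --verify "$sig" "$file" >/dev/null 2>&1; then
            echo "OK $file"
        else
            echo "BAD $file"                 # altered file or unknown key
            bad=1
        fi
    done

    # Every jar must have a signature beside it.
    for jar in "$dir"/*.jar; do
        [ -f "$jar" ] || continue
        if [ ! -f "$jar.asc" ]; then
            echo "UNSIGNED $jar"
            bad=1
        fi
    done

    # A directory with no signatures at all means signing never ran.
    if [ "$seen" -eq 0 ]; then
        echo "NOSIGS $dir"
        bad=1
    fi
    return "$bad"
}
```

Source the file and call verify_signatures target from the project directory; a non-zero return means at least one artifact should not be published.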