Deploy Signed Artifacts

Without this plugin you deploy your project like this:

mvn deploy

If you have configured this plugin according to the instructions in the usage page, nothing changes for interactive sessions:

mvn deploy

And the gpg-agent will prompt you for passphrase.

General remark regarding environment variables: Examples below are NOT instructions how to invoke Maven, as if you'd follow these examples literally, it would defy the goal of not leaking cleartext passphrases, as these would end up in terminal history! You should set these environment variables on your own discretion in some secure manner.

If you use "batch" build (or build is invoked by Maven Release Plugin), then gpg-agent will be unable to ask interactively for password. In such cases you want to "prime" the agent with passwords first. See usage page for details how to "prime" gpg-agent.

In "agent-less" (CI like usage) mode one can supply passphrase via environment variable only.

MAVEN_GPG_PASSPHRASE=thephrase mvn --batch-mode deploy

Sign using BC Signer

By default the plugin uses the "gpg" Signer (that relies on GnuPG tool installed on host OS). The "bc" Signer on the other hand implements signing in pure Java using Bouncy Castle libraries.

The "bc" signer, unlike "gpg", does not and cannot make use of ~/.gnupg directory in user home, and have to have configured both, the key used to sign and the passphrase (if key is passphrase protected). The key is expected to be in TSK format (see "Transferable Secret Keys" format).

mvn deploy -Dgpg.signer=bc -Dgpg.keyFilePath=path/to/key

In interactive sessions, similarly as with "gpg" Signer, gpg-agent will be used to ask for password. In batch sessions, you can use environment variables to achieve similar thing:

MAVEN_GPG_PASSPHRASE=thephrase mvn deploy -Dgpg.signer=bc -Dgpg.keyFilePath=path/to/key

Ultimately, you can place both, they key and passphrase into environment variables:

MAVEN_GPG_KEY=thekeymaterial MAVEN_GPG_PASSPHRASE=thephrase mvn deploy -Dgpg.signer=bc

Install/Deploy without configuring the plugin in the POM

Currently this is not easily accomplished. gpg signs the artifacts attached to the build at the point that gpg runs. However, we want to "inject" the gpg into the phases. What MIGHT work is:

mvn verify gpg:sign install:install deploy:deploy

However, if there are other plugins configured for phases after the verify phase, they will not be run.