Suppressing GPG signing for Maven-based continuous integration builds (Travis CI)

Disable GPG signing by adding the following line to your .travis.yml file:

install: mvn install -DskipTests -Dgpg.skip

Example: https://github.com/stefanbirkner/system-rules/blob/master/.travis.yml


You need to create a profile and make sure it runs only when you do the release build.

Remove the current plugin, and add it in a profile like this:

<profiles>
    <profile>
        <id>release-sign-artifacts</id>
        <activation>
            <property>
                <name>performRelease</name>
                <value>true</value>
            </property>
        </activation>
        <build>
            <plugins>
                <plugin>
                    <groupId>org.apache.maven.plugins</groupId>
                    <artifactId>maven-gpg-plugin</artifactId>
                    <version>1.4</version>
                    <executions>
                        <execution>
                            <id>sign-artifacts</id>
                            <phase>verify</phase>
                            <goals>
                                <goal>sign</goal>
                            </goals>
                        </execution>
                    </executions>
                </plugin>
            </plugins>
        </build>
    </profile>
</profiles>

And then when you actually need to do a release, add the property to your mvn command:

mvn -DperformRelease=true ...

I found a slightly simpler way to do it with the profile as described above. Instead of using a new property value, you can use the gpg.passphrase property which will need to be provided anyway when doing signing. The modified property section is as follows:

<activation>
    <property>
        <name>gpg.passphrase</name>
    </property>
</activation>

Notice that no value is required, since you want this profile to activate if any value is set for that property.

The corresponding command line then looks like this:

mvn <command> -Dgpg.passphrase=myverysupersecretpassphrase

You can test this out by running it in the following two ways:

mvn install

No signed artifacts get generated, and:

mvn install -Dgpg.passphrase=myverysupersecretpassphrase

Signed artifacts get created.

To do the actual signed release of the artifacts, do the following:

mvn release:perform -Darguments=-Dgpg.passphrase=myverysupersecretpassphrase

The indirection is needed for the release action because it doesn't propagate the command line arguments directly to the spawned process (see http://maven.apache.org/plugins/maven-gpg-plugin/usage.html).
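
A check for the profile setups described above, as an added example (not code from any of the answers): it parses a POM and reports whether the maven-gpg-plugin sign goal is still bound in the default build, which is what makes CI builds attempt to sign, and which property activates each signing profile. The function name audit_signing and the sample POMs are constructed for illustration, and only property-based activation is inspected.

```python
import xml.etree.ElementTree as ET

GPG = ("<plugin><artifactId>maven-gpg-plugin</artifactId><executions><execution>"
       "<phase>verify</phase><goals><goal>sign</goal></goals>"
       "</execution></executions></plugin>")
# Constructed sample POMs (not taken from any real project).
POM_BEFORE = ('<project xmlns="http://maven.apache.org/POM/4.0.0">'
              "<build><plugins>" + GPG + "</plugins></build></project>")
POM_AFTER = ('<project xmlns="http://maven.apache.org/POM/4.0.0"><profiles>'
             "<profile><id>release-sign-artifacts</id><activation><property>"
             "<name>gpg.passphrase</name></property></activation>"
             "<build><plugins>" + GPG + "</plugins></build>"
             "</profile></profiles></project>")

def _strip_ns(root):
    """Drop the POM namespace so elements can be found by plain tag name."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def _binds_gpg_sign(build):
    """True if this <build> runs maven-gpg-plugin's sign goal.
    <pluginManagement> entries are ignored: they only configure, never bind."""
    if build is None:
        return False
    for plugin in build.findall("./plugins/plugin"):
        if (plugin.findtext("artifactId") or "").strip() != "maven-gpg-plugin":
            continue
        goals = plugin.findall("./executions/execution/goals/goal")
        if any((g.text or "").strip() == "sign" for g in goals):
            return True
    return False

def audit_signing(pom_xml):
    """Report where signing is bound and what property triggers it."""
    root = _strip_ns(ET.fromstring(pom_xml))
    report = {"default_build": _binds_gpg_sign(root.find("build")), "profiles": {}}
    for profile in root.findall("./profiles/profile"):
        if not _binds_gpg_sign(profile.find("build")):
            continue
        prop = profile.find("./activation/property")
        trigger = None  # no property activation found on this profile
        if prop is not None:
            value = prop.findtext("value")  # None means "any value activates"
            trigger = ((prop.findtext("name") or "").strip(),
                       value.strip() if value else None)
        report["profiles"][(profile.findtext("id") or "").strip()] = trigger
    return report

if __name__ == "__main__":
    print(audit_signing(POM_BEFORE))
    print(audit_signing(POM_AFTER))
```

A `default_build` value of True means every `mvn install`, including the CI one, will try to sign; a trigger whose value is None activates on any value of the named property.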