How to select the GnuPG key that the maven-gpg-plugin uses to sign artifacts?

礼貌的吻别 2021-01-12 16:15

I am using the maven-gpg-plugin to sign the maven artifacts. This works fine, but I have several keys in my GnuPG keyring and want to use a different one than the one GnuPG

1 Answer
  •  清酒与你
    2021-01-12 16:57

    How does GPG select the "default" key if there are several ones?

    GnuPG by default chooses the first key in the secret keyring, if not defined otherwise (for example, using the default-key option). From man gpg:

    --default-key name
    
        Use name as the default key to sign with. If this option is not used,
        the default key is the first key found in the secret keyring. Note 
        that -u or --local-user overrides this option. 
    

    Is there a possibility to specify the key to be used in the maven-gpg-plugin configuration? It seems that "keyname" doesn't work (I assume it selects the keyring, but not a specific key).

    If you do not want to have GnuPG decide automatically which key to use, [keyname] selects the key to be used. I expect this is passed as the local-key option, so it should support short and long key IDs, fingerprints and user IDs. The GnuPG manual contains a list of ways to specify keys.

    Most manuals describing how to specify keys here use the short key ID, which I strongly recommend against because of collision attacks; use the whole fingerprint instead.

    There are further options to change the selection of keys. Refer to the Maven GnuPG plugin manual for more details on the individual options:

    • Selecting a dedicated keyring using secretKeyring
    • Selecting a dedicated GnuPG home directory using homedir
    • Passing the local-user option to GnuPG using gpgArguments

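An added example, not part of the original answer or of the plugin's documentation: POSIX shell helpers that parse `gpg --list-secret-keys --with-colons` output to show which key is first in the secret keyring (the default described in the man page excerpt) and to resolve a user ID to the full fingerprint for `keyname`. The function names are hypothetical, and the sample listing with its key IDs, fingerprints and user IDs is constructed.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --with-colons` output
# (key IDs, fingerprints and user IDs are made up for this example).
sample_listing() {
cat <<'EOF'
sec:u:4096:1:1111222233334444:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:6666777788889999:1600000000::::::e:::+:::23:
fpr:::::::::0000111122223333444455556666777788889999:
sec:u:4096:1:9999AAAABBBBCCCC:1610000000:::u:::scESC:::+:::23::0:
fpr:::::::::123456789ABCDEF0123456789999AAAABBBBCCCC:
uid:u::::1610000000::0000000000000000000000000000000000000000::Release Signing <release@example.org>::::::::::0:
EOF
}

# Read a colon listing on stdin; print "FINGERPRINT<TAB>USER ID" per primary key, in keyring order.
list_signing_keys() {
  awk -F: '
    $1 == "sec"               { want = 1; fp = ""; next }  # new primary key
    $1 == "ssb"               { want = 0; next }           # skip subkey fingerprints
    $1 == "fpr" && want       { fp = $10; want = 0; next } # fingerprint is field 10
    $1 == "uid" && fp != ""   { print fp "\t" $10 }        # user ID is field 10
  '
}

# First key in the secret keyring: what gets used when no key is selected explicitly.
default_key() { list_signing_keys | head -n 1 | cut -f 1; }

# Fingerprint of the key whose user ID contains $1; fails unless exactly one key matches.
fingerprint_for() {
  list_signing_keys | awk -F'\t' -v q="$1" '
    index($2, q) && !seen[$1]++ { n++; fp = $1 }
    END { if (n != 1) exit 1; print fp }'
}

# Accept only a full 40-hex-digit fingerprint; short (8) and long (16) key IDs are rejected.
is_full_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Usage against the real keyring (gpg.keyname is the user property behind keyname):
#   fpr=$(gpg --list-secret-keys --with-colons --fingerprint | fingerprint_for 'release@example.org')
#   is_full_fingerprint "$fpr" && mvn -Dgpg.keyname="$fpr" verify
```

Refusing an ambiguous user ID match keeps a build from silently signing with whichever matching key happens to come first in the keyring.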