Signing Plugin should use gpg-agent (or at least provide a convenient way to enter the passphrase)

I am not very keen on the idea of storing my passphrase in a file in clear text. The Signing plugin should at least provide a convenient way to enter the passphrase or, even better, make use of a running gpg-agent instance.

I am surprised that this feature request hasn’t popped up already. At least my searches found none.

Did you see the example for using the Java console for reading the password?

This could definitely be improved. Would you be interested in contributing such an improvement?

Yep, that’s what I’m using atm. I see that the signing plugin uses bouncycastle for signing. That may explain why there is no GnuPG agent support (yet). I sure would contribute if I find the time to hack something together that’s good enough. Thanks for your answer.

Another use case (where I am kind of stuck now) is that I do use gpg-agent because my gpg key is stored in a SIM card. So when I invoke gpg it uses the card to perform the signing tasks and no passwords are required. This does not work with gradle since it always requires a password to be provided, and if I do so it will not work since I don’t have a password…

In my searches for gradle plugins providing support for signing using the “new” publish mechanism, I stumbled upon what may be a workaround:

In there is code showing how you can shell out to ‘gpg’ to perform the signature re-using the mechanics inside the normal signature plugin.

1 Like