Signing Plugin should use gpg-agent (or at least provide a convenient way to enter the passphrase)

I am not very keen on the idea of storing my passphrase in a gradle.properties file in clear text. The Signing plugin should at least provide a convenient way to enter the passphrase or, even better, make use of a running gpg-agent instance.

I am surprised that this feature request hasn’t popped up already. At least my searches found none.

Did you see the example for using the Java console for reading the password?

http://www.gradle.org/docs/current/userguide/signing_plugin.html#N15692

This could definitely be improved. Would you be interested in contributing such an improvement?

Yep, that’s what I’m using atm. I see that the signing plugin uses bouncycastle for signing. That may explain why there is no GnuPG agent support (yet). I sure would contribute if I find the time to hack something together that’s good enough. Thanks for your answer.

Another use case (where I am kind of stuck now) is that I do use gpg-agent because my gpg key is stored in a simcard. So when I invoke gpg it uses the card to perform the signing tasks and no passwords are required. This does not work with gradle since it always requires a password to be provided and if I do so it will not work since I don’t have a password…

In my searches for gradle plugins providing support for signing using the “new” publish mechanism, I stumbled upon what may be a workaround: https://github.com/elehack/gradle-plugins/tree/master/gradle-util/src/main/groovy/net/elehack/gradle/util

In there is code showing how you can shell out to ‘gpg’ to perform the signature re-using the mechanics inside the normal signature plugin.

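The build.gradle fragment below is an added example, not code from this thread or from the linked repository. It shells out to `gpg` so that the running gpg-agent (or a smartcard) handles the key and no passphrase is stored in gradle.properties or passed on the command line; the task names and the `gpgKeyId` property are assumptions.

```groovy
// Added example: task names and the gpgKeyId property are hypothetical.
// Assumes `gpg` is on PATH and gpg-agent (or a smartcard) can unlock the key
// without a terminal, e.g. via a graphical pinentry or a cached passphrase.
plugins {
    id 'java'
}

// Optional key selector, passed as -PgpgKeyId=<key id>; never a passphrase.
def keyId = findProperty('gpgKeyId')

def jarFile = tasks.named('jar').get().archiveFile.get().asFile
def sigFile = new File(jarFile.parentFile, jarFile.name + '.asc')

tasks.register('gpgSignJar', Exec) {
    dependsOn tasks.named('jar')
    inputs.file jarFile
    outputs.file sigFile
    executable 'gpg'
    // --batch: gpg itself never prompts; unlocking the key is left to the agent.
    args '--batch', '--yes', '--armor', '--detach-sign'
    if (keyId) {
        args '--local-user', keyId.toString()
    }
    args '--output', sigFile.absolutePath, jarFile.absolutePath
}

tasks.register('gpgVerifyJar', Exec) {
    dependsOn tasks.named('gpgSignJar')
    // gpg exits non-zero on a bad or missing signature, which fails the build.
    commandLine 'gpg', '--batch', '--verify', sigFile.absolutePath, jarFile.absolutePath
}
```

Running `gradle gpgVerifyJar` builds the jar, writes a detached `.asc` signature next to it, and fails the build if the signature does not verify.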