Niels Bertram created MGPG-99:
---------------------------------
Summary: Passcode byte array provided to gpg executable on stdin
is not terminated
Key: MGPG-99
URL: https://issues.apache.org/jira/browse/MGPG-99
Project: Maven GPG Plugin
Issue Type: Bug
Affects Versions: 3.1.0
Reporter: Niels Bertram
Attachments: image-2023-08-15-10-40-10-637.png
We ran into a strange issue using the maven-gpg-plugin with gnu gpg 2.3.7.
The 2.x versions of gpg prefer to take the passcode for the signing key via
stdin and the maven-gpg-plugin does setup the signing process accordingly with
the `--passphrase-fd 0`
[argument|https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L102]
provided to the command process.
On [Line
106|https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L106]
the passcode is written to as bytes to the input stream that is then provided
in [Line
173|https://github.com/apache/maven-gpg-plugin/blob/master/src/main/java/org/apache/maven/plugins/gpg/GpgSigner.java#L173]
to the gpg process.
Unfortunately it appears that gpg requires a `CR` or `LF` to recognise that the
passcode is provided as arg 0 on stdin. In our case it does not and the process
fails with following error: `gpg: signing failed: No pinentry` .
The use of the loopback pinentry device is properly configured by the plugin
but the hint for us was that the gpg executable did not know there was any
input on stdin.
After some experimentation, we found that appending a `CR` character to the
passcode will trigger the stdin to provide the passcode to the program.
This "fix" looks like this in the `settings.xml` file.
!image-2023-08-15-10-40-10-637.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
