Hi everyone,
I am looking for a way to use maven-gpg-plugin in conjunction with a Hardware Security Module (HSM) for the process of publishing digitally signed artifacts on Maven Central.

After reading the documentation, I am under the impression that the plugin assumes that it has the signing key and the passphrase, but in my use case I rely on an external device to securely store the key, and the key itself cannot get out of the device, by design.

After I sign the jar using utilities provided by the HSM, is there a way to tell maven-gpg-plugin to use the existing signature of the jar and upload it to the server (instead of trying to produce its own)?

Alternatively, maybe you can recommend another approach that I can take?

Alex