Howdy, if you can use your GPG CLI with your HSM, this could or should be possible, as maven-gpg-plugin really just invokes the CLI (the gpg executable).
HTH
T

On Wed, Feb 15, 2023 at 12:50 PM Railean, Alexander <alexander.rail...@siemens.com> wrote:

> Hi everyone,
>
> I am looking for a way to use maven-gpg-plugin in conjunction with a
> Hardware Security Module (HSM) for the process of publishing digitally
> signed artifacts on Maven Central.
>
> After reading the documentation I am under the impression that the plugin
> assumes that it has the signing key and the passphrase – but in my use case
> I rely on an external device to securely store the key, and the key itself
> cannot get out of the device, by design.
>
> After I sign the jar using utilities provided by the HSM, is there a way
> to tell maven-gpg-plugin to use existing signature of the jar and upload it
> to the server? (instead of trying to produce its own)
>
> Alternatively, maybe you can recommend another approach that I can take?
>
> Alex