Suppressing GPG signing for Maven-based continuous integration builds (Travis CI)

Java, Maven, Continuous Integration, Gnupg, Travis CI

Java Problem Overview


I'm using Travis-CI to provide continuous integration builds for a few Java open source projects I'm working on.

Normally this works smoothly, but I have a problem when the POM specifies GPG signing, e.g.

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-gpg-plugin</artifactId>
  <version>1.4</version>
  <executions>
    <execution>
      <id>sign-artifacts</id>
      <phase>verify</phase>
      <goals>
        <goal>sign</goal>
      </goals>
    </execution>
  </executions>
</plugin>

This causes the Travis build to fail - apparently because it does not have a passphrase available while running mvn install. See this build for an example.

What is the best way to configure Maven and/or Travis to skip GPG signing for CI test builds, but still perform GPG signing when I do a proper release build?

Java Solutions


Solution 1 - Java

Disable GPG signing by adding the following line to your .travis.yml file:

install: mvn install -DskipTests -Dgpg.skip

Example: https://github.com/stefanbirkner/system-rules/blob/master/.travis.yml

Solution 2 - Java

You need to create a profile & make sure you run that only when you do the release build.

Remove the current plugin, and add it in a profile like this:

<profiles>
	<profile>
		<id>release-sign-artifacts</id>
		<activation>
			<property>
				<name>performRelease</name>
				<value>true</value>
			</property>
		</activation>
		<build>
			<plugins>
				<plugin>
					<groupId>org.apache.maven.plugins</groupId>
					<artifactId>maven-gpg-plugin</artifactId>
					<version>1.4</version>
					<executions>
						<execution>
							<id>sign-artifacts</id>
							<phase>verify</phase>
							<goals>
								<goal>sign</goal>
							</goals>
						</execution>
					</executions>
				</plugin>
			</plugins>
		</build>
	</profile>
</profiles>

And then when you actually need to do a release, add the property to your mvn command:

mvn -DperformRelease=true ...

Solution 3 - Java

I found a slightly simpler way to do it with the profile as described above. Instead of using a new property value, you can use the gpg.passphrase property which will need to be provided anyway when doing signing. The modified property section is as follows:

<activation>
    <property>
        <name>gpg.passphrase</name>
    </property>
</activation>

Notice that no value is required, since you want this profile to activate if any value is set for that property.

The corresponding command line then looks like this:

mvn <command> -Dgpg.passphrase=myverysupersecretpassphrase

You can test this out by running it the following two ways:

mvn install

No signed artifacts get generated, and:

mvn install -Dgpg.passphrase=myverysupersecretpassphrase

Signed artifacts get created.

To do the actual signed release of the artifacts do the following:

mvn release:perform -Darguments=-Dgpg.passphrase=myverysupersecretpassphrase

The indirection is needed for the release action because it doesn't propagate the command line arguments directly to the spawned process (see http://maven.apache.org/plugins/maven-gpg-plugin/usage.html).
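A check that can run before a POM change is merged, added here as an illustration and not taken from the question or any of the answers: it parses a POM and reports whether the maven-gpg-plugin sign goal is bound unconditionally (the question's case) or inside a property-activated profile (Solutions 2 and 3). The sample POM strings are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample POMs mirroring the three variants discussed on this page.
PLUGIN = ("<plugin><artifactId>maven-gpg-plugin</artifactId><executions><execution>"
          "<phase>verify</phase><goals><goal>sign</goal></goals>"
          "</execution></executions></plugin>")
BUILD = f"<build><plugins>{PLUGIN}</plugins></build>"
XMLNS = 'xmlns="http://maven.apache.org/POM/4.0.0"'

def profile_pom(prop):
    return (f"<project {XMLNS}><profiles><profile><id>release-sign-artifacts</id>"
            f"<activation><property>{prop}</property></activation>{BUILD}"
            "</profile></profiles></project>")

QUESTION_POM = f"<project {XMLNS}>{BUILD}</project>"
SOLUTION2_POM = profile_pom("<name>performRelease</name><value>true</value>")
SOLUTION3_POM = profile_pom("<name>gpg.passphrase</name>")

def _signs(build):
    """True if this <build> element binds maven-gpg-plugin's sign goal."""
    if build is None:
        return False
    for plugin in build.findall("plugins/plugin"):
        if plugin.findtext("artifactId", "").strip() != "maven-gpg-plugin":
            continue
        goals = plugin.findall("executions/execution/goals/goal")
        if any((g.text or "").strip() == "sign" for g in goals):
            return True
    return False

def audit_signing(pom_xml):
    """Return (location, activation) for every place the sign goal is bound."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():  # drop the POM namespace so plain paths match
        el.tag = el.tag.split("}", 1)[-1]
    findings = []
    if _signs(root.find("build")):
        findings.append(("build", "always"))  # signs on every mvn install
    for profile in root.findall("profiles/profile"):
        if not _signs(profile.find("build")):
            continue
        prop = profile.find("activation/property")
        if prop is None:
            activation = "not property-activated"
        else:
            name = prop.findtext("name", "").strip()
            value = (prop.findtext("value") or "").strip()
            activation = f"-D{name}={value}" if value else f"-D{name} (any value)"
        findings.append(("profile:" + profile.findtext("id", "?").strip(), activation))
    return findings
```

A result containing `("build", "always")` means the POM will try to sign on every CI build; the profile entries show which property has to be supplied for signing to happen.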

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | mikera | View Question on Stackoverflow
Solution 1 - Java | Stefan Birkner | View Answer on Stackoverflow
Solution 2 - Java | Peter | View Answer on Stackoverflow
Solution 3 - Java | Derk | View Answer on Stackoverflow