From 0db9d1eaeee554e4d34f3325521265812f2b603b Mon Sep 17 00:00:00 2001
From: DemchaAV
Date: Sun, 31 May 2026 17:33:02 +0100
Subject: [PATCH] build(release): add GPG signing plugin to release profile (D2)

Wires up Track D2 from the readiness taskboard - the second step of the
Maven Central pipeline. Maven Central rejects unsigned uploads; this PR
adds maven-gpg-plugin 3.2.7 to the existing release profile so the
main / sources / javadoc / pom artefacts get signed during the verify
phase.

Off by default: new true property keeps local mvn -P release package
runs working without a configured GPG key. The publish workflow
(Track D4) flips it explicitly with -Dgpg.skip=false once
MAVEN_GPG_PRIVATE_KEY and MAVEN_GPG_PASSPHRASE secrets are wired.

gpgArguments declares --pinentry-mode loopback so non-interactive CI
runs accept the passphrase from env / system property without needing
a TTY for gpg-agent.

Verification:
  mvnw -P release -DskipTests verify -pl .                 (default skip=true)
    -> BUILD SUCCESS, sign step silently skipped
  mvnw -P release -Dgpg.skip=false -DskipTests verify -pl .
    -> BUILD FAILURE with gpg exit code 2 (expected - no key configured
       locally; proves plugin would attempt signing)

Pipeline state after this PR: artefacts (D1) + signing (D2) ready;
central-publishing (D3) and workflow (D4) pending. Maintainer GPG key
generation and GitHub secret wiring is the human prerequisite before
D4's workflow will actually publish anything.
---
 CHANGELOG.md | 12 ++++++++++++
 pom.xml      | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 59 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 71adc4fd..be294a19 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,6 +21,18 @@ JitPack continue to resolve through the existing coordinates. `./mvnw -DskipTests -P japicmp verify -pl .`; HTML/MD/XML reports land in `target/japicmp/`. JitPack repository is scoped to the `japicmp` profile, so downstream consumers do not inherit it. +- **GPG signing in the `release` profile** (Track D2). Adds + `maven-gpg-plugin` 3.2.7 to the existing `release` profile, binding + to the `verify` phase to sign main / sources / javadoc / pom + artefacts — Maven Central rejects unsigned uploads. **Off by + default**: a new property `true` keeps local + `mvn -P release package` runs working without a configured GPG key. + The publish workflow (Track D4) flips it explicitly with + `-Dgpg.skip=false` once the `MAVEN_GPG_PRIVATE_KEY` and + `MAVEN_GPG_PASSPHRASE` secrets are wired. `gpgArguments` declares + `--pinentry-mode loopback` so non-interactive CI runs accept the + passphrase from `-Dgpg.passphrase` / `MAVEN_GPG_PASSPHRASE` without + needing a TTY for `gpg-agent`. - **`release` Maven profile with sources + javadoc jars** (Track D1). Activated with `-P release`, attaches `*-sources.jar` and `*-javadoc.jar` to the `package` phase via the standard diff --git a/pom.xml b/pom.xml index 3bb82c36..3a2da5b2 100644 --- a/pom.xml +++ b/pom.xml @@ -67,6 +67,7 @@ 3.15.0 3.5.0 + 3.2.7 3.12.0 3.3.1 3.5.5 @@ -78,6 +79,14 @@ 0.23.1 v1.6.5 + + + true @@ -508,6 +517,44 @@ + + + org.apache.maven.plugins + maven-gpg-plugin + ${maven.gpg.plugin.version} + + + sign-artifacts + verify + + sign + + + ${gpg.skip} + + --pinentry-mode + loopback + + + + +
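Review bot: in the CHANGELOG hunk (@@ -21,6 +21,18 @@), the new entry presents `-Dgpg.passphrase` and `MAVEN_GPG_PASSPHRASE` as interchangeable ways to feed the loopback pinentry, but they are not equivalent from a secrets-handling point of view: a `-D` system property sits on the `mvn` command line, where it is visible to every local user through `ps` and to anyone reading a CI log that echoes the invocation, while the environment variable is not. Suggest dropping the `-Dgpg.passphrase` alternative from the entry (or marking it local-debugging-only) so D4 is steered to the env var. Second, the entry says the `true` default keeps `mvn -P release package` working; the `sign-artifacts` execution in the pom.xml hunk is bound to the `verify` phase, so `package` never reaches the plugin whether `gpg.skip` is true or false. The command the flag actually guards is `verify` (the one the commit message's own verification uses), so name that one.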
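Review bot: in the properties hunk (@@ -78,6 +79,14 @@), `gpg.skip` is pinned to `true` at POM level and nothing in the `release` profile itself turns it off, so once D3 lands the only thing between a `-P release deploy` and an unsigned upload attempt is the D4 workflow remembering `-Dgpg.skip=false`. Central will bounce the upload, as the commit message says, but a rejected release at the last step is the expensive way to learn the flag was missed. Consider having the publish path activate a profile that sets `gpg.skip` to `false` inside the POM (or fail the build when the publish goal runs with signing skipped) rather than relying on a command-line flag alone.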
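Review bot: in the plugin hunk (@@ -508,6 +517,44 @@), the `sign-artifacts` execution sets no `keyname`, so gpg signs with whatever secret key it treats as the default in the runner's keyring. That is fine while the key imported from `MAVEN_GPG_PRIVATE_KEY` is the only one present, but a second key on the runner, or a developer's own keyring when running with `-Dgpg.skip=false`, would silently change the signing identity. Pin it with a `keyname` element fed from a property such as `gpg.keyname` holding the maintainer key's fingerprint, so a release signed by an unexpected key fails instead of uploading. Also worth a comment next to the `gpgArguments` block: `--pinentry-mode` only exists in GnuPG 2.1 and later, so on an older gpg every non-skipped run dies with an unknown-option error, which is easy to misread as the no-key-configured failure the commit message describes.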
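The commit message's verification step only shows whether the `sign` goal ran or was skipped. Before a `target/` directory is handed to the D3/D4 publish path, a practitioner also wants a quick offline check that every jar actually received its `.asc` companion and that each `.asc` is a well-formed, untruncated OpenPGP armored signature. The script below is an added example written for this review; it is not code from the DemchaAV project or from maven-gpg-plugin. It assumes the flat `target/` layout the plugin's `sign` goal leaves behind (`<name>.jar` next to `<name>.jar.asc`, plus a `*.pom.asc` for the project pom) and deliberately stops short of cryptographic verification, which needs the maintainer's public key and `gpg --verify`. The six-byte `SAMPLE_SIG_PACKET` and the directory built by `demo()` are constructed stand-ins, not real signatures. It is written in Python rather than shell so it runs on any runner without a `gpg` binary.

```python
"""Offline completeness check for Maven release artefacts before upload.

Example code added for this review; not part of the project. Assumes the flat
target/ layout maven-gpg-plugin's sign goal produces: <name>.jar next to
<name>.jar.asc, and a <name>.pom.asc for the project pom.
"""
from __future__ import annotations

import base64
import re
import sys
import tempfile
from pathlib import Path

# CRC-24 parameters from RFC 4880 section 6.1 (ASCII armor checksum).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# Constructed stand-in: old-format packet header 0x88 = tag 2 (Signature) with a
# 1-byte length of 4, then version 4 / type 0x00 / RSA / SHA-256. Not a real
# signature; just enough structure for the checks below.
SAMPLE_SIG_PACKET = bytes([0x88, 0x04, 0x04, 0x00, 0x01, 0x08])

ARMOR_RE = re.compile(
    r"-----BEGIN PGP SIGNATURE-----\r?\n"
    r"(?:[^\n]*:[^\n]*\r?\n)*"                     # optional Version:/Comment: headers
    r"\r?\n"                                       # blank line ends the headers
    r"(?P<body>(?:[A-Za-z0-9+/][A-Za-z0-9+/=]*\r?\n)+)"
    r"=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"             # '=' + 4 base64 chars of CRC-24
    r"-----END PGP SIGNATURE-----"
)


def crc24(data: bytes) -> int:
    """Bitwise CRC-24 exactly as the RFC 4880 reference code computes it."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def parse_armored_signature(text: str) -> bytes:
    """Return the raw packet bytes of an ASCII-armored signature.

    Raises ValueError when the armor block is missing or garbled, when the
    CRC-24 trailer does not match the decoded data (truncation/corruption),
    or when the first packet is not an OpenPGP Signature packet (tag 2).
    """
    m = ARMOR_RE.search(text)
    if m is None:
        raise ValueError("no PGP SIGNATURE armor block found")
    raw = base64.b64decode("".join(m.group("body").split()), validate=True)
    stored = int.from_bytes(base64.b64decode(m.group("crc")), "big")
    computed = crc24(raw)
    if computed != stored:
        raise ValueError(f"armor CRC mismatch: trailer {stored:06x}, data {computed:06x}")
    if not raw or not raw[0] & 0x80:
        raise ValueError("body does not start with an OpenPGP packet header")
    tag = raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F  # new vs old format
    if tag != 2:
        raise ValueError(f"first packet has tag {tag}, expected Signature (2)")
    return raw


def armor(raw: bytes) -> str:
    """Wrap raw packet bytes in signature armor (used only to build fixtures)."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode("ascii")
    return f"-----BEGIN PGP SIGNATURE-----\n\n{lines}\n={crc}\n-----END PGP SIGNATURE-----\n"


def check_release_dir(target: Path) -> list[str]:
    """Return a list of problems; empty means every jar has a .asc, a pom signature
    exists, and every .asc parses. Cryptographic validity is NOT checked here."""
    problems: list[str] = []
    jars = sorted(target.glob("*.jar"))
    sigs = sorted(target.glob("*.asc"))
    if not jars:
        problems.append(f"{target}: no .jar artefacts found")
    for jar in jars:
        if not jar.with_name(jar.name + ".asc").is_file():
            problems.append(f"{jar.name}: missing {jar.name}.asc")
    if not any(s.name.endswith(".pom.asc") for s in sigs):
        problems.append(f"{target}: no *.pom.asc (pom not signed)")
    for sig in sigs:
        try:
            parse_armored_signature(sig.read_text(encoding="ascii"))
        except (ValueError, UnicodeDecodeError) as exc:
            problems.append(f"{sig.name}: {exc}")
    return problems


def demo() -> list[str]:
    """Constructed target/: main jar and pom signed, sources jar unsigned,
    javadoc .asc with one corrupted base64 character (CRC-24 catches it)."""
    good = armor(SAMPLE_SIG_PACKET)
    corrupted = good.replace("iAQEAAEI", "iAQEAAEJ")  # flips last data byte 0x08 -> 0x09
    files = {
        "lib-1.0.jar": None, "lib-1.0.jar.asc": good, "lib-1.0.pom.asc": good,
        "lib-1.0-sources.jar": None,
        "lib-1.0-javadoc.jar": None, "lib-1.0-javadoc.jar.asc": corrupted,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in files.items():
            path = Path(tmp) / name
            if content is None:
                path.write_bytes(b"PK\x03\x04")  # stand-in jar bytes
            else:
                path.write_text(content, encoding="ascii")
        return check_release_dir(Path(tmp))


if __name__ == "__main__":
    findings = check_release_dir(Path(sys.argv[1])) if len(sys.argv) > 1 else demo()
    print("\n".join(findings) or "all artefacts signed and armor intact")
    sys.exit(1 if findings else 0)
```

Run it as `python check_release.py target/` (the file name is hypothetical); a non-empty list is the reason to stop before uploading. The CRC-24 step is what catches a `.asc` that was truncated in transit or mangled by a line-ending rewrite, both of which `gpg --verify` would also refuse, but this check runs on the runner without importing any key.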