I have a maven build that is trying to make use of maven-gpg-plugin. If I have a plaintext password in settings.xml, things work. If I paste the encrypted password, I get "bad password" error. Details of my steps are below, but any ideas of what I'm doing wrong? Also, as a side question, I'm surprised that multiple runs of "mvn -ep " give different results. I would have thought to be able to decrypt, the same result should be returned. I'd be curious for an explanation for this.
First, I generated and distributed my key pair, following these instructions from Sonatype. Next, I updated my ~/.m2/settings.xml file with my password, as explained by Apache. Finally, I built. It works great. Time to encrypt.
Following the encryption advice from Apache, I created a (Maven) master password, put it into settings-security.xml, encrypted the gpg password, and put that into settings.xml. (I've tried this in various ways, including using the same password at every stage.) Now when I try to build I get the errors:
gpg: no default secret key: Bad passphrase
gpg: signing failed: Bad passphrase
If I change the password back to plaintext in settings.xml, things work again. If I add "-X" to my maven build, I see that it is finding settings-security.xml. (Actually, I can only see when it doesn't find it, if I remove the file.)
gpg --gen-key
<choose defaults of RSA/RSA, 2048, and no expiration. Enter in values for name and email.>
gpg --keyserver hkp://pool.sks-keyservers.net --send-keys <key>
mvn clean gpg:sign
mvn -emp <password>
<put encrypted password into ~/.m2/settings-security.xml>
mvn -ep <password>
<put encrypted password into ~/.m2/settings.xml>
mvn clean gpg:sign
pom.xml:
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>example</groupId>
<artifactId>example.test</artifactId>
<version>develop-SNAPSHOT</version>
<packaging>pom</packaging>
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>1.6</version>
<executions>
<execution>
<goals>
<goal>sign</goal>
</goals>
</execution>
</executions>
</plugin>
</plugins>
</build>
</project>
settings.xml:
<?xml version="1.0" encoding="UTF-8" ?>
<settings>
<profiles>
<profile>
<id>ossrh</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg</gpg.executable>
<gpg.passphrase>{pQ...lV}</gpg.passphrase>
</properties>
</profile>
</profiles>
</settings>
settings-security.xml:
<settingsSecurity>
<master>{KC...jm}</master>
</settingsSecurity>
From closer reading, it appears that only the "servers" section in settings.xml can have encrypted passwords. However, using information from yet another Apache webpage, I was able to get my above use case to work. Most of what I did was correct, and I just had to make the following modifications.
1) I changed my pom.xml executions section to now read:
<executions>
<execution>
<goals>
<goal>sign</goal>
</goals>
<configuration>
<keyname>${gpg.keyname}</keyname>
<passphraseServerId>${gpg.keyname}</passphraseServerId>
</configuration>
</execution>
</executions>
2) I got my public gpg key ("gpg --list-key | grep ^pub", the 8 HEX digit value). I'll list this as A1234567 in the next step.
3) I updated settings.xml as follows:
<?xml version="1.0" encoding="UTF-8" ?>
<settings>
<profiles>
<profile>
<id>ossrh</id>
<activation>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg</gpg.executable>
<gpg.keyname>A1234567</gpg.keyname>
</properties>
</profile>
</profiles>
<servers>
<server>
<id>A1234567</id>
<passphrase>{pQ...lV}</passphrase>
</server>
</servers>
</settings>
4) "mvn clean gpg:sign" doesn't work, but "mvn clean install" does. My real use-case is to get "mvn clean install" to work, so I didn't bother figuring this out. (I'd bet it has something to do with lifecycle phases.)
I'm surprised that multiple runs of "mvn -ep" give different results. I would have thought to be able to decrypt, the same result should be returned. I'd be curious for an explanation for this.
A random initialization vector and padding are added by the encryption scheme, resulting in non-deterministic cryptotexts. decryption(encryption(plain text)) is deterministic again, as padding and initialization vector are omitted.
The IV and padding prevent several chosen and known plain text attacks.