Add more info about signing (as part of release).

eclipse-sisu · May 30, 2024 · 56fcded · 56fcded
1 parent acaf7be
commit 56fcded
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/RELEASE.md b/RELEASE.md
@@ -2,7 +2,16 @@
 
 ## Maven
 
-It should be the "usual" Maven release:
+Note: Build uses latest `maven-gpg-plugin` and is getting rid "old bad practices" of storing sensitive information in
+any Maven configuration file. Hence, on Workstations, users are recommended to have GPG Agent set up and running,
+as plugin will make use of it to get the sensitive information. On unattended releases, the use of
+BouncyCastle signer is recommended, and use environment variables `MAVEN_GPG_KEY` and `MAVEN_GPG_PASSPHRASE` 
+to pass over the key material and the passphrase to `maven-gpg-plugin`.
+See [maven-gpg-plugin site](https://maven.apache.org/plugins/maven-gpg-plugin/usage.html) for more information.
+
+### Release steps
+
+The "usual" Maven release:
 * `mvn release:prepare`
 * `mvn release:perform`
 * project uses https://oss.sonatype.org/ to stage (manual step: close and release staging repository)