From 56fcded1d52bcc20e8624dd98414078b1d66ae68 Mon Sep 17 00:00:00 2001 From: Tamas Cservenak Date: Thu, 30 May 2024 13:54:42 +0200 Subject: [PATCH] Add more info about signing (as part of release). --- RELEASE.md | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/RELEASE.md b/RELEASE.md index d42736d6..110b1414 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -2,7 +2,16 @@ ## Maven -It should be the "usual" Maven release: +Note: Build uses latest `maven-gpg-plugin` and is getting rid "old bad practices" of storing sensitive information in +any Maven configuration file. Hence, on Workstations, users are recommended to have GPG Agent set up and running, +as plugin will make use of it to get the sensitive information. On unattended releases, the use of +BouncyCastle signer is recommended, and use environment variables `MAVEN_GPG_KEY` and `MAVEN_GPG_PASSPHRASE` +to pass over the key material and the passphrase to `maven-gpg-plugin`. +See [maven-gpg-plugin site](https://maven.apache.org/plugins/maven-gpg-plugin/usage.html) for more information. + +### Release steps + +The "usual" Maven release: * `mvn release:prepare` * `mvn release:perform` * project uses https://oss.sonatype.org/ to stage (manual step: close and release staging repository)
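Review bot: In the added "Note:" paragraph of the RELEASE.md hunk, the sentence "is getting rid "old bad practices"" is missing "of" and should read `is getting rid of "old bad practices"`; while touching it, lowercase "Workstations" and change "On unattended releases" to "For unattended releases". The unattended-release guidance also stops short: it names the BouncyCastle signer and the `MAVEN_GPG_KEY` / `MAVEN_GPG_PASSPHRASE` environment variables but does not say how the BouncyCastle signer is actually selected for `maven-gpg-plugin`, so a release engineer still has to hunt through the linked site; one sentence (or the exact property/parameter) would make the section self-contained. Since `MAVEN_GPG_KEY` carries the private key material itself, it would also be worth stating that both variables must come from the CI system's secret store and never be written into any checked-in or logged configuration, which is the point the "old bad practices" sentence is trying to make.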