This plugin comes with several built-in ways to specify the passphrase.

Specify the passphrase as a literal

literal:PASSPHRASE

This lets you specify the passphrase directly inline. This is insecure, but one might justifiably do this if the private key is sufficiently protected.

Store passphrase in a file

If you store the passphrase in a text file, you can do the following to have this plugin read that file. With proper file access permissions, this is a reasonably secure approach, and you won't leak the passphrase into build log files.

file:path/to/textfile
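
One way to create the passphrase file with owner-only permissions and to verify those permissions before a build, as an added example that is not part of this plugin. The function names and the script name are assumptions; only the file: specifier comes from the text above.

```shell
#!/bin/sh
# Added example. The path passed in is the one you give to file:, not a plugin default.

# Print "<octal-mode> <owner-uid>" for a path (GNU stat first, then BSD stat).
file_mode_uid() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# Write the passphrase from stdin to $1 so that it never appears in argv or
# shell history. The file is made owner-only before any secret is written.
write_passphrase_file() {
    ( umask 077 && : > "$1" && chmod 600 "$1" && cat > "$1" )
}

# Return 0 only if $1 is a regular file (not a symlink), owned by the current
# user, with no group or other permission bits set.
check_passphrase_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    info=$(file_mode_uid "$f") || return 1
    mode=${info% *}
    uid=${info#* }
    if [ "$uid" != "$(id -u)" ]; then
        echo "refusing $f: owned by uid $uid" >&2
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 masks group/other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "refusing $f: mode $mode is accessible beyond the owner" >&2
        return 1
    fi
    return 0
}

# Usage (script name is hypothetical): sh check-passfile.sh path/to/textfile
if [ $# -gt 0 ]; then
    check_passphrase_file "$1"
fi
```

Run the check as a step before Maven so that a passphrase file with loosened permissions fails the build early.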

Obtain passphrase from GPG Agent

If you are running Maven interactively, specify the following to retrieve the passphrase from the GPG agent. Refer to the gpg-agent man page for how to run the GPG agent.

gpg-agent:

GPG agent support is platform dependent. If it does not work on your platform, please file a ticket.

Implementing your own passphrase loader

Aside from the built-in implementations above, you can implement a custom loader as a Plexus component, then specify it as a dependency in the plugin declaration of the POM. Refer to the source code of this plugin to see which base class to extend and how to mark your class as a component.