This plugin comes with several different implementations of how you specify the secret key

Load from key file

keyfile:path/to/key.asc

Specify a key by pointing to a file that contains it. This file normally starts with -----BEGIN PGP PRIVATE KEY BLOCK-----, and can be created by commands like gpg --export-secret-keys KEYID.

Such a file can be either checked into the source tree (it is useless without the pass-phrase, so doing so by itself doesn't entirely compromise the security), or can be placed in a removable device, and so on.

Load from key ring

Keyring is a file that can contain multiple keys.

keyring:keyring=path/to/keyring
keyring:id=KEYID
keyring:keyring=path/to/keyring&id=KEYID

The keyring parameter specifies the key ring file. If it is not given, it defaults to ~/.gnupg/secring.gpg, which is where GPG stores your secret keys.

The id parameter specifies the key ID, which is an 8-digit hexadecimal string that identifies the key among other keys in your keyring. You can also specify the e-mail address or the full name associated with the key to select the key. If this parameter is omitted, it defaults to the first key in the keyring.

Implementing your own key loader

Aside from the above built-in implementations, you can implement a custom key loader as a Plexus component, then specify it as a dependency into the plugin declaration of POM. Refer to the source code of this plugin to see what base class you extend from, and how to mark your class as a component.