This plugin comes with several different implementations of how you specify the pass-phrase
This lets you specify the passphrase inline directly. This is insecure, but if your private key is sufficiently protected, one might justifiably do this.
If you store the pass-phrase in a text file, you can do the following to have this plugin read that file. With proper file access permission, this is a reasonable secure approach, and you won't leak the passphrase into build log files.
If you are running Maven interactively, specify the following to retrieve the passphrase from GPG agent. Refer to gpg-agent man page for how to run the GPG agent.
The GPG agent support is platform dependent. If this didn't work for your platform, please file a ticket.
Aside from the above built-in implementations, you can implement a custom loader as a Plexus component, then specify it as a dependency into the plugin declaration of POM. Refer to the source code of this plugin to see what base class you extend from, and how to mark your class as a component.