Yeah, I'm not sure how maven is calling gpg, but I get that too. The end result, btw, is that this is from reworking the maven deploy instructions. In the old method, two things would happen:
a) you'd build
b) then run mvn deploy w/your gpg passphrase on the command line
So there was a possibility that the tar jars and the deployed jars might be different, depending upon how the docs were generated.
Now create-release just primes a gpg-agent to store the passphrase so that you only need to type it once and it doesn't appear on the command line. We sign the jars as we build so that when mvn deploy is run post-create-release, it just uploads since the jars are already signed.
One thing I haven't tried is passing --quiet through to maven to see if gpg is silent. Given that we've built a dependency upon gpg-agent (honestly: who wants to type their gpg password a few dozen times?!?), there's really not much of a reason for gpg to put anything to the screen.
But yeah, I agree. For now, let's get this checked in and we can deal with the extra gpg messages later if it really becomes a problem.
Thanks for the review!