Allow GPG signing to be skipped in development

[sbesson]

jzarr/pom.xml

Lines 246 to 262 in d4f85aa

	<plugin>
	<groupId>org.apache.maven.plugins</groupId>
	<artifactId>maven-gpg-plugin</artifactId>
	<version>1.6</version>
	<executions>
	<execution>
	<id>sign-artifacts</id>
	<phase>verify</phase>
	<goals>
	<goal>sign</goal>
	</goals>
	<configuration>
	<keyname>9F88D86AD9A0D91E</keyname>
	</configuration>
	</execution>
	</executions>
	</plugin>

was introduced as part of 00180d1 as a prerequisite to the deployment to OSS Sonatype - see https://central.sonatype.org/publish/requirements/#sign-files-with-gpgpgp.

While this works very elegantly in the context of artifact publication via GitHub Actions, this breaks local developer workflow while running mvn install. Supporting both workflows might require defining a profile to allow the artifact signing to be triggered conditionally.

[joshmoore]

In the way of info, 9F88D86AD9A0D91E from https://github.com/zarr-developers/jzarr/blob/main/pom.xml#L258C34-L258C50 is a dedicated GPG key:

pub   rsa2048 2023-05-19 [SC]
      E8CF B87E 58C0 2B91 1AB5  37BC 9F88 D86A D9A0 D91E
uid           [ultimate] Zarr Developers (Automated GitHub Signing) <zarrdevelopers@gmail.com>
sub   rsa2048 2023-05-19 [E]

that's been registered with GitHub and Maven Central.

[jburel]

Running mvn install -Dgpg.skip should do the trick and does not require refactoring