diff --git a/sigstore-maven-plugin/README.md b/sigstore-maven-plugin/README.md
index 61b23308..0ac05cd6 100644
--- a/sigstore-maven-plugin/README.md
+++ b/sigstore-maven-plugin/README.md
@@ -47,8 +47,8 @@ See [GitHub documentation](https://docs.github.com/en/actions/deployment/securit
Notes:
-
-- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
+- GPG: Maven Central publication rules require GPG signing. To avoid GPG signing of `.sigstore.json` signature files, use version 3.2.5 or higher of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/).
+- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 or higher, or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
Known limitations:
diff --git a/sigstore-maven-plugin/build.gradle.kts b/sigstore-maven-plugin/build.gradle.kts
index 18be217d..9f6d5628 100644
--- a/sigstore-maven-plugin/build.gradle.kts
+++ b/sigstore-maven-plugin/build.gradle.kts
@@ -16,7 +16,7 @@ dependencies {
implementation(project(":sigstore-java"))
implementation("org.bouncycastle:bcutil-jdk18on:1.78.1")
- implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.4")
+ implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.5")
testImplementation("org.apache.maven.shared:maven-verifier:1.8.0")
diff --git a/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java b/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java
index 9daf6a8a..5d57794a 100644
--- a/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java
+++ b/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java
@@ -40,22 +40,13 @@ public class SigstoreSignAttachedMojo extends AbstractMojo {
private static final String BUNDLE_EXTENSION = ".sigstore.json";
- // TODO: this can potentially be derived from mvn-gpg-plugin:FilesCollector.java,
- // but that requires a change in that plugin before it makes sense here.
- private static final String DEFAULT_EXCLUDES[] =
- new String[] {
- "**/*.md5", "**/*.sha1", "**/*.sha256", "**/*.sha512", "**/*.asc", "**/*.sigstore.json"
- };
-
/** Skip doing the sigstore signing. */
@Parameter(property = "sigstore.skip", defaultValue = "false")
private boolean skip;
/**
* A list of files to exclude from being signed. Can contain Ant-style wildcards and double
- * wildcards. The default excludes are
- * **/*.md5 **/*.sha1 **/*.sha256 **/*.sha512 **/*.asc **/*.sigstore.json
- *
.
+ * wildcards. The defaults are defined in DEFAULT_EXCLUDES in {@link FilesCollector}.
*/
@Parameter private String[] excludes;
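Review bot: The rewritten `excludes` Javadoc now sends users to `DEFAULT_EXCLUDES` in `{@link FilesCollector}`, a class that lives in maven-gpg-plugin rather than in this plugin, so the generated plugin documentation no longer states which files are skipped by default, whereas the removed text spelled the patterns out. I would keep the list in the Javadoc, qualified by where it comes from, e.g. `* wildcards. When unset, the defaults of maven-gpg-plugin's FilesCollector apply (its DEFAULT_EXCLUDES, which as of 3.2.5 appear to cover checksum, .asc and .sigstore.json files — confirm against that version).` The `.sigstore.json` exclusion matters more than the others: it is what keeps a re-run of the mojo from signing the bundles it wrote itself under BUNDLE_EXTENSION on the line above, and with this change that invariant is owned by the dependency version pinned in build.gradle.kts rather than by this class, which deserves a one-line comment next to BUNDLE_EXTENSION. The `{@link}` only resolves if FilesCollector is imported in this file; the next hunk uses it unqualified, so that is presumably already the case. The enclosing class continues outside the hunk.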
@@ -81,8 +72,7 @@ public void execute() throws MojoExecutionException, MojoFailureException {
// Collect files to sign
// ----------------------------------------------------------------------------
- FilesCollector collector =
- new FilesCollector(project, (excludes == null) ? DEFAULT_EXCLUDES : excludes, getLog());
+ FilesCollector collector = new FilesCollector(project, excludes, getLog());
List items = collector.collect();
// ----------------------------------------------------------------------------
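Review bot: `new FilesCollector(project, excludes, getLog())` now passes `excludes` through unconditionally, so when the parameter is not configured the constructor receives null and the whole default-exclude behaviour rests on maven-gpg-plugin 3.2.5's FilesCollector treating null as "use DEFAULT_EXCLUDES"; that contract is not visible in this file and is worth pinning at the call site with `// excludes == null -> FilesCollector applies its own DEFAULT_EXCLUDES (maven-gpg-plugin >= 3.2.5)`. Since an older maven-gpg-plugin on the classpath would silently change which files get signed, a guard such as `Objects.requireNonNull(collector, ...)` does not help here; the version pin and the comment are the protection. The unchanged `List items = collector.collect();` is a raw type; if `collect()` returns a typed list, declaring that element type here would remove the unchecked use downstream. `execute()` starts before and ends after this hunk.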