diff --git a/.github/workflows/createereleasenodeploy.yml b/.github/workflows/createereleasenodeploy.yml index d2de7945..c78a9e8f 100644 --- a/.github/workflows/createereleasenodeploy.yml +++ b/.github/workflows/createereleasenodeploy.yml @@ -15,7 +15,7 @@ jobs: env: SUBDIR: ${{ github.event.inputs.subdir }} - MVNCMD: mvn -B -ntp + MVNCMD: mvn -B -ntp -P release GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_ACTOR: ${{ github.actor }} @@ -35,6 +35,8 @@ jobs: java-version: '11' distribution: 'temurin' cache: maven + # gpg-private-key: ${{ secrets.GPG_SECRET_KEYS }} + gpg-passphrase: GPG_PASSPHRASE - name: Dump settings run: cat $HOME/.m2/settings.xml @@ -52,12 +54,22 @@ jobs: run: | echo '${{ toJSON(github) }}' + - name: Try to set a master password + run: | + MASTERPWD=$(openssl rand -base64 25) + echo " $(mvn --encrypt-master-password "$MASTERPWD")" > $HOME/.m2/settings-security.xml + # echo "MASTERPWD=\"$MASTERPWD\"" >> $GITHUB_ENV + # The master password isn't actually used, but the maven-gpg-plugin complains otherwise. + - name: Git & Maven Status run: | $MVNCMD -version git remote -v git status --untracked-files --ignored git log -3 --no-color --decorate + $MVNCMD -version + find . -name 'settings*xml' + find /home/runner/work/ -name 'settings*xml' - name: Mvn Effective POM run: $MVNCMD -N help:effective-pom @@ -65,6 +77,16 @@ jobs: - name: Mvn Effective Settings run: $MVNCMD -N help:effective-settings + - name: Import GPG key + env: + GPG_SECRET_KEYS: ${{ secrets.GPG_SECRET_KEYS }} + GPG_OWNERTRUST: ${{ secrets.GPG_OWNERTRUST }} + run: | + echo $GPG_SECRET_KEYS | base64 --decode | gpg --import --no-tty --batch --yes + echo $GPG_OWNERTRUST | base64 --decode | gpg --import-ownertrust --no-tty --batch --yes + gpg -v --refresh-keys + gpg --list-secret-keys --keyid-format LONG + - name: Configure git user for release commits # specific to repository - we don't want that to be the same thing in a fork. env: 
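Review bot: In the `setup-java` inputs, `gpg-passphrase: GPG_PASSPHRASE` is the name of an environment variable, not the passphrase, and nothing in the hunk says so. A comment such as `# name of the env var that holds the passphrase; the value is injected only in the "Perform release" step` would stop a later editor from pasting a secret expression here. The commented-out `gpg-private-key` line should either be enabled or deleted. If enabled, the action imports the key itself and, as far as I recall, removes it from the keyring in its post-job step, which the manual import added further down does not do.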
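Review bot: The new "Try to set a master password" step passes the generated password to `mvn --encrypt-master-password` as a command-line argument and writes `settings-security.xml` with the default umask and an unquoted `$HOME`. The comment says the master password is unused, so the exposure is small, but `umask 077` before the redirect and `> "$HOME/.m2/settings-security.xml"` cost nothing. The commented-out `echo "MASTERPWD=..." >> $GITHUB_ENV` should be deleted rather than kept, since enabling it would hand the password to every later step. In the "Git & Maven Status" step, the added `$MVNCMD -version` duplicates the call at the top of the same step, and the two `find` lines look like debugging leftovers.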
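Review bot: In the added "Import GPG key" step, `$GPG_SECRET_KEYS` and `$GPG_OWNERTRUST` are expanded unquoted, so the shell word-splits and glob-expands the secret before `base64` reads it. Use `printf '%s' "$GPG_SECRET_KEYS" | base64 --decode | gpg --import --no-tty --batch --yes`, and the same form for the ownertrust line. `gpg -v --refresh-keys` makes the release depend on a keyserver being reachable and merges whatever that server returns into the keyring; signing does not need it, so I would drop the line. Nothing removes the imported secret key afterwards, which matters if this job ever runs on a self-hosted runner. Passing the secrets through `env:` rather than interpolating them into the script is the right choice and should stay.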
@@ -114,6 +136,8 @@ jobs: # create a release without deploying it since we still have trouble with maven central - name: Perform release + env: + GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }} run: | $MVNCMD -X release:perform -DlocalCheckout=true -DdeployAtEnd=true "-Darguments=-DdeployAtEnd=true" "-Dgoals=clean install"
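Review bot: The "Perform release" step now carries `GPG_PASSPHRASE` in its environment while the command still runs with `-X`, so Maven debug logging is on for the one step that handles the signing secret. Debug output includes resolved plugin configuration, and GitHub's log masking only matches the exact secret string, so any encoded or transformed form would appear in clear. I would drop `-X` here (`$MVNCMD release:perform -DlocalCheckout=true ...`) and re-enable it only for a troubleshooting run. Scoping the secret to this step alone, rather than to the job-level `env`, is good and should be kept.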