[BEAM-6726] explicitly specify signing key #8026
Conversation
|
R: @aaltay |
| @@ -98,7 +105,8 @@ if [[ $confirmation = "y" ]]; then | |||
| echo "2. new rc tag has created in github." | |||
|
|
|||
| echo "-------------Staging Java Artifacts into Maven---------------" | |||
| ./gradlew publish -PisRelease --no-daemon | |||
| gpg --local-user ${SIGNING_KEY} --output /dev/null --sign ~/.bashrc | |||
There was a problem hiding this comment.
Is this for testing that the key is working?
Would not it break if ~/.bashrc does not exist?
There was a problem hiding this comment.
No. It is to ensure the key is unlocked so gpg-agent will just provide access to the key without requesting for user input within gradle call. As gradle is configured to shell out to gpg cli, streams get broken and no input is possible.
And yes, this will break, if .bashrc does not exist. But the same pattern was used before [1], so I just reused that.
Of course, we might reconsider that.
[1] https://github.com/apache/beam/blob/master/release/src/main/scripts/verify_release_build.sh#L140
| gpg --list-keys --keyid-format LONG --fingerprint --fingerprint | ||
| echo "Please copy the public key which is associated with your Apache account:" | ||
|
|
||
| read SIGNING_KEY |
There was a problem hiding this comment.
Should we check that this is matching: user.signingkey (from: https://github.com/apache/beam/blob/master/release/src/main/scripts/preparation_before_release.sh#L48) or usage from other scripts?
There was a problem hiding this comment.
Probably yes.
But we did not check before [1], so I did not bother to implement this. As it probably would require to keep some state across scripts. Currently this is left to manual release verification.
As I tend to assume that these script need some rework anyway, I restricted the scope of this PR to a minimal viable solution to get release enabled on gradle5.
[1] There is no check on signing key set in git config against key put into KEYS file nor against default key used for signing artefacts.
There was a problem hiding this comment.
Sounds good. Do you mind add a JIRA todo comment here to clean this up in all scripts?
|
Run Java PreCommit |
|
Run Python PreCommit |
|
Nice. Thx for merging. |
This PR changes the release script to not rely on gpg default key, but forces the release manager to explicitly specify the signgin key which then is used for signing tasks.
Thank you for your contribution! Follow this checklist to help us incorporate your contribution quickly and easily:
R: @username).[BEAM-XXX] Fixes bug in ApproximateQuantiles, where you replaceBEAM-XXXwith the appropriate JIRA issue, if applicable. This will automatically link the pull request to the issue.Post-Commit Tests Status (on master branch)
See .test-infra/jenkins/README for trigger phrase, status and link of all Jenkins jobs.