-
-
Notifications
You must be signed in to change notification settings - Fork 303
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix gpg signing during sonatype publishing to work with gpg versions: 2.1+ #753
Conversation
… 2.1+ Sets flag '--pinentry-mode' to 'loopback', to prevent gpg from interactively asking for the gpg passphrase. See: https://www.gnupg.org/%28de%29/documentation/manuals/gpgme/Pinentry-Mode.html
We shouldn't hard code that at all. It could be a parameter to a sign command. I also think, that it should be possible to leave some defaults in a gnupg config file. Actually, I use the interactive default, when publishing non-automatically. |
So this is why I haven't managed to get non-interactive gpg signing to work. Looking forward to getting this merged |
@lefou As an immediate fix, I think it makes sense to hardcode this new parameter. It accomplishes the same purpose as the other pre-existing hardcoded parameter (i.e. If that's not an option, I can close this PR and work on another PR to make the |
I absolutely agree with @lefou here: gpg's config should only be handled by gpg, and never by the build tool. See this discussion in an issue in sbt-gpg. The gist of it is that key material may be provided in many different ways and that assuming the existence of a passphrase is already too restrictive (I'm using a yubikey for example). As noted in the discussion, in case non-interactive signing is required (for example in CI), the recommended approach is to store the keychain itself in an encrypted format and remove the password from the GPG private key. See this section of sbt-gpg's readme on how this can be done. |
We are basically not able to publish to sonatype from CI. I'm actually wondering how people have been doing so far. |
That hasn't been my experience. The way to do it is to not set a passphrase on the gpg key[1]. Then the pinentry flag is not even required. [1] the reasons for not assuming passphrases are detailed in the discussion above and int linked sbt-gpg project. It essentially boils down to supporting to passphrase protection being a too strong assumption and not something that should be handled by mill |
Look at this how-to from sbt-gpg, it applies to mill as well. Here's an example ci build as well. |
Ok I just saw the recommendation to remove the password from the key. What makes |
Hmm, didn't know there was this argument actually. Let me see |
Any more opinions on this? |
The gpgPassphrase options seem to predate much of the discussion. I would actually suggest to remove them entirely.
It's a matter of assumptions and generalization. Who is to say that the key is a file protected with a passphrase in the first place? It could very well be in an HSM or obtained through some other mechanism. The important thing to note is that we are using gpg to sign artifacts with a key. The passphrase is just an implementation detail about which mill should not concern itself. That is up to gpg. |
Wrt to removing the gpgPassphrase options, I actually think it would make sense to generalize them. Instead of having a "passphrase" option, why not create a parameter "gpg options" which gets passed verbatim to gpg? That should allow enough flexibility to accommodate all use cases. |
Here is the implementation: #851 |
Fixed by #851 |
yay!
…On Wed, 6 May 2020 at 4:21 PM, Tobias Roeser ***@***.***> wrote:
Closed #753 <#753>.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#753 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AE5HBDAGC4KUXTGFCH7Z2ELRQEMX7ANCNFSM4KB2SGXA>
.
|
…#2782) A few years ago how to handle `gpg`'s changing requirements were extensively discussed here, and very reasonably resolved. See #753 Nevertheless, having just upgraded from a very ancient `gpg`, I hit this issue and it took a small storm of googling to figure it out. Maybe it's worth adding a note to the documentation? Pull request: #2782
Sets flag
--pinentry-mode
toloopback
, to preventgpg
from interactively asking forthe gpg passphrase. This flag is necessary for newer versions of
gpg
.The flag has been available in
gpg
since version1.4.0
, so this patch should be compatible withgpg
versions1.4.0
and up.See: https://www.gnupg.org/%28de%29/documentation/manuals/gpgme/Pinentry-Mode.html