literal:secretkey #2

Open
leonardofl opened this issue Apr 25, 2018 · 1 comment · May be fixed by #3

@leonardofl leonardofl commented Apr 25, 2018

Hello,

I'm trying to load the secret key into PGP_SECRETKEY in the following way:

export PGP_SECRETKEY=`cat secretkey.asc`

But I'm getting the following error at mvn install:

[ERROR] Failed to execute goal org.kohsuke:pgp-maven-plugin:1.1:sign (default) on project fatiador: Invalid secret key scheme '-----BEGIN PGP PRIVATE KEY BLOCK-----
[ERROR] Version'. If this is your custom scheme, perhaps you forgot to specify it in <dependency> to this plugin?: java.util.NoSuchElementException
[ERROR]       role: org.kohsuke.maven.pgp.SecretKeyLoader
[ERROR]   roleHint: -----BEGIN PGP PRIVATE KEY BLOCK-----

I have also tried adding "literal:" at the beginning of my secret key. The result:

[ERROR] Failed to execute goal org.kohsuke:pgp-maven-plugin:1.1:sign (default) on project fatiador: Invalid secret key scheme 'literal'. If this is your custom scheme, perhaps you forgot to specify it in <dependency> to this plugin?: java.util.NoSuchElementException
[ERROR]       role: org.kohsuke.maven.pgp.SecretKeyLoader
[ERROR]   roleHint: literal

My private key structure:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1

...
B8hLNsLWwcxxxxxxxxxxxxxxxxxxxxxxeJR64Bhrz
...
-----END PGP PRIVATE KEY BLOCK-----

Digging here in the code, it looks like it is not possible to load the secret key as a literal. Is it right?

I'm trying to set up a GitLab CI pipeline to deploy to the Maven repository with JAR signatures. And I don't think committing the secret key (even if it has a password) is a good practice.

Is there any recommendation?

Thanks!!!

@schnatterer schnatterer commented Apr 5, 2020

Maybe I'm two years late, but anyways, here's my workaround:

Store the private key in an env var and write it to a temp file.
The env var can be defined in your CI server.
Use base64 to avoid escaping hell.

TMP_KEY="$(mktemp)"
echo "${PK_BASE64}" | base64 -d > "${TMP_KEY}"
export PGP_SECRETKEY="keyfile:${TMP_KEY}"

I successfully implemented this using Travis CI.
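
A hardened variant of the workaround in the comment above, as an added example that is not part of the original thread or of pgp-maven-plugin: it rejects a missing or malformed variable, keeps the temp file owner-only, and deletes it when the shell exits. `PK_BASE64` and the `keyfile:` scheme are taken from the comment; `load_pgp_key` and `PGP_KEY_FILE` are hypothetical names.

```shell
# Added example. PK_BASE64 and the keyfile: scheme come from the comment above;
# load_pgp_key and PGP_KEY_FILE are hypothetical names chosen for this example.
load_pgp_key() {
    # Fail early when the CI variable is missing or empty.
    if [ -z "${PK_BASE64:-}" ]; then
        echo "PK_BASE64 is not set" >&2
        return 1
    fi

    # Create the temp file with owner-only permissions, then restore the umask.
    _old_umask="$(umask)"
    umask 077
    _key_file="$(mktemp)" || { umask "${_old_umask}"; return 1; }
    umask "${_old_umask}"

    # printf avoids echo's shell-dependent handling of backslashes and -n.
    if ! printf '%s' "${PK_BASE64}" | base64 -d > "${_key_file}" 2>/dev/null; then
        rm -f "${_key_file}"
        echo "PK_BASE64 is not valid base64" >&2
        return 1
    fi

    # Refuse anything that does not decode to an armored private key block.
    if ! head -n 1 "${_key_file}" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----'; then
        rm -f "${_key_file}"
        echo "decoded data is not an armored PGP private key" >&2
        return 1
    fi

    # Remove the key material when the shell running the build exits.
    PGP_KEY_FILE="${_key_file}"
    trap 'rm -f "${PGP_KEY_FILE}"' EXIT
    export PGP_SECRETKEY="keyfile:${PGP_KEY_FILE}"
}

# In the CI job, in the same shell:  load_pgp_key && mvn install
```

Run Maven in the same shell as the function call, because the EXIT trap removes the key file as soon as that shell exits.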

@watermelonjam watermelonjam linked a pull request Sep 19, 2020 that will close this issue