invoke GPG unattended with passphrase #2279
Conversation
By the way, the builds are failing but I don't think this PR has anything to do with it. Travis job #2454.1 is failing with errors like this:
which appears to be a TLS issue, and based on your recent commit history it looks like you're aware of it. See also this and this. Travis job #2454.2 is failing on the same dependency a few different times:
but I just deleted my ~/.m2/repository/rome and ran the same test by hand to prove to myself lein would retrieve the missing jar.
Go ahead and ignore Travis; it has been failing for no reason. However, I think I fixed the problem with the test suite on master, and if you rebase off the latest it should help. I hope to take a look at the rest of the PR in the next couple days.
As long as the documentation is clear that putting the GPG passphrase in the environment is meant only for unattended deploys, I don't see a problem with this in principle. However, @hypirion has spent more time working on stdin issues, so his input would be more useful on specific implementation details.
Ok, I'll wait for further feedback.
note - when I test this locally the signature generation is working as expected, but then I'm getting errors during the attempt to send signed artifacts into clojars (no checksum provided?). I didn't touch any checksum logic and actually I don't even see where it's done. Is that happening inside aether?
(edit) Furthermore, the error occurs only with release versions, whereas with snapshots the unsigned pom, jar, and maven-metadata.xml are uploaded with md5 and sha1 checksums as usual. @cemerick, any hints where to look?
Further note - deploying signed artifacts seems broken on the master branch too. I retried the same signed deploy as above using a fresh checkout on commit
I backed up to commit I'm going to stop testing because this "unattended signatures" feature seems to work (for me), but I'd feel much better about my testing if the deploys fully worked.
Tracking the signature checksum problem separately at #2303; thanks for pointing that out.
Thanks for resolving #2303. Because of that, my local testing is now successful. I rebased and squashed the commits to clean up the git history. During the rebase I had to manually merge with #2293 because @glts changed some of the same code, but I left it in a way that should preserve his work as well as mine. I also added documentation per your earlier request. If you and @hypirion (and @glts) are satisfied, then I think this is ready to merge?
Well. I'm finding Travis and CircleCI default to relatively old distributions of Ubuntu with either gpg 1.4 or gpg 2.0, and this implementation uses the --pinentry-mode option introduced in gpg 2.1. So things are fine on my laptop, not so much in CI. I'm going to have to do a little more to support those older gpg versions (or at least detect them and fail gracefully).
With those latest commits the code now detects which version of gpg is available and provides the right gpg signing arguments in each case.
Hey... so now that 2.8.x is released what are your thoughts about this PR? |
Sorry for the delay on this. If we can't get any other input on this I'll go ahead and bring it in so we can at least get more people using it. Thanks!
Cool. I just helped a little with unattended deploys in the Travis CI configs for cider-nrepl and orchard. I don't know if @bbatsov plans to gpg sign the release jars, but if he does then this is timely.
This broke deploys in 2.8.2, so I had to revert it.
The purpose of this pull request is to ask if the approach will be accepted before I finish up the integration and testing.
The concept is to offer "gpg --passphrase-fd 0" as an alternate way to supply a passphrase, for example to perform unattended jar signing in TravisCI or similar.
So the key changes were to add some syntax for specifying the passphrase in the project.clj via an environment variable (which can be encrypted in a way that won't be revealed in Travis CI). And then some enhancement to the way gpg is launched to supply that passphrase on stdin. A few unit tests were added too.
If folks are okay with this approach I will probably close the pull request and keep working to complete the implementation, and then reopen a new pull request with the complete change when I think it's closer to done.
thanks
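The two technical points in this thread, feeding the passphrase to gpg on stdin via `--passphrase-fd 0` (the PR description above) and picking different gpg arguments depending on whether the installed gpg is 1.4/2.0 or 2.1+ (the CI comment earlier in the thread), are shown together below as an added shell example. It is not Leiningen's code or the PR's code; the function names, the `GPG_PASSPHRASE` environment-variable convention, and the `gpg_version` parsing are assumptions made for this illustration. The passphrase is written to gpg's stdin rather than passed as `--passphrase` on the command line, so it never appears in `ps` output or CI command echo.

```shell
#!/bin/sh
# Added example (not part of Leiningen or PR #2279): unattended gpg signing
# with the passphrase on fd 0, choosing arguments by gpg version.

# gpg_version: print "major.minor" of the gpg binary named by $1 (default: gpg).
# Parses the first line of `gpg --version`, e.g. "gpg (GnuPG) 2.2.19" -> "2.2".
gpg_version() {
  "${1:-gpg}" --version 2>/dev/null \
    | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# gpg_sign_args: given "major.minor", print the options that make gpg read the
# passphrase from fd 0 without popping up a pinentry dialog.
gpg_sign_args() {
  major=${1%%.*}
  minor=${1#*.}; minor=${minor%%.*}
  if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 1 ]; }; then
    # gpg 2.1+: the agent owns the passphrase prompt, so loopback pinentry
    # is required for --passphrase-fd to be honoured (option added in 2.1).
    echo "--batch --yes --pinentry-mode loopback --passphrase-fd 0"
  else
    # gpg 1.4 / 2.0: --passphrase-fd works directly in batch mode;
    # --pinentry-mode would be rejected as an unknown option.
    echo "--batch --yes --passphrase-fd 0"
  fi
}

# sign_unattended FILE KEYID [VARNAME]
# Writes a detached, armored signature to FILE.asc using key KEYID. The
# passphrase is read from the environment variable named by VARNAME
# (assumed default: GPG_PASSPHRASE), mirroring the PR's idea of an encrypted
# CI environment variable, and is piped to gpg's stdin.
sign_unattended() {
  file=$1; keyid=$2; var=${3:-GPG_PASSPHRASE}
  # Only accept a plain identifier as the variable name before using eval.
  case $var in
    *[!A-Za-z0-9_]*|[0-9]*|'') echo "bad variable name: $var" >&2; return 2 ;;
  esac
  pass=$(eval "printf '%s' \"\${$var}\"")
  if [ -z "$pass" ]; then
    echo "passphrase variable $var is empty; refusing to sign" >&2
    return 1
  fi
  ver=$(gpg_version gpg)
  [ -n "$ver" ] || { echo "gpg not found or version unparseable" >&2; return 1; }
  # Word splitting of $(gpg_sign_args ...) is intentional: it yields a flag list.
  # shellcheck disable=SC2046
  printf '%s\n' "$pass" | gpg $(gpg_sign_args "$ver") \
      --local-user "$keyid" --armor --detach-sign \
      --output "$file.asc" "$file"
}

# Usage (requires a secret key in the keyring and GPG_PASSPHRASE set by CI):
#   sign_unattended target/myproject-1.0.0.jar 0xDEADBEEF
```

On some early 2.1.x releases gpg-agent additionally needs `allow-loopback-pinentry` in `gpg-agent.conf` before loopback mode is accepted; newer 2.1/2.2 builds allow it by default. The version check is the part worth unit-testing, since it is what failed silently in the CI images described above: assert that 2.0 and 1.4 get no `--pinentry-mode` flag and that 2.1 and later do.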