Gradle Signing plugin

Time:02-07

I am trying to use Gradle's signing plugin with "in memory" keys[1], but am having difficulty understanding which values to use where. I have the following:

$ gpg --list-keys --keyid-format=long
...
----------------------------------
pub <PUB>
uid ...
sub <SUB>

$ export GPG_KEY=$(gpg --armor --export <PUB>)

along with this build fragment

signing {
  sign publishing.publications.publishedArtifacts

  def signingKeyId = findProperty('signingKeyId')
  def signingKey = findProperty('signingKey')
  def signingPassword = findProperty('signingPassword')
  useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
}

I'm sure much of this is my limited knowledge of GPG and PGP, but as I understand it, when the plugin doc talks about "signingKey", that is my $GPG_KEY variable.

I am a bit unclear about what the doc calls "signingKeyId" - whether that is <PUB> or <SUB>. I've tried both and get the same error either way.

$ gradlew sign -PsigningKeyId=<PUB> -PsigningKey="$GPG_KEY" -PsigningPassword=...

> Error while evaluating property 'signatory' of task ':hibernate-core:signPublishedArtifactsPublication'
   > Could not read PGP secret key

I've also tried the form without passing a key-id - still same result. So I am clearly not understanding something here.

$ gradlew --version

------------------------------------------------------------
Gradle 7.3.3
------------------------------------------------------------

Build time:   2021-12-22 12:37:54 UTC
Revision:     6f556c80f945dc54b50e0be633da6c62dbe8dc71

Kotlin:       1.5.31
Groovy:       3.0.9
Ant:          Apache Ant(TM) version 1.10.11 compiled on July 10 2021
JVM:          11.0.6 (AdoptOpenJDK 11.0.6 10)
OS:           Linux 5.15.12-100.fc34.x86_64 amd64

[1] either https://docs.gradle.org/current/userguide/signing_plugin.html#sec:in-memory-keys or https://docs.gradle.org/current/userguide/signing_plugin.html#using_in_memory_ascii_armored_openpgp_subkeys

CodePudding user response:

If you run gpg --armor --export, there are two signs that show you that you are using the wrong command.

  1. you are not asked for a passphrase, so it would be shocking if you could access the secret key
  2. if you look at the output, you see that the ASCII armor says PGP PUBLIC KEY BLOCK

The docs you linked to say you need to provide the secret key, which of course makes sense, as you want to sign something with your secret key, not encrypt it for a specific recipient, for which you would need that person's public key. If you specify the id of the parent key, it should use the parent key; if you leave out the key id, it also uses the parent key.

If you replace --export with --export-secret-key (yes, this option is not shown in the --help output), then you get the secret key exported instead, after being asked for your passphrase, which is what you need for signing.

The key id you only need if you want to sign with the subkey. As a parent key can have multiple subkeys, you have to tell it which subkey to use and thus have to give the id of the subkey, not the id of the parent key. IIRC it should also just be the part after the slash; before the slash is just the algorithm.
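Putting the answer into a build script, as an added example that is not from the question or the answer: the fragment below reads the ASCII-armored secret key from environment variables (the names SIGNING_KEY, SIGNING_PASSWORD and SIGNING_KEY_ID are assumptions) and fails fast when a public key block was exported by mistake, which is the cause of the "Could not read PGP secret key" error above.

```groovy
// Added example (not the question's or the plugin's own code).
plugins {
    id 'java'
    id 'maven-publish'
    id 'signing'
}

publishing {
    publications {
        publishedArtifacts(MavenPublication) {   // publication name taken from the question
            from components.java
        }
    }
}

// Assumed variable names, e.g. injected by CI from a secrets store:
//   SIGNING_KEY      -> output of: gpg --armor --export-secret-keys <PUB>
//   SIGNING_PASSWORD -> the passphrase of that key
//   SIGNING_KEY_ID   -> optional: id of the subkey to sign with (the part after the slash)
def signingKey = System.getenv('SIGNING_KEY')
def signingPassword = System.getenv('SIGNING_PASSWORD')
def signingKeyId = System.getenv('SIGNING_KEY_ID')

signing {
    // Only require signatures when actually publishing, so local builds without keys still work.
    required { gradle.taskGraph.hasTask(':publish') }

    if (signingKey == null) {
        logger.warn('SIGNING_KEY not set; publications will not be signed')
    } else {
        // The mistake from the question: gpg --armor --export yields a PUBLIC KEY BLOCK,
        // which the plugin cannot use for signing. Reject it with a clear message.
        if (!signingKey.contains('BEGIN PGP PRIVATE KEY BLOCK')) {
            throw new GradleException(
                'SIGNING_KEY must be an ASCII-armored PRIVATE key block ' +
                '(gpg --armor --export-secret-keys), not a PUBLIC key block')
        }
        if (signingKeyId) {
            // Three-argument form: sign with the named subkey.
            useInMemoryPgpKeys(signingKeyId, signingKey, signingPassword)
        } else {
            // Two-argument form: no key id, the primary (parent) key is used.
            useInMemoryPgpKeys(signingKey, signingPassword)
        }
        sign publishing.publications.publishedArtifacts
    }
}
```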
