@cmoulliard
Created February 11, 2021 13:09
pkill gpg-agent
rm -f dummy.{txt,txt.asc}
echo "This is a dummy file" > dummy.txt
rm -rf .gnupg && mkdir -p .gnupg && chmod 700 .gnupg
gpg -a --export > .gnupg/pubring.gpg
gpg -a --export-secret-keys > .gnupg/secring.gpg
chmod 600 .gnupg/*.gpg
pkill gpg-agent
gpg --use-agent \
--local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 \
--armor --detach-sign \
--no-default-keyring \
--secret-keyring .gnupg/secring.gpg \
--keyring .gnupg/pubring.gpg \
--output dummy.txt.asc \
dummy.txt
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": Invalid packet
gpg: signing failed: Invalid packet
gpg --use-agent \
--homedir .gnupg \
--local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 \
--armor --detach-sign \
--no-default-keyring \
--secret-keyring .gnupg/secring.gpg \
--keyring .gnupg/pubring.gpg \
--output dummy.txt.asc \
dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=2d)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/.gnupg/secring.gpg' failed: Invalid keyring
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": Invalid packet
gpg: signing failed: Invalid packet
@cmoulliard (Author)

Why does mvn gpg:sign try to fetch the secring.gpg file from the WORKSPACE/JOB_NAME/.gnupg folder, while in fact I defined it under WORKSPACE/.gnupg?

[INFO] [DEBUG]   (f) ascDirectory = /Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/spring-boot-bom/target/gpg
[INFO] [DEBUG]   (f) defaultKeyring = false
[INFO] [DEBUG]   (f) interactive = true
[INFO] [DEBUG]   (f) keyname = 4BD5F787F27F97744BC09E019C1CA69653E98E56
[INFO] [DEBUG]   (f) passphrase = ****
[INFO] [DEBUG]   (f) passphraseServerId = gpg.passphrase
[INFO] [DEBUG]   (f) project = MavenProject: dev.snowdrop:snowdrop-dependencies:2.3.6.Alpha5 @ /Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/spring-boot-bom/target/effective-pom/snowdrop-dependencies.xml
[INFO] [DEBUG]   (f) publicKeyring = /Users/cmoullia/.jenkins/workspace/.gnupg/pubring.gpg
[INFO] [DEBUG]   (f) secretKeyring = /Users/cmoullia/.jenkins/workspace/.gnupg/secring.gpg
[INFO] [DEBUG]   (f) settings = org.apache.maven.execution.SettingsAdapter@350ec690
[INFO] [DEBUG]   (f) skip = false
[INFO] [DEBUG]   (f) useAgent = true
[INFO] [DEBUG] -- end configuration --
[INFO] [DEBUG] Generating signature for /Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/spring-boot-bom/target/snowdrop-dependencies-2.3.6.Alpha5.pom
[INFO] gpg: starting migration from earlier GnuPG versions
[INFO] gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' to gpg-agent
[INFO] gpg: [don't know]: invalid packet (ctb=00)
[INFO] gpg: read_block: read error: Invalid packet
[INFO] gpg: import from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' failed: Invalid keyring
[INFO] gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": No secret key

@cmoulliard (Author) commented Feb 11, 2021

I understand the problem now (at least on macOS ;-) )

Test case 1: Same scenario as what mvn gpg:sign does on Jenkins

If we don't pass the passphrase, then the command is executed and gpg-agent is launched, but when the secret keys are imported, that will fail as no user passphrase prompt has been asked. So we got ctb=00.

gpg --use-agent --homedir 50_ReleaseBOMUpstream/.gnupg --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=00)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' failed: Invalid keyring
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": No secret key
gpg: signing failed: No secret key

Test case 2: Same but without homeDir

If I now remove the --homedir 50_ReleaseBOMUpstream/.gnupg, then the process will work, as the passphrase will be prompted by the gpg-agent since it uses my home .gnupg folder. Why: IDK, but it will work using this command :-)

gpg --use-agent  --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
File 'dummy.txt.asc' exists. Overwrite? (y/N) y

Test case 3: Same as Test 2 but we echo the password

We could think that passing the password would help, but ....

 echo "xxxxxxxx" | gpg --batch --passphrase-fd 0 --homedir 50_ReleaseBOMUpstream/.gnupg --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=00)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' failed: Invalid keyring
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": No secret key
gpg: signing failed: No secret key
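Added here as an example that is not part of the gist or of the comments above: a small POSIX shell helper that reads the first byte of a keyring file to tell apart the two "invalid packet" cases seen on this page (ctb=2d is ASCII '-', the first byte of the armored output that `gpg -a --export` writes; ctb=00 is never a valid packet header), followed by the import-into-a-homedir and loopback-pinentry signing invocations that a CI job can run without a prompt. It goes a little beyond the page by classifying every first-byte case; paths, key id and the passphrase source are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist). Diagnose "invalid packet (ctb=..)" from the
# first byte of a keyring file, then import and sign from a dedicated homedir.

# In a binary OpenPGP keyring every packet starts with a CTB whose high bit is
# set (first byte >= 0x80). 0x2d is ASCII '-', the start of an armored
# "-----BEGIN PGP ..." block, which is what "gpg -a --export > pubring.gpg"
# produces; a leading 0x00 byte is never a valid packet header.
keyring_format() {
  f="$1"
  [ -s "$f" ] || { echo empty; return 0; }
  first=$(od -An -N1 -tx1 "$f" | tr -d ' \n')
  case "$first" in
    2d) echo armored ;;
    00) echo zeroed ;;
    [89a-f]?) echo binary ;;
    *) echo unknown ;;
  esac
}

# GnuPG 2.1+ ignores --secret-keyring: secret keys are owned by gpg-agent under
# the homedir, which is why gpg tries a "migration" of secring.gpg. Import the
# exported keys (armored or binary) into a fresh homedir instead.
prepare_homedir() {  # prepare_homedir HOMEDIR EXPORTED_SECRET_KEYS
  mkdir -p "$1" && chmod 700 "$1"
  gpg --homedir "$1" --batch --import "$2"
}

# Non-interactive detach-sign. With --batch, --passphrase-fd only works together
# with --pinentry-mode loopback on GnuPG 2.1+; otherwise the agent opens a
# pinentry dialog that a CI job cannot answer. The passphrase is read from
# stdin, so feed it from a secret store, not a literal on the command line.
sign_detached() {  # sign_detached HOMEDIR KEYID FILE   (passphrase on stdin)
  gpg --homedir "$1" --batch --yes --pinentry-mode loopback --passphrase-fd 0 \
      --local-user "$2" --armor --detach-sign --output "$3.asc" "$3"
}

# Hypothetical usage from a Jenkins job ($WORKSPACE, $KEYID, $PASSPHRASE_FILE
# are assumed to be set by the job):
#   keyring_format "$WORKSPACE/.gnupg/secring.gpg"
#   prepare_homedir "$WORKSPACE/.gnupg-ci" "$WORKSPACE/.gnupg/secring.gpg"
#   sign_detached "$WORKSPACE/.gnupg-ci" "$KEYID" dummy.txt < "$PASSPHRASE_FILE"
```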
