Created February 11, 2021 13:09
pkill gpg-agent
rm -f dummy.{txt,txt.asc}
echo "This is a dummy file" > dummy.txt
rm -rf .gnupg && mkdir -p .gnupg && chmod 700 .gnupg
# -a writes ASCII armor; gpg keyring files must be binary OpenPGP packets,
# so the armor's leading '-' (0x2d) is the "invalid packet (ctb=2d)" reported below
gpg -a --export > .gnupg/pubring.gpg
gpg -a --export-secret-keys > .gnupg/secring.gpg
chmod 600 .gnupg/*.gpg
pkill gpg-agent
gpg --use-agent \
  --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 \
  --armor --detach-sign \
  --no-default-keyring \
  --secret-keyring .gnupg/secring.gpg \
  --keyring .gnupg/pubring.gpg \
  --output dummy.txt.asc \
  dummy.txt
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": Invalid packet
gpg: signing failed: Invalid packet
# Same command with --homedir: gpg 2.x first tries to migrate secring.gpg into gpg-agent
gpg --use-agent \
  --homedir .gnupg \
  --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 \
  --armor --detach-sign \
  --no-default-keyring \
  --secret-keyring .gnupg/secring.gpg \
  --keyring .gnupg/pubring.gpg \
  --output dummy.txt.asc \
  dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=2d)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/.gnupg/secring.gpg' failed: Invalid keyring
gpg: [don't know]: invalid packet (ctb=2d)
gpg: keydb_search failed: Invalid packet
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": Invalid packet
gpg: signing failed: Invalid packet
I understand the problem now (at least on macOS ;-) )
Test case 1: Same scenario as what mvn gpg:sign does on Jenkins
If we don't pass the passphrase, then the command is executed and gpg-agent is launched, but when the secret keys are imported, that will fail as no user passphrase prompt has been asked. So we got ctb=00
gpg --use-agent --homedir 50_ReleaseBOMUpstream/.gnupg --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=00)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' failed: Invalid keyring
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": No secret key
gpg: signing failed: No secret key
Test case 2: Same but without homeDir
If now I remove the --homedir 50_ReleaseBOMUpstream/.gnupg, then the process will work as the passphrase will be prompted by the gpg-agent, as it uses my home gnupg folder. Why: IDK, but that will work using this command :-)
gpg --use-agent --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
File 'dummy.txt.asc' exists. Overwrite? (y/N) y
Test case 3: Same as Test 2 but we echo the password
We could think that passing the password will help, but ....
echo "xxxxxxxx" | gpg --batch --passphrase-fd 0 --homedir 50_ReleaseBOMUpstream/.gnupg --local-user 4BD5F787F27F97744BC09E019C1CA69653E98E56 --armor --detach-sign --no-default-keyring --secret-keyring 50_ReleaseBOMUpstream/.gnupg/secring.gpg --keyring 50_ReleaseBOMUpstream/.gnupg/pubring.gpg --output dummy.txt.asc dummy.txt
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' to gpg-agent
gpg: [don't know]: invalid packet (ctb=00)
gpg: read_block: read error: Invalid packet
gpg: import from '/Users/cmoullia/.jenkins/workspace/50_ReleaseBOMUpstream/.gnupg/secring.gpg' failed: Invalid keyring
gpg: skipped "4BD5F787F27F97744BC09E019C1CA69653E98E56": No secret key
gpg: signing failed: No secret key
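An added check, written for this page and not part of the gist or of the Maven GPG plugin: it decodes the ctb byte that gpg prints in "invalid packet (ctb=..)" and walks the packets of a keyring file, so a Jenkins job can verify that the pubring.gpg/secring.gpg it is about to pass to --keyring and --secret-keyring are binary OpenPGP rather than an armored export (whose leading '-' is 0x2d) or an empty or zeroed file. The sample inputs are constructed, not real key material.

```python
import re
# OpenPGP packet tags found in keyrings (RFC 4880 section 4.3)
TAG_NAMES = {2: "signature", 5: "secret key", 6: "public key", 7: "secret subkey",
             12: "trust", 13: "user id", 14: "public subkey", 17: "user attribute"}
ARMOR = re.compile(rb"-----BEGIN PGP [A-Z ]+-----")
def parse_ctb(ctb):
    """Decode a packet's first byte, the 'ctb' gpg prints in 'invalid packet (ctb=..)'."""
    if not ctb & 0x80:                    # bit 7 is set on every OpenPGP packet header
        return None
    if ctb & 0x40:                        # new-format header: tag in the low 6 bits
        return {"tag": ctb & 0x3F, "new": True}
    return {"tag": (ctb >> 2) & 0x0F, "new": False, "ltype": ctb & 0x03}

def packet_length(data, pos, hdr):
    """Return (body length, number of length octets) for the header starting at pos."""
    if hdr["new"]:
        o1 = data[pos]
        if o1 < 192:
            return o1, 1
        if o1 < 224:
            return ((o1 - 192) << 8) + data[pos + 1] + 192, 2
        if o1 == 255:
            return int.from_bytes(data[pos + 1:pos + 5], "big"), 5
        raise ValueError("partial body length, not expected in a keyring")
    size = {0: 1, 1: 2, 2: 4}.get(hdr["ltype"])
    if size is None:
        raise ValueError("indeterminate length, not expected in a keyring")
    return int.from_bytes(data[pos:pos + size], "big"), size

def diagnose_keyring(data):
    """Say whether gpg will accept these bytes as a binary keyring and list its packets."""
    if not data:
        return "empty file", []
    if ARMOR.match(data):
        return "ascii-armored (ctb=%02x is '-'): export without -a or use gpg --dearmor" % data[0], []
    tags, pos = [], 0
    while pos < len(data):
        hdr = parse_ctb(data[pos])
        if hdr is None:
            return "invalid packet (ctb=%02x) at offset %d" % (data[pos], pos), tags
        length, hsize = packet_length(data, pos + 1, hdr)
        tags.append(TAG_NAMES.get(hdr["tag"], "tag %d" % hdr["tag"]))
        pos += 1 + hsize + length
    state = "binary keyring" if pos == len(data) else "truncated keyring"
    return "%s, %d packets" % (state, len(tags)), tags
# Constructed samples, not real key material: an armored export and a minimal binary keyring
ARMORED = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\nmQENBF...\n-----END PGP PUBLIC KEY BLOCK-----\n"
BINARY = (b"\x99\x00\x03\x04\x01\x02"                    # old-format tag 6 (public key), 2-byte length
          + b"\xb4\x05alice" + b"\x89\x00\x02\x04\x10")  # tag 13 (user id), then tag 2 (signature)
```

Run diagnose_keyring over the bytes of each keyring file before the signing step; anything other than "binary keyring" means gpg will refuse it exactly as in the logs above.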
Why does mvn gpg:sign try to fetch the secring.gpg file from the WORKSPACE/JOB_NAME/.gnugpg folder while in fact I defined it under WORKSPACE/.gnugpg?