
@daniel-cortez-stevenson
Last active December 15, 2023 09:48

Using GPG with sbtenv on MacOS

Issue

I recently downloaded sbtenv to better manage my Scala SBT environments per project. When I tried to install any version of SBT using the sbtenv command, it would fail. Checking the stdout, I found the message gpg: Can't check signature: No public key at the end of the output.

Steps to reproduce

Install sbtenv

brew install sbtenv

Set up environment

echo '''
# ScalaEnv / SBTEnv
eval "$(scalaenv init -)"
eval "$(sbtenv init -)"
''' >> ~/.bash_profile

Install any sbt version

sbtenv install sbt-1.3.10

> Installing 1.3.10:
> Downloading 1.3.10 archives...
> ######################################################################## 100.0%
> ######################################################################## 100.0%
> Checking GPG signature...
> gpg: Signature made Wed Apr 15 05:28:02 2020 CEST
> gpg:                using RSA key 2EE0EA64E40A89B84B2DF73499E82A75642AC823
> gpg: Can't check signature: No public key

Notice the gpg: Can't check signature: No public key error message

How to fix

Upgrade gnupg

# not strictly necessary
brew upgrade gnupg

Download the sbt public keyfile found in the logs: 2EE0EA64E40A89B84B2DF73499E82A75642AC823. If you have trouble here try a different --keyserver or consider disconnecting from your VPN.

Or, you may download the keyfile via the browser by searching for the public keyfile and then running gpg --import /path/to/downloaded/keyfile.

gpg --keyserver hkp://ipv4.pool.sks-keyservers.net \
    --receive-keys 2EE0EA64E40A89B84B2DF73499E82A75642AC823

> gpg: key 99E82A75642AC823: public key "sbt build tool <scalasbt@gmail.com>" imported
> gpg: Total number processed: 1
> gpg:               imported: 1

Great, that looks promising!

Let's check that we've imported the key to our keyring

gpg --list-keys

> ...
> pub   rsa4096 2015-05-29 [SC]
>       2EE0EA64E40A89B84B2DF73499E82A75642AC823
> uid           [ unknown] sbt build tool <scalasbt@gmail.com>
> sub   rsa4096 2015-05-29 [E]

Cool! 😎

Retry sbtenv install

sbtenv install sbt-1.3.10

> Installing 1.3.10:
> Downloading 1.3.10 archives...
> ######################################################################## 100.0%
> ######################################################################## 100.0%
> Checking GPG signature...
> gpg: Signature made Wed Apr 15 05:28:02 2020 CEST
> gpg:                using RSA key 2EE0EA64E40A89B84B2DF73499E82A75642AC823
> gpg: Good signature from "sbt build tool <scalasbt@gmail.com>" [unknown]
> gpg: WARNING: This key is not certified with a trusted signature!
> gpg:          There is no indication that the signature belongs to the owner.
> Primary key fingerprint: 2EE0 EA64 E40A 89B8 4B2D  F734 99E8 2A75 642A C823
> Extracting files...
> 1.3.10 installed.

Success! ✅
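
gpg prints "Good signature" for a valid signature from any key in the keyring, and the WARNING above means nothing yet ties this key to the sbt project. As an added example (not part of the original gist, and not sbtenv's own check), this script pins the fingerprint from the output above and classifies gpg's `--status-fd` lines; the sample status lines and the second fingerprint are constructed.

```shell
#!/bin/sh
# Added example: decide on gpg's machine-readable status lines (--status-fd)
# rather than on the human-readable "Good signature" text.

# Fingerprint as printed by gpg in the gist's output.
SBT_FPR=2EE0EA64E40A89B84B2DF73499E82A75642AC823

# classify_status PINNED_FPR   (status lines on stdin)
# Prints: trusted | wrong-key | missing-key | rejected
classify_status() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    # The last VALIDSIG field is the primary-key fingerprint.
    $2 == "VALIDSIG" { valid = 1; if ($NF == want) pinned = 1 }
    $2 == "NO_PUBKEY" { missing = 1 }
    $2 ~ /^(BADSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { rejected = 1 }
    END {
      if (rejected)     print "rejected"
      else if (pinned)  print "trusted"
      else if (valid)   print "wrong-key"
      else if (missing) print "missing-key"
      else              print "rejected"   # no usable signature: fail closed
    }'
}

# Constructed status lines for the failing run (key not yet imported).
sample_missing() { cat <<'EOF'
[GNUPG:] ERRSIG 99E82A75642AC823 1 8 00 1586921282 9 2EE0EA64E40A89B84B2DF73499E82A75642AC823
[GNUPG:] NO_PUBKEY 99E82A75642AC823
EOF
}

# Constructed status lines for the successful run after the import.
sample_good() { cat <<'EOF'
[GNUPG:] GOODSIG 99E82A75642AC823 sbt build tool <scalasbt@gmail.com>
[GNUPG:] VALIDSIG 2EE0EA64E40A89B84B2DF73499E82A75642AC823 2020-04-15 1586921282 0 4 0 1 8 00 2EE0EA64E40A89B84B2DF73499E82A75642AC823
[GNUPG:] TRUST_UNDEFINED 0 pgp
EOF
}

# Constructed: valid signature by another keyring key (made-up fingerprint).
sample_other_key() { cat <<'EOF'
[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0000111122223333444455550123456789ABCDEF 2020-04-15 1586921282 0 4 0 1 8 00 0000111122223333444455550123456789ABCDEF
EOF
}

# Real use: gpg --status-fd 1 --verify ARCHIVE.asc ARCHIVE 2>/dev/null | classify_status "$SBT_FPR"
```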

Check that sbtenv is working

mkdir algos
cd algos

sbtenv versions
> 1.3.10

sbtenv rehash

sbtenv global 1.3.10

sbtenv version
> 1.3.10 (set by /Users/d.stevenson/projects/scala/algos/.sbt-version)

echo 'ThisBuild / scalaVersion := "2.13.1"' >> build.sbt
mkdir project
echo "sbt.version=1.3.10" >> project/build.properties

sbt initialize
> [info] Loading project definition from /Users/d.stevenson/projects/scala/algos/project
> [info] Set current project to algos (in build file:/Users/d.stevenson/projects/scala/algos/)

sbt
> [info] Loading project definition from /Users/d.stevenson/projects/scala/algos/project
> [info] Set current project to algos (in build file:/Users/d.stevenson/projects/scala/algos/)
> [info] sbt server started at local:///Users/d.stevenson/.sbt/1.0/server/50d5331839eb36567b0a/sock

sbt:algos> about
> [info] This is sbt 1.3.10
> [info] The current project is ProjectRef(uri("file:/Users/d.stevenson/projects/scala/algos/"), "algos") 0.1.0-SNAPSHOT
> [info] The current project is built against Scala 2.13.1
> [info] Available Plugins
> [info]  - sbt.ScriptedPlugin
> [info]  - sbt.plugins.CorePlugin
> [info]  - sbt.plugins.Giter8TemplatePlugin
> [info]  - sbt.plugins.IvyPlugin
> [info]  - sbt.plugins.JUnitXmlReportPlugin
> [info]  - sbt.plugins.JvmPlugin
> [info]  - sbt.plugins.SbtPlugin
> [info]  - sbt.plugins.SemanticdbPlugin
> [info] sbt, sbt plugins, and build definitions are using Scala 2.12.10

sbt:algos> console
> https://repo1.maven.org/maven2/org/scala-sbt/compiler-bridge_2.13/1.3.5/compiler-bridge_2.13-1.3.5.pom
>   100.0% [##########] 2.8 KiB (7.8 KiB / s)
> https://repo1.maven.org/maven2/org/scala-sbt/compiler-bridge_2.13/1.3.5/compiler-bridge_2.13-1.3.5-sources.jar
>   100.0% [##########] 47.8 KiB (487.3 KiB / s)
> [info] Non-compiled module 'compiler-bridge_2.13' for Scala 2.13.1. Compiling...
> 8 warnings found
> [info]   Compilation completed in 11.066s.
> [info] Starting scala interpreter...
> Welcome to Scala 2.13.1 (OpenJDK 64-Bit Server VM, Java 1.8.0_202).
> Type in expressions for evaluation. Or try :help.

scala> var x = "helloWorld"
x: String = helloWorld

scala> x
res0: String = helloWorld

scala> :q

> [success] Total time: 166 s (02:46), completed Jun 25, 2020 12:50:41 AM

sbt:algos> exit

> [info] shutting down sbt server

Seems to be working ✅

If you found this gist helpful - please click star!

@dalbani

dalbani commented Nov 18, 2021

Thanks a lot for those instructions!
Although the command you mentioned doesn't seem right:

gpg —-keyserver hkp://ipv4.pool.sks-keyservers.net \
    --receive-keys D7FAB8B6C6E92FCB107428D43C0CBB35C73E83F6

First, it should be 2EE0EA64E40A89B84B2DF73499E82A75642AC823 instead, as mentioned elsewhere in the gist.
Secondly, the --keyserver option doesn't seem to be required. And even causes an issue on my system:

~ gpg —-keyserver ipv4.pool.sks-keyservers.net --receive-keys 2EE0EA64E40A89B84B2DF73499E82A75642AC823
gpg: Note: '--receive-keys' is not considered an option
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
usage: gpg [options] [filename]

@daniel-cortez-stevenson
Author

First, it should be 2EE0EA64E40A89B84B2DF73499E82A75642AC823 instead, as mentioned elsewhere in the gist.

Thanks, fixed.

Secondly, the --keyserver option doesn't seem to be required. And even causes an issue on my system

It is now updated and also now provides an alternative to the keyserver download with --import.
