ctron / rpm-builder

Maven RPM builder plugin
https://ctron.github.io/rpm-builder
Eclipse Public License 2.0

Can't get signing to work #100

Open devinfluencer opened 3 months ago

devinfluencer commented 3 months ago

Hey ctron,

I can't get signing on Windows to work. I installed GPG and created/imported a secret key. I always get Unable to load GPG key '4A9CC3A2' from 'C:\Users\thomas\AppData\Roaming\gnupg\pubring.kbx'. My pom.xml snippet is

                        <signature>
                            <skip>false</skip>
                            <keyId>4A9CC3A2</keyId>
                            <keyringFile>${user.home}/AppData/Roaming/gnupg/pubring.kbx</keyringFile>
                            <passphrase>secret</passphrase>
                        </signature>

gpg has the following entry:

gpg --list-secret-keys --keyid-format short
C:\Users\thomas\AppData\Roaming\gnupg\pubring.kbx
-------------------------------------------------
sec   rsa2048/4A9CC3A2 2024-08-07 [SC]
      3BBA7450DD527E34BA3BF707DC0EFA7E4A9CC3A2
uid      [ unknown ] Package Manager (GPG Code signing key) <pmanager@xxxx.de>

I noticed in newer versions (>>2.3, README) gpg can use a sqlite db for storing keys. First my setup used this mode and it didn't work. I then changed mode and reimported the key but to no avail. Does rpm-builder support both modes?

Thanks, Thomas

Btw, creating the rpm without signing and using gpg manually to sign afterwards worked.

ctron commented 3 months ago

I haven't used it in quite a while. So I am not sure I can help.

csGrebo commented 2 months ago

So, I've run into this particular issue before working on an experiment. Unfortunately, the proper fix looks to require a fair bit of updates throughout the dependency chain.

My chasing through the code yielded this: The mojo calls Eclipse Packager's PgpHelper, which in turn goes to BouncyCastle. The issue there is that BouncyCastle does not have proper support for GPG 2.2+ Keybox files, especially for handling the secret/private keys.

See https://github.com/bcgit/bc-java/issues/794 and https://github.com/bcgit/bc-java/issues/1320

The interim solution that I've ended up using is to export the required key pairs to a legacy keyring and feed that into the plugin, since thankfully the main keyring/keybox is not required.

JGit has a solution, but it'd need a fair bit of retooling to work outside of the full infrastructure that JGit uses.
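
The workaround above amounts to giving the plugin a file that BouncyCastle can actually parse. The following is an added example, not code from rpm-builder, Eclipse Packager or this thread: it loads a secret key from a legacy keyring with the same BouncyCastle classes the dependency chain relies on, so you can confirm that an exported keyring and the key ID/passphrase you intend to put in the pom resolve to a usable signing key before running the build. The class name, the argument layout and the assumption that bcpg-jdk18on (or another recent bcpg/bcprov pair) is on the classpath are mine.

```java
// Added example (not the plugin's own code): sanity-check a legacy GPG secret keyring
// with BouncyCastle, which is what rpm-builder ends up doing via Eclipse Packager's
// PgpHelper. Assumes bcpg-jdk18on is on the classpath (assumption, not from the thread).
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.Security;
import java.util.Iterator;
import java.util.Locale;

import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPException;
import org.bouncycastle.openpgp.PGPPrivateKey;
import org.bouncycastle.openpgp.PGPSecretKey;
import org.bouncycastle.openpgp.PGPSecretKeyRing;
import org.bouncycastle.openpgp.PGPSecretKeyRingCollection;
import org.bouncycastle.openpgp.PGPUtil;
import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
import org.bouncycastle.openpgp.operator.jcajce.JcePBESecretKeyDecryptorBuilder;

public class LegacyKeyringCheck {

    /**
     * Find the signing-capable secret key whose key ID ends with the given hex
     * short (8) or long (16) key ID, e.g. "4A9CC3A2". Returns null if absent.
     * A pubring.kbx (keybox) file is not an OpenPGP packet stream, so the
     * collection constructor fails on it instead of returning keys.
     */
    static PGPSecretKey findSecretKey(String keyringFile, String keyId)
            throws IOException, PGPException {
        try (InputStream raw = new FileInputStream(keyringFile);
             InputStream in = PGPUtil.getDecoderStream(raw)) {  // binary or ASCII-armored
            PGPSecretKeyRingCollection rings =
                    new PGPSecretKeyRingCollection(in, new JcaKeyFingerprintCalculator());
            String wanted = keyId.toUpperCase(Locale.ROOT);
            Iterator<PGPSecretKeyRing> it = rings.getKeyRings();
            while (it.hasNext()) {
                for (Iterator<PGPSecretKey> keys = it.next().getSecretKeys(); keys.hasNext(); ) {
                    PGPSecretKey key = keys.next();
                    // getKeyID() is the low 64 bits of the fingerprint; compare as hex
                    String id = String.format("%016X", key.getKeyID());
                    if (key.isSigningKey() && id.endsWith(wanted)) {
                        return key;
                    }
                }
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: LegacyKeyringCheck <secring.gpg> <keyId> <passphrase>");
            System.exit(2);
        }
        Security.addProvider(new BouncyCastleProvider());
        PGPSecretKey key = findSecretKey(args[0], args[1]);
        if (key == null) {
            System.err.println("key " + args[1] + " not found in " + args[0]);
            System.exit(1);
        }
        // Unlocking the private key material also verifies the passphrase, which is
        // the other input the plugin takes from the pom.
        PGPPrivateKey priv = key.extractPrivateKey(
                new JcePBESecretKeyDecryptorBuilder().setProvider("BC").build(args[2].toCharArray()));
        Iterator<String> uids = key.getUserIDs();
        String uid = uids.hasNext() ? uids.next() : "(subkey, no user ID)";
        System.out.printf("OK: %016X %s%n", priv.getKeyID(), uid);
    }
}
```

To produce the legacy keyring from a GnuPG 2.1+ install, export the secret key with `gpg --export-secret-keys 4A9CC3A2 > secring.gpg` and point `<keyringFile>` at that file instead of pubring.kbx, as csGrebo describes. The exported file holds the passphrase-protected private key, so keep it out of version control and, likewise, prefer a Maven property or settings.xml over a literal `<passphrase>` in the pom.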

devinfluencer commented 2 months ago

Thanks a lot. I installed the GPG 1.4 legacy version and imported my private key. Now rpm-builder signs.