Open yurishkuro opened 6 years ago
encrypted_677f232983c0_key comes automatically from Travis. The prepare-signing.sh script, however, takes the key/value as input to decrypt the signing key, used to sign the final artifacts that are uploaded to Nexus (Maven Central).
I expect the encrypted_677f232983c0_key to be repository-dependent, so the plain text signing-key needs to be encrypted with something like travis encrypt-file signing-key.asc.
It's strange that the repo doesn't have these env vars, but could it be that this repo has no encrypted vars yet? Perhaps this is created on-demand by Travis?
encrypted_677f232983c0_key comes from Travis, but someone did add it there
I can do the same, but my question was whether we want to use some personal signing-key.asc or did we use a shared one?
but someone did add it there
Someone, or something? I think travis encrypt does that on the first run.
my question was whether we want to use some personal signing-key.asc or did we use a shared one?
Looks like we are currently using a personal one:
$ gpg --verify jaeger-core-0.27.0.jar.asc jaeger-core-0.27.0.jar
gpg: Signature made Wed 18 Apr 2018 12:45:06 PM CEST using RSA key ID 9A2E1C5E
gpg: Good signature from "Juraci Paixão Kröhling <jpkroehling+jaeger-client-java@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D10 9718 459E C01B 3C13 5D67 8ECC 15DC 9A2E 1C5E
Same for 0.27.0-RC1:
$ gpg --verify jaeger-core-0.27.0-RC1.jar.asc jaeger-core-0.27.0-RC1.jar
gpg: Signature made Wed 11 Apr 2018 03:44:24 PM CEST using RSA key ID 4F9D21F5
gpg: Can't check signature: public key not found
$ gpg --recv-keys 4F9D21F5
gpg: requesting key 4F9D21F5 from hkp server keys.gnupg.net
gpg: key 4F9D21F5: public key "Pavol Loffay <p.loffay@gmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
That said, it might be worth considering using a single, trusted key. Something like: packaging@jaegertracing.io.
The travis file contains this line:
I believe in the original repo these variables were defined in Travis itself, rather than being provided via encrypted vars in .travis.yaml (added in https://github.com/jaegertracing/jaeger-client-java/pull/201).
@jpkrohling do you remember what was the source of the values? Did you encode your own keys?
This repo doesn't have these variables anywhere so the automated publishing from tag fails.
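An added example, not part of the thread or the project's code: a release-time check that compares the signer of each artifact against one pinned fingerprint, run over the two `gpg --verify` transcripts quoted above. Pinning the 0.27.0 fingerprint and the name `check_signer` are assumptions made for the illustration.

```python
import re

# Pinned release-signing fingerprint. The value is the primary key fingerprint
# from the thread's 0.27.0 output; choosing it as the pin is an assumption.
PINNED_FPR = "2D109718459EC01B3C135D678ECC15DC9A2E1C5E"

# gpg --verify transcripts copied from the thread (English locale output).
OUT_0_27_0 = """\
gpg: Signature made Wed 18 Apr 2018 12:45:06 PM CEST using RSA key ID 9A2E1C5E
gpg: Good signature from "Juraci Paixão Kröhling <jpkroehling+jaeger-client-java@redhat.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 2D10 9718 459E C01B 3C13 5D67 8ECC 15DC 9A2E 1C5E
"""
OUT_0_27_0_RC1 = """\
gpg: Signature made Wed 11 Apr 2018 03:44:24 PM CEST using RSA key ID 4F9D21F5
gpg: Can't check signature: public key not found
"""


def check_signer(gpg_output, pinned_fpr=PINNED_FPR):
    """Return (verdict, key_id) for one gpg --verify transcript."""
    # Human-readable text is parsed because that is what the thread shows;
    # for automation, gpg's --status-fd output is the stable interface.
    m = re.search(r"key ID ([0-9A-F]+)", gpg_output)
    key_id = m.group(1) if m else None
    if "public key not found" in gpg_output:
        return "unknown-key", key_id
    if "BAD signature" in gpg_output or "Good signature" not in gpg_output:
        return "bad-signature", key_id
    m = re.search(r"Primary key fingerprint: ([0-9A-F ]+)", gpg_output)
    fpr = m.group(1).replace(" ", "") if m else ""
    # "Good signature" only proves that some key signed the file; the
    # fingerprint comparison ties it to the key the project chose to trust.
    if fpr != pinned_fpr:
        return "unexpected-signer", key_id
    return "ok", key_id


if __name__ == "__main__":
    for name, out in (("0.27.0", OUT_0_27_0), ("0.27.0-RC1", OUT_0_27_0_RC1)):
        print(name, *check_signer(out))
```

With a single shared key, every release would return `ok` against the same pin; with per-maintainer keys, each change of signer shows up as `unknown-key` or `unexpected-signer`.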