s4u / sign-maven-plugin

Maven plugin which creates Open PGP / GPG signatures for all of the project's artifacts
https://www.simplify4u.org/sign-maven-plugin/
Apache License 2.0

PGPException: checksum mismatch at in checksum of 20 bytes #123

Closed vitalijr2 closed 2 years ago

vitalijr2 commented 2 years ago

Describe the bug Cannot sign artifacts, the plugin says

    Caused by: org.bouncycastle.openpgp.PGPException: checksum mismatch at in checksum of 20 bytes
    at org.bouncycastle.openpgp.PGPSecretKey.extractKeyData (Unknown Source)
    at org.bouncycastle.openpgp.PGPSecretKey.extractPrivateKey (Unknown Source)
    at org.simplify4u.plugins.sign.openpgp.PGPSigner.loadKey (PGPSigner.java:140)
    at org.simplify4u.plugins.sign.openpgp.PGPSigner.setKeyInfo (PGPSigner.java:81)
    at org.simplify4u.plugins.sign.ArtifactSigner.setKeyInfo (ArtifactSigner.java:102)
    at org.simplify4u.plugins.sign.ArtifactSignerFactory.getSigner (ArtifactSignerFactory.java:57)
    at org.simplify4u.plugins.sign.SignMojo.execute (SignMojo.java:206)

To Reproduce I have prepared a key following Private key preparation:

  1. Made a new key with `gpg --full-gen-key`
  2. Checked the result with `gpg --list-secret-keys --keyid-format long`
  3. Then exported the private key with `gpg --armor --export-secret-keys my-private-key-id! > ~/.m2/sign-key.asc`
  4. And finally I ran a build with `mvn clean verify -Prelease -Dsign.keyPass=passphrase`

Also I have tried to use an encrypted passphrase but had the same result:

    mvn -Prelease -Dsign.keyPass=encrypted-passphrase= -Dsettings.security=~/.m2/settings-security.xml

Expected behavior Artifacts are signed.

Additional context My plugin configuration:

    <profile>
      <id>release</id>
      <build>
        <plugins>
          <plugin>
            <groupId>org.simplify4u.plugins</groupId>
            <artifactId>sign-maven-plugin</artifactId>
            <version>1.0.1</version>
            <executions>
              <execution>
                <goals>
                  <goal>sign</goal>
                </goals>
              </execution>
            </executions>
          </plugin>
        </plugins>
      </build>
    </profile>

vitalijr2 commented 2 years ago

I have tried to put a passphrase to POM, so my configuration looks like

          <plugin>
            <groupId>org.simplify4u.plugins</groupId>
            <artifactId>sign-maven-plugin</artifactId>
            <version>1.0.1</version>
            <executions>
              <execution>
                <goals>
                  <goal>sign</goal>
                </goals>
                <configuration>
                  <keyPass>non-encrypted-passphrase</keyPass>
                </configuration>
              </execution>
            </executions>
          </plugin>

In this case all works as expected.

But when I run a build with the property -Dsign.keyPass=.... it breaks again.

vitalijr2 commented 2 years ago

And finally I have found the root cause: the passphrase contains a dollar sign; when I escape it, the plugin works as expected. Sorry!
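The thread's conclusion is worth seeing in working code: the `checksum mismatch` thrown by BouncyCastle while extracting the private key is the symptom of the key material being decrypted with a wrong passphrase, and here the passphrase was wrong because the shell rewrote it before Maven ever saw `-Dsign.keyPass=...`. The snippet below is an added example, not code from the issue or from sign-maven-plugin; `pa$sword` is a constructed sample passphrase and `MY_KEY_PASS` is a constructed variable name. It reproduces what a POSIX shell hands to the JVM for the unquoted, single-quoted, escaped and variable-based forms, so you can see which ones keep the dollar sign intact.

```shell
#!/bin/sh
# Added example (not from the issue or the plugin): why a passphrase containing
# '$' breaks when passed as -Dsign.keyPass=... on the shell command line.
# 'pa$sword' is a constructed sample passphrase, MY_KEY_PASS a constructed name.

# Stand-in for the JVM: returns the keyPass value exactly as it arrived in argv,
# i.e. after the shell has finished expanding the argument.
keypass_as_received() {
    printf '%s' "${1#-Dsign.keyPass=}"
}

# Unquoted (same as double-quoted): the shell treats $sword as a variable
# reference, it is unset, so the passphrase collapses to "pa".
unquoted_value() {
    keypass_as_received -Dsign.keyPass=pa$sword
}

# Single quotes: no expansion at all, the dollar sign reaches Maven untouched.
single_quoted_value() {
    keypass_as_received '-Dsign.keyPass=pa$sword'
}

# Backslash escape inside double quotes: the fix the reporter ended up using.
escaped_value() {
    keypass_as_received "-Dsign.keyPass=pa\$sword"
}

# Reading the secret from a variable: the expansion of "$MY_KEY_PASS" is not
# re-scanned for further '$' references, so the content survives verbatim.
# This also keeps the literal passphrase out of shell history and process
# listings that show the raw command line.
from_variable_value() {
    MY_KEY_PASS='pa$sword'
    keypass_as_received "-Dsign.keyPass=$MY_KEY_PASS"
}

# Convenience check: does a given form deliver the passphrase unchanged?
passphrase_intact() {
    [ "$1" = 'pa$sword' ]
}

printf 'unquoted:      %s\n' "$(unquoted_value)"
printf 'single-quoted: %s\n' "$(single_quoted_value)"
printf 'escaped:       %s\n' "$(escaped_value)"
printf 'from variable: %s\n' "$(from_variable_value)"
```

The same rule explains why the in-POM `<keyPass>` configuration from the earlier comment worked: a value read from the POM never passes through a shell. If the passphrase must stay on the command line, single quotes or a variable expansion in double quotes are the forms that survive a `$`, and a wrong-passphrase symptom from the signer should be checked against the shell first before suspecting the key file.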