sbt / sbt-ci-release

sbt plugin to automate Sonatype releases from GitHub Actions
Apache License 2.0

GPG failure #225

Closed mijicd closed 2 years ago

mijicd commented 2 years ago

I recently noticed a few of our builds failing with the following GPG error:

[error] java.lang.RuntimeException: Failure running 'gpg --batch --pinentry-mode loopback --passphrase *** --detach-sign --armor --use-agent --output /home/runner/work/zio/zio/concurrent/native/target/scala-2.11/zio-concurrent_native0.4_2.11-2.0.0-RC2.pom.asc /home/runner/work/zio/zio/concurrent/native/target/scala-2.11/zio-concurrent_native0.4_2.11-2.0.0-RC2.pom'.  Exit code: 2
[error]     at scala.sys.package$.error(package.scala:30)
[error]     at com.jsuereth.sbtpgp.CommandLineGpgSigner.sign(PgpSigner.scala:74)
[error]     at com.jsuereth.sbtpgp.PgpSettings$.$anonfun$signingSettings$2(PgpSettings.scala:151)
[error]     at scala.collection.TraversableLike.$anonfun$flatMap$1(TraversableLike.scala:293)
[error]     at scala.collection.immutable.Map$Map4.foreach(Map.scala:493)
[error]     at scala.collection.TraversableLike.flatMap(TraversableLike.scala:293)
[error]     at scala.collection.TraversableLike.flatMap$(TraversableLike.scala:290)
[error]     at scala.collection.AbstractTraversable.flatMap(Traversable.scala:108)
[error]     at com.jsuereth.sbtpgp.PgpSettings$.$anonfun$signingSettings$1(PgpSettings.scala:146)
[error]     at scala.Function1.$anonfun$compose$1(Function1.scala:49)
[error]     at sbt.internal.util.$tilde$greater.$anonfun$$u2219$1(TypeFunctions.scala:62)
[error]     at sbt.std.Transform$$anon$4.work(Transform.scala:68)
[error]     at sbt.Execute.$anonfun$submit$2(Execute.scala:282)
[error]     at sbt.internal.util.ErrorHandling$.wideConvert(ErrorHandling.scala:23)
[error]     at sbt.Execute.work(Execute.scala:291)
[error]     at sbt.Execute.$anonfun$submit$1(Execute.scala:282)
[error]     at sbt.ConcurrentRestrictions$$anon$4.$anonfun$submitValid$1(ConcurrentRestrictions.scala:265)
[error]     at sbt.CompletionService$$anon$2.call(CompletionService.scala:64)
[error]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error]     at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
[error]     at java.util.concurrent.FutureTask.run(FutureTask.java:266)
[error]     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
[error]     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
[error]     at java.lang.Thread.run(Thread.java:748)

You can find the complete failure log in the following builds:

We're running sbt-ci-release 1.5.10 and GPG 2.2.19. I can confirm that we didn't change the keys since our last successful build and that they're still valid.

While trying to mitigate the issue, I found this article by @eed3si9n and tried the approach with a helper script, but later on, I realized it's already a part of the plugin and doesn't fix the problem.

I'd appreciate it if you could give me some advice on how to solve the problem :pray: .

mijicd commented 2 years ago

Update: I suspected that the expired key was causing this issue, so I created a new one and updated the environment variables accordingly. Unfortunately, the problem is still present.

ahjohannessen commented 2 years ago

Getting the same error

eed3si9n commented 2 years ago

Not sure what the root cause is but the key observation is that the log says:

[info] gpg: no default secret key: No secret key
[info] gpg: signing failed: No secret key

Also is the key registered to https://keyserver.ubuntu.com/?

mijicd commented 2 years ago

> Also is the key registered to https://keyserver.ubuntu.com/?

That's the odd part: both the old key and the one I replaced it with are registered.

eed3si9n commented 2 years ago

I just published sbt-pgp 2.2.0-M2 using sbt-ci-release 1.5.10 as a test - https://github.com/sbt/sbt-pgp/runs/4993903219. There was a hiccup of sbt-sonatype not picking up the staging repo status after it was released, but the GPG signing part worked fine for me:

[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2.jar
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2-javadoc.jar
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2.jar.asc
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2-javadoc.jar.asc
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2.pom.asc
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2-sources.jar
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2-sources.jar.asc
[info]  published sbt-pgp to /home/runner/work/sbt-pgp/sbt-pgp/target/sonatype-staging/2.2.0-M2/com/github/sbt/sbt-pgp_2.12_1.0/2.2.0-M2/sbt-pgp-2.2.0-M2.pom

afaict the same version of gpg:

Running ci-release.
  branch=refs/tags/v2.2.0-M2
gpg (GnuPG) 2.2.19

mijicd commented 2 years ago

After your message, I decided to restart the process using the second key, and it turns out I made a mistake when setting the PGP_SECRET value. Once I fixed that, we got a successful build!

Thank you very much for checking out, and sorry for the disturbance!
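
The cause found in this thread (a wrong PGP_SECRET value, surfacing as gpg's "No secret key") can be caught before the signing step. The pre-flight check below is an added example, not code from the thread or from sbt-ci-release; the function names are hypothetical and the sample values are constructed. It assumes PGP_SECRET holds the base64 encoding of an ASCII-armored secret-key export.

```shell
#!/bin/sh
# Added example: pre-flight check for the PGP_SECRET CI variable.
# Assumption: it holds base64 of `gpg --armor --export-secret-keys` output.

# Print a one-word verdict for VALUE; return 0 only for "ok".
classify_pgp_secret() {
  local value="$1" decoded
  [ -n "$value" ] || { echo empty; return 1; }
  # Armor pasted as-is, without base64-encoding it first.
  case "$value" in
    *"-----BEGIN PGP"*) echo not-base64; return 1 ;;
  esac
  # Strip whitespace left by line-wrapped base64 before decoding.
  decoded="$(printf '%s' "$value" | tr -d ' \n\r\t' | base64 -d 2>/dev/null)" ||
    { echo not-base64; return 1; }
  case "$decoded" in
    *"-----BEGIN PGP PUBLIC KEY BLOCK-----"*) echo public-key; return 1 ;;
    *"-----BEGIN PGP PRIVATE KEY BLOCK-----"*) ;;
    *) echo no-armor-header; return 1 ;;
  esac
  case "$decoded" in
    *"-----END PGP PRIVATE KEY BLOCK-----"*) echo ok ;;
    *) echo truncated; return 1 ;;
  esac
}

# Import VALUE into a throwaway keyring and print how many secret keys gpg
# then lists; 0 is the state behind "gpg: no default secret key" (needs gpg).
count_secret_keys() {
  local home n
  home="$(mktemp -d)" || return 1
  printf '%s' "$1" | tr -d ' \n\r\t' | base64 -d 2>/dev/null |
    gpg --batch --quiet --homedir "$home" --import >/dev/null 2>&1 || true
  n="$(gpg --batch --homedir "$home" --list-secret-keys --with-colons \
        2>/dev/null | grep -c '^sec')" || true
  rm -rf "$home"
  echo "${n:-0}"
}

# Constructed sample input: armor framing only, not a real key.
sample_armor='-----BEGIN PGP PRIVATE KEY BLOCK-----

bm90IGEgcmVhbCBrZXk=
-----END PGP PRIVATE KEY BLOCK-----'
sample_good="$(printf '%s\n' "$sample_armor" | base64 | tr -d '\n')"
sample_truncated="$(printf '%s' "$sample_good" | cut -c1-60)"
sample_public="$(printf '%s' "$sample_armor" | sed 's/PRIVATE/PUBLIC/' |
  base64 | tr -d '\n')"
```

In a workflow, `classify_pgp_secret "$PGP_SECRET"` would run as a step before the release task, so a malformed secret fails the job with a specific verdict and without printing the value.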