
Signing #1

Open
sebersole opened this issue Apr 25, 2022 · 5 comments

Comments

@sebersole

First, I apologize if this is not the correct place to ask usage questions - I could not find any mention in the project though of the expected place to ask them...

I've followed all of the setup for signing artifacts I could find related to this plugin, but cannot get it to work. Signing works fine - I can call the signing tasks themselves and they work. But when publishing, none are generated. I have this:

nexusPublishing {
	repositories {
		sonatype {
			username = ...
			password = ...
		}
	}
}


signing {
	required { !rootProject.ormVersion.isSnapshot && gradle.taskGraph.hasTask("publish") }

	def signingKey = findProperty('signingKey')
	def signingPassword = findProperty('signingPassword')

	useInMemoryPgpKeys(signingKey, signingPassword)

	sign publishing.publications.publishedArtifacts
}

The only difference I saw from the examples was:

//do not generate extra load on Nexus with new staging repository if signing fails
tasks.withType(io.github.gradlenexus.publishplugin.InitializeNexusStagingRepository).configureEach {
  shouldRunAfter(tasks.withType(Sign))
}

Which I don't think should affect whether signing happens or not.

I guess in general, could you point me to some documentation on defining signing with this plugin? Thanks!

@sebersole
Author

I may have found "the problem", though no idea why it is a problem. The signing happens on our CI server, so it was not immediately obvious. But digging through the Jenkins console I see this:

* What went wrong:
A problem was found with the configuration of task ':hibernate-jpamodelgen:signPublishedArtifactsPublication' (type 'Sign').
  - In plugin 'org.gradle.signing' type 'org.gradle.plugins.signing.Sign' property 'signatory.keyId' doesn't have a configured value.
    
    Reason: This property isn't marked as optional and no value has been configured.
    
    Possible solutions:
      1. Assign a value to 'signatory.keyId'.
      2. Mark property 'signatory.keyId' as optional.

But these should be picked up by command line properties, right? I have the following:

./gradlew sign -x test --no-scan \
    -Psigning.password=$SIGNING_PASS -Psigning.keyId=$SIGNING_KEY -Psigning.secretKeyRingFile=$SIGNING_KEYRING \
    -Psignatory.password=$SIGNING_PASS -Psignatory.keyId=$SIGNING_KEY -Psignatory.secretKeyRingFile=$SIGNING_KEYRING \

where $SIGNING_PASS, $SIGNING_KEY and $SIGNING_KEYRING come from the Jenkins Credentials plugin. They get used in other (Maven) builds so I know they are correct values.

@sebersole
Author

sebersole commented Apr 25, 2022

Someone on StackOverflow[1] indicated that the property names have changed from signing.* to signing.gnupg.*. I have tried with both and get the same failures. I should also mention I have tried all of these:

  1. Project properties (-P)
  2. System props (-D)
  3. Environment variables

All fail. Every combination fails.

[1] https://stackoverflow.com/questions/32816003/how-to-sign-with-gradle-and-gpg2

@szpak
Contributor

szpak commented Apr 25, 2022

-Psigning.keyId=$SIGNING_KEY

You use signing.keyId, but signingKey is expected by findProperty('signingKey'). I propose to log the values to stdout (log or println) to verify they are resolved properly. In addition, signing is performed in the Gradle execution with publishToSonatype closeAndReleaseSonatypeStagingRepository (you do not need to call gradlew sign before and you need to use -P... in the second call).

@sebersole
Author

Thanks for the reply @szpak !

That was a different iteration. Like I said, I was trying to just use the "new" settings someone mentioned on Stack Overflow. In that second iteration I have:

signing {
	useGpgCmd()
	sign publishing.publications.publishedArtifacts
}

and then have the command line I mentioned:

./gradlew sign -x test --no-scan \
    -Psigning.password=$SIGNING_PASS -Psigning.keyId=$SIGNING_KEY -Psigning.secretKeyRingFile=$SIGNING_KEYRING

and also tried (per SO post):

./gradlew sign -x test --no-scan \
    -Psigning.gnupg.password=$SIGNING_PASS -Psigning.gnupg.keyId=$SIGNING_KEY -Psigning.gnupg.secretKeyRingFile=$SIGNING_KEYRING

Neither command line worked.

@szpak
Contributor

szpak commented Apr 27, 2022

The best for CI would be useInMemoryPgpKeys() - see my blog post or the official documentation. We use it in this project and it works fine.

For your first configuration, remember that signingKey is not a key ID, but the key itself.

Having it failing on CI, please paste the command you call (on CI) and the error you have.

Btw, make sure you don't use a SNAPSHOT version as you explicitly disable signing for SNAPSHOTs.
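The in-memory key setup szpak recommends, with a fail-fast check for the key-ID-versus-key mix-up discussed above, as an added example (not code from this issue or from the plugin). It assumes the ASCII-armored private key and its passphrase arrive as the Gradle project properties `signingKey` and `signingPassword`, for instance exported by CI as `ORG_GRADLE_PROJECT_signingKey` and `ORG_GRADLE_PROJECT_signingPassword`, which Gradle maps to `-P` properties.

```groovy
// build.gradle (Groovy DSL) - added example, not the issue's or the plugin's code.
// Assumes `signing` and `maven-publish` are applied and the secrets are provided
// as project properties (-PsigningKey=... / -PsigningPassword=... or the
// ORG_GRADLE_PROJECT_* environment variables).
def signingKey = findProperty('signingKey')?.toString()
def signingPassword = findProperty('signingPassword')?.toString()

// Fail fast with a specific message instead of Gradle's generic
// "signatory.keyId doesn't have a configured value": the property must hold the
// exported key block itself, not a hex key ID.
if (signingKey != null && !signingKey.contains('-----BEGIN PGP PRIVATE KEY BLOCK-----')) {
    if (signingKey ==~ /(?i)(0x)?[0-9a-f]{8,40}/) {
        throw new GradleException(
            'signingKey looks like a key ID; it must be the ASCII-armored private key ' +
            '(e.g. the output of `gpg --armor --export-secret-keys <id>`)')
    }
    throw new GradleException('signingKey is not an ASCII-armored PGP private key block')
}

// Report only whether each secret resolved, never its value, so the CI log shows
// which source Gradle actually picked up.
logger.lifecycle("signing: key ${signingKey ? 'present' : 'MISSING'}, " +
                 "passphrase ${signingPassword ? 'present' : 'MISSING'}")

signing {
    // Sign releases only; snapshots build locally without any key material.
    required { !version.toString().endsWith('-SNAPSHOT') }
    useInMemoryPgpKeys(signingKey, signingPassword)
    sign publishing.publications
}
```

With this in place a single `./gradlew publishToSonatype closeAndReleaseSonatypeStagingRepository -PsigningKey=... -PsigningPassword=...` invocation signs and publishes; no separate `sign` call is needed.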
