-
Notifications
You must be signed in to change notification settings - Fork 744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Action is not compatible with latest versions of maven-gpg-plugin #668
Comments
Hi @loesak 👋, |
Hello @loesak, Thank you for creating this issue. We tried to reproduce it on Ubuntu and macOS environments, but were unable to do so. We used a different environment variable name for the GPG passphrase than MAVEN_GPG_PASSPHRASE with the maven-gpg-plugin version 3.2.4. The process was successful by setting pinentry to loopback without adding passphraseEnvName. Please find the screenshots for reference.
|
Okay. Give me a few days to create a proof of concept repo for this issue. |
Okay. Here is a repository that demonstrates the issue. It also demonstrates the workarounds. It also demonstrates adding pinentry loopback to maven configuration no longer relevant. https://github.com/loesak/github-setupjava-issue-668-poc You state you couldn't reproduce using 3.2.4 but the maven snippet you provided is referencing version 3.1.0. Maybe that's why you cannot reproduce?. Here is the documentation from that repo's readme. github-setupjava-issue-668-pocThis repository is a demonstration of the issue identified in the above linked github issue. ScenariosBranch 'main'The code in this branch demonstrates a working build. It is using the workaround identified where using the maven gpg plugin default environment variable name of Also note that the debug output for the maven gpg plugin already includes the argument You can view the contents of this branch here: Here is the associated successful build: Branch 'workaround-specify-non-default-environment-variable-name'The code in this branch demonstrates a working build. It is using the workaround identified where an environment variable name for the GPG passphrase that is not the maven gpg plugin default environment variable name is desired. The environment variable name is specified in both the GitHub workflow file and in the pom.xml file. Also note that the debug output for the maven gpg plugin already includes the argument You can compare the changes to the main branch in this pull request: And here is the associated successful build: Branch 'broken-use-alternative-environment-variable-name-no-loopback'The code in this branch demonstrates the initial issue that worked with earlier versions of the maven gpg plugin. Here an alternative environment variable name is provided for the gpg passphrase without specifying the environment variable name in the maven gpg plugin configuration. This also does not include the pinentry loopback configuration. The build fails because the maven gpg plugin cannot find the gpg passphrase to use for artifact signing. Also note that the debug output for the maven gpg plugin already includes the argument You can compare the changes to the main branch in this pull request: And here is the associated successful build: Branch 'broken-use-alternative-environment-variable-name-yes-loopback'The code in this branch is the same as the Also note that the debug output for the maven gpg plugin now includes two arguments for You can compare the changes to the main branch in this pull request: And here is the associated successful build: |
Hello @loesak, Thank you for pointing that out.We have used version 3.2.4 for the maven-gpg-plugin along with the --pinentry-mode loopback setup, which has made the run successful. For the maven-gpg-plugin version from 2.1 and later(e.g. 3.2.4), The --pinentry-mode loopback argument is indeed included in the GPG signing command for the default environment variable MAVEN_GPG_PASSPHRASE and it ensures that the GPG signing process does not prompt for passphrase input. Instead, it reads the passphrase from the environment variable or configuration file. However, if you are using a non-default environment variable for the GPG passphrase, you will need to explicitly add the --pinentry-mode loopback argument in your pom.xml configuration as mentioned. org.apache.maven.plugins maven-gpg-plugin 1.6 sign --pinentry-mode loopback gpg.passphraseBy explicitly specifying the --pinentry-mode loopback argument in your pom.xml configuration, you ensure that the GPG signing process correctly reads the passphrase from the specified environment variable, whether it is the default MAVEN_GPG_PASSPHRASE or a custom environment variable. We are working to update the documentation to provide clarity for both the default MAVEN_GPG_PASSPHRASE and custom environment variables. We will update the PR details with the documentation update. |
This isn't true, at least with latest versions of the maven plugin. As I demonstrate in my branch "workaround-specify-non-default-environment-variable-name", no loopback configuration in the pom.xml is provided and signing works. |
1 similar comment
This isn't true, at least with latest versions of the maven plugin. As I demonstrate in my branch "workaround-specify-non-default-environment-variable-name", no loopback configuration in the pom.xml is provided and signing works. |
Hello @loesak, Thank you for your response. I believe there is some misunderstanding about the Maven commands we are using. Based on our investigation and the workflow runs, we have confirmed the following:
|
Hello @loesak , Based on maven-gpg-issue#30 comments, the GPG-signing failures of Maven artifacts on Windows runners are not directly related to the actions/setup-java repository. The release of maven-gpg-plugin version 3.2.7 should resolve the issue. Therefore, we are closing this issue. Please feel free to reach out if you need further assistance or clarification to reopen this issue. |
I am happily signing and deploying artifacts w/o specifying Maven GPG Plugin Configuration: https://github.com/loesak/esque/blob/master/pom.xml#L77 It does not matter if you call
Your credibility, and thus the credibility of GitHub and Microsoft, is seriously in question (not that Microsoft's credibility isn't already in question) if this is the quality of response for such a simple issue report. |
Description:
This action is no longer fully compatible with later versions of the
maven-gpg-plugin
.The action takes the variable
gpg-passphrase
which is expected to be the environment variable that holds the value of the secret key, and sets the maven variablegpg.passphrase
in thesettings.xml
file to the value of the environment variable. The original expectation here is that the passphrase will be provided viapinentry
during signing. In later versions of themaven-pgp-plugin
,pinentry
was disabled and the plugin variablepassphrase
was deprecated.It is now expected that the passphrase is taken from an environment variable directly by the plugin. The plugin expects the environment variable name to be either the default of
MAVEN_GPG_PASSPHRASE
or provided via the configuration property ofpassphraseEnvName
.If you used this action with the
maven-gpg-plugin
version1.6
and set the value for action variablegpg-passphrase
to anything other than the default, it would work. However, after upgrading to a later version (e.g.3.2.4
) the build would fail.If the value for the action variable
gpg-passphrase
was set to the expected default ofMAVEN_GPG_PASSPHRASE
(as is shown in GitHub example documentation), then the build would continue to work.Another workaround if wanting to use an environment variable name other than default is to omit the action variable
gpg-passphrase
from the action configuration and specify the alternative variable name in the maven plugin configuration using the configuration variable namepassphraseEnvName
Also note that the documentation for advance usage related to GPG signing contains documentation about setting pinentry to loopback. This also no longer working in later versions of the
maven-gpg-plugin
.Task version:
All
Platform:
Runner type:
Repro steps:
Specify a different environment variable name for
gpg-passphrase
thanMAVEN_GPG_PASSPHRASE
And use version
3.2.4
of themaven-gpg-plugin
as such:Expected behavior:
Build runs successfully
Actual behavior:
Build fails with error during signing.
The text was updated successfully, but these errors were encountered: