
Publish command not working with sbt-ci-release compatible credentials

Open keynmol opened this issue 1 year ago • 0 comments

I have an org on GitHub that has been publishing libraries using sbt-ci-release since forever.

To do that, we set up the secrets, which I confirmed to be present in the GitHub Actions output:

PGP_PASSPHRASE: ***
PGP_SECRET: ***

SONATYPE_PASSWORD: ***
SONATYPE_USERNAME: ***

I've set up directives as such:

//> using publish.computeVersion git:tag
//> using publish.name smithy4s-fetch
//> using publish.organization tech.neander
//> using publish.repository "central"
//> using publish.secretKey env:PGP_SECRET
//> using publish.secretKeyPassword env:PGP_PASSPHRASE

But signing with default settings doesn't work:

 ⠁ Signed 0 / 4 files
 ⠁ Signed 0 / 4 files (1 on-going)
Exception in thread "main" java.lang.IllegalArgumentException: Can't find private key in the key ring.
    at scala.cli.signing.util.BouncycastleSigner$.readSecretKey(BouncycastleSigner.scala:165)
    at scala.cli.signing.commands.PgpSign$.run(PgpSign.scala:21)
    at scala.cli.signing.commands.PgpSign$.run(PgpSign.scala:17)
    at caseapp.core.app.CaseApp.main(CaseApp.scala:162)
    at caseapp.core.app.CommandsEntryPoint.main(CommandsEntryPoint.scala:115)
    at scala.cli.signing.ScalaCliSigning$.main(ScalaCliSigning.scala:35)
    at scala.cli.signing.ScalaCliSigning.main(ScalaCliSigning.scala)
 ⠁ Signed 1 / 4 files
 ✍️  Signed 1 files
 ✍️  Signed 1 files

In the end I was able to publish by writing GPG to a file using a bash script:

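#!/usr/bin/env bash
set -e
# Decode the base64-encoded secret key into a file
echo "$PGP_SECRET" | base64 -d -i - > /tmp/signing-key.gpg
# Import the key into the gpg keyring, supplying the passphrase on stdin
echo "$PGP_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import /tmp/signing-key.gpg
# Feed the current passphrase, then two empty lines, to --change-passphrase for the last secret key listed
(echo "$PGP_PASSPHRASE"; echo; echo) | gpg --command-fd 0 --pinentry-mode loopback --change-passphrase "$(gpg --list-secret-keys --with-colons 2> /dev/null | grep '^sec:' | cut --delimiter ':' --fields 5 | tail -n 1)"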

and using --signer gpg with the key ID. It's not very pretty, but I'm at least happy I managed to publish it.

My question is: what would it take to make sure credentials created by following sbt-ci-release steps can be made to work with scala-cli OOTB?

The repo in question is https://github.com/neandertech/smithy4s-fetch/

keynmol, Jul 04 '24 11:07
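Added example, not part of the original issue and not code from scala-cli or sbt-ci-release: a variant of the key-staging step in the workaround that decodes the secret into a 0600 file inside a fresh 0700 directory instead of a fixed path under /tmp, and rejects an empty or undecodable secret before gpg is called. The function names are hypothetical, and it assumes PGP_SECRET is base64-encoded, as the `base64 -d` step in the workaround implies.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, not scala-cli or sbt-ci-release APIs.
# Assumption: the secret is a base64-encoded key export (implied by `base64 -d` above).

# key_encoding FILE -> prints "armored" or "binary"; fails on an empty file.
key_encoding() {
  [ -s "$1" ] || return 1
  if head -n 1 "$1" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----'; then
    echo armored
  else
    echo binary
  fi
}

# stage_signing_key BASE64 -> prints the path of the decoded key file.
# The file is created 0600 inside a new, randomly named 0700 directory.
stage_signing_key() {
  [ -n "$1" ] || { echo "signing secret is empty" >&2; return 1; }
  dir=$(mktemp -d) || return 1
  chmod 700 "$dir"
  key="$dir/signing-key.gpg"
  if (umask 077; printf '%s' "$1" | base64 -d > "$key" 2>/dev/null) \
     && key_encoding "$key" > /dev/null; then
    printf '%s\n' "$key"
  else
    rm -rf "$dir"   # never leave a partial key behind
    echo "signing secret is not valid, non-empty base64" >&2
    return 1
  fi
}

# remove_signing_key FILE -> deletes the key file and its private directory.
remove_signing_key() {
  rm -rf "$(dirname "$1")"
}

# Usage in the CI step (gpg import command as in the workaround above):
#   key_file=$(stage_signing_key "$PGP_SECRET")
#   trap 'remove_signing_key "$key_file"' EXIT
#   echo "$PGP_PASSPHRASE" | gpg --pinentry-mode loopback --passphrase-fd 0 --import "$key_file"
```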