
Secret for publishing signed jars must be updated

Open emitc2h opened this issue 3 years ago • 3 comments

Following the recent sbt upgrade, the "publish signed jars" step broke because it relies on an encrypted file, travis/travis.tar, extracted in travis/extract.sh, which has some code in it that still relies on the old sbt. We need to either:

  • have someone with the right key/iv/passphrase decrypt the file to fix it
  • overhaul the publishing mechanism such that we don't keep encrypted secrets in the repo.

I haven't researched how to do the latter (and I may not have the time/resources), but it seems preferable in the long term and I assume other open source projects have figured it out.

We won't be able to make a new MLeap release until this is fixed.

emitc2h, Jul 21 '22 00:07

@ancasarb do you know anything about this?

jsleight, Jul 28 '22 14:07

@emitc2h @jsleight i have some idea about what's going wrong here.

i believe the issue is from this step https://github.com/combust/mleap/blob/master/travis/extract.sh and that travis.tar archive that it uses.

in the unsafe.credentials.sbt file that it generates, it likely has a first line

import com.typesafe.sbt.SbtPgp._

which looks like it should be changed to

import com.jsuereth.sbtpgp.SbtPgp._

from looking at https://github.com/sbt/sbt-pgp/commit/a8c3faefcb647e5f338d6f7d837c257750ee54e2

if any of you is more familiar with sbt-pgp, any help is greatly appreciated. i'll also try to understand a bit more how to fix this this week.

ancasarb, Sep 14 '22 20:09
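
The import rename suggested in the comment above, as an added example (not from the MLeap repository or from the commenter): a POSIX shell function that a CI step could run on the generated unsafe.credentials.sbt after extraction. The function name and return codes are assumptions; the two import paths are the ones quoted in the comment, and the function never prints the file's contents, since the file name indicates it holds credentials.

```shell
#!/bin/sh
# Added example: migrate the legacy sbt-pgp import in a generated .sbt file.
# migrate_sbtpgp_import is a hypothetical helper, not part of MLeap or sbt-pgp.
#
# Return codes (assumed convention):
#   0 = legacy import found and rewritten
#   1 = no legacy import present (already migrated, nothing to do)
#   2 = file missing or unreadable
#   3 = rewrite failed; original file left untouched
migrate_sbtpgp_import() {
    file=$1
    [ -f "$file" ] && [ -r "$file" ] || return 2

    # grep -q: report only via exit status, never echo lines from a secrets file.
    grep -q '^[[:space:]]*import[[:space:]][[:space:]]*com\.typesafe\.sbt\.SbtPgp' \
        "$file" || return 1

    # mktemp creates the temp file with owner-only permissions, so the
    # credentials are not exposed to other users while being rewritten.
    tmp=$(mktemp "${file}.XXXXXX") || return 3

    # Rewrite only import lines; every other line is copied through unchanged.
    if sed 's/^\([[:space:]]*import[[:space:]][[:space:]]*\)com\.typesafe\.sbt\.SbtPgp/\1com.jsuereth.sbtpgp.SbtPgp/' \
        "$file" > "$tmp" && mv "$tmp" "$file"; then
        return 0
    fi

    rm -f "$tmp"
    return 3
}
```

Because the function is idempotent, it can stay in the pipeline after the archive itself has been regenerated with the new import.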

@emitc2h @jsleight i can share the secrets as well, if you just ping me an email.

ancasarb, Sep 14 '22 20:09