Can't get signing to work #100

Open
devinfluencer opened this issue Aug 9, 2024 · 3 comments

Hey ctron,

I can't get signing on Windows to work. I installed GPG and created/imported a secret key.
I always get Unable to load GPG key '4A9CC3A2' from 'C:\Users\thomas\AppData\Roaming\gnupg\pubring.kbx'.
My pom.xml snippet is

                        <signature>
                            <skip>false</skip>
                            <keyId>4A9CC3A2</keyId>
                            <keyringFile>${user.home}/AppData/Roaming/gnupg/pubring.kbx</keyringFile>
                            <passphrase>secret</passphrase>
                        </signature>

gpg has the following entry:

gpg --list-secret-keys --keyid-format short
C:\Users\thomas\AppData\Roaming\gnupg\pubring.kbx
-------------------------------------------------
sec   rsa2048/4A9CC3A2 2024-08-07 [SC]
      3BBA7450DD527E34BA3BF707DC0EFA7E4A9CC3A2
uid      [ unbekannt ] Package Manager (GPG Code signing key) <[email protected]>

I noticed in newer versions (>>2.3, README) gpg can use a sqlite db for storing keys. First my setup used this mode and it didn't work. I then changed mode and reimported the key but to no avail.
Does rpm-builder support both modes?

Thanks,
Thomas

Btw, creating the rpm without signing and using gpg manually to sign afterwards worked.

ctron (Owner) commented Aug 9, 2024

I haven't used it in quite a while. So I am not sure I can help.

csGrebo commented Aug 10, 2024

So, I've run into this particular issue before working on an experiment. Unfortunately, the proper fix looks to require a fair bit of updates throughout the dependency chain.

My chasing through the code yielded this:
The mojo calls Eclipse Packager's PgpHelper, which in turn goes to BouncyCastle. The issue there is that BouncyCastle does not have proper support for GPG 2.2+ Keybox files, especially for handling the secret/private keys.

See bcgit/bc-java#794 and bcgit/bc-java#1320

The interim solution that I've ended up using is to export the required key pairs to a legacy keyring and feed that into the plugin, since thankfully the main keyring/keybox is not required.

JGit has a solution, but it'd need a fair bit of retooling to work outside of the full infrastructure that JGit uses
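
A pre-flight check for the situation described in the comment above (an added example, not part of the thread and not rpm-builder's own code): it reads the first bytes of a key file and reports whether it is a GnuPG keybox or a legacy OpenPGP keyring that begins with a secret-key packet. The function names and sample byte strings are constructed for illustration; the keybox header magic and the packet-tag layout follow the GnuPG keybox and OpenPGP (RFC 4880) formats.

```python
import struct
import sys

# OpenPGP packet tags (RFC 4880): 5 = secret key, 6 = public key.
TAG_NAMES = {5: "openpgp-secret-keyring", 6: "openpgp-public-keyring"}

# Constructed sample inputs, not taken from a real key.
KBX_HEADER = struct.pack(">IBBH", 32, 1, 1, 0) + b"KBXf" + bytes(20)
LEGACY_SECRET = bytes([0x95, 0x03, 0xBE, 0x04])  # old-format header, tag 5
LEGACY_PUBLIC = bytes([0x99, 0x01, 0x0D, 0x04])  # old-format header, tag 6


def classify_keyring(data: bytes) -> str:
    """Classify a key file from its leading bytes."""
    # Keybox: first blob is a header blob (type 1) with magic "KBXf" at offset 8.
    if len(data) >= 12 and data[4] == 1 and data[8:12] == b"KBXf":
        return "keybox"
    if data.lstrip().startswith(b"-----BEGIN PGP"):
        return "ascii-armored"
    # Every binary OpenPGP packet header has bit 7 set.
    if not data or not data[0] & 0x80:
        return "unknown"
    first = data[0]
    # Bit 6 set: new header format, tag in bits 5-0. Clear: old format, tag in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return TAG_NAMES.get(tag, "unknown")


def looks_like_legacy_secret_keyring(data: bytes) -> bool:
    """True only for a binary keyring whose first packet is a secret key."""
    return classify_keyring(data) == "openpgp-secret-keyring"


def check_file(path: str) -> str:
    """Classify the file at `path` by reading its first 64 bytes."""
    with open(path, "rb") as fh:
        return classify_keyring(fh.read(64))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        kind = check_file(path)
        print(f"{path}: {kind}")
        if kind == "keybox":
            print("  keybox file: export the key pair to a legacy keyring first")
```

Run it against the file named in `<keyringFile>` before building; a result of `keybox` matches the failing configuration in this issue.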

@devinfluencer (Author)

Thanks a lot.
I installed the GPG 1.4 legacy version and imported my private key.
Now rpm-builder signs.
