From 2ad59b9f802e051dabcad42dbfd64f6e8d57b808 Mon Sep 17 00:00:00 2001
From: Ali Beyad
Date: Mon, 3 Jun 2024 14:57:27 +0000
Subject: [PATCH] ci/mobile: Update the Mobile Release job GPG commands and instructions
Signed-off-by: Ali Beyad
---
.github/workflows/mobile-release.yml | 15 +++-----
.../root/development/releasing/releasing.rst | 34 ++++++++++---------
2 files changed, 22 insertions(+), 27 deletions(-)
diff --git a/.github/workflows/mobile-release.yml b/.github/workflows/mobile-release.yml
index bba5b626eeaf..46f0fbed3521 100644
--- a/.github/workflows/mobile-release.yml
+++ b/.github/workflows/mobile-release.yml
@@ -109,17 +109,10 @@ jobs:
- name: 'Configure gpg signing'
env:
GPG_KEY: ${{ secrets.EM_GPG_KEY }}
- GPG_KEY_NAME: ${{ secrets.EM_GPG_KEY_NAME }}
GPG_PASSPHRASE: ${{ secrets.EM_GPG_PASSPHRASE }}
run: |
# https://github.com/keybase/keybase-issues/issues/2798
export GPG_TTY=$(tty)
- # The key ID C9ADE25A75333454 was obtained from a previous
- # run of the Mobile Release job. The key ID is consistent
- # between runs. Hard-coding the key ID is more straightforward
- # than using `list-secret-keys` to parse out the correct
- # key ID.
- export GPG_DEFAULT_KEY=C9ADE25A75333454
# Import gpg keys and warm the passphrase to avoid the gpg
# passphrase prompt when initating a deploy
# `--pinentry-mode=loopback` could be needed to ensure we
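Review bot: After removing `GPG_KEY_NAME` and the `GPG_DEFAULT_KEY` export, nothing in this step records which secret key the later signing commands will use; gpg falls back to the first secret key in its keyring, which is the release key only because a fresh runner keyring is otherwise empty. That assumption deserves a comment next to the surviving `# Import gpg keys and warm the passphrase ...` text, for example `# No key is pinned: gpg signs with its first secret key, so the runner keyring must contain only the key imported below.` If a self-hosted runner or an earlier step ever imports another key, signing would silently switch keys rather than fail, so pinning by the fingerprint of the imported file is worth considering. The `run:` script continues past the end of this hunk.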
@@ -128,10 +121,10 @@ jobs:
gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
shred signing-key
- gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
- gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
- gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
- gpg --default-key $GPG_DEFAULT_KEY --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
+ gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}.aar
+ gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-pom.xml
+ gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-javadoc.jar
+ gpg --pinentry-mode=loopback --passphrase $GPG_PASSPHRASE -ab ${{ matrix.output }}-sources.jar
- name: 'Release to sonatype repository'
env:
READWRITE_USER: ${{ secrets.EM_SONATYPE_USER }}
diff --git a/mobile/docs/root/development/releasing/releasing.rst b/mobile/docs/root/development/releasing/releasing.rst
index f7914b93de9a..3a85c27766c2 100644
--- a/mobile/docs/root/development/releasing/releasing.rst
+++ b/mobile/docs/root/development/releasing/releasing.rst
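Review bot: The four added `gpg ... -ab` lines no longer select a signing key, so gpg signs with whichever secret key it finds first in the keyring; that is the release key only while the keyring holds nothing but the key imported two lines above, and a second key would produce a release signed by the wrong key without any error. The passphrase is also passed on the command line as an unquoted `$GPG_PASSPHRASE`, where it is visible in the runner's process list and would be echoed into the job log if the script were ever run with `set -x`. Read the fingerprint out of `signing-key` before it is shredded (`--import-options show-only` needs gpg 2.1.14 or newer), pass it with `--local-user`, and supply the passphrase on stdin with `--passphrase-fd 0`. The enclosing `run:` script starts before this hunk, so the import line these commands depend on appears here only as context.
```shell
# Pin signing to the key carried in the secret instead of gpg's first secret key.
KEY_FPR=$(gpg --batch --with-colons --import-options show-only --import signing-key | awk -F: '$1 == "fpr" { print $10; exit }')
shred signing-key
for artifact in "${{ matrix.output }}.aar" "${{ matrix.output }}-pom.xml" "${{ matrix.output }}-javadoc.jar" "${{ matrix.output }}-sources.jar"; do
  printf '%s' "$GPG_PASSPHRASE" | gpg --batch --local-user "$KEY_FPR" --pinentry-mode=loopback --passphrase-fd 0 -ab "$artifact"
done
```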
@@ -37,29 +37,31 @@ For example: January 25, 2020: ``0.3.1.20200125``.
GPG Key
======================
-On 2024-04-20 the GPG key used to sign releases will expire. To extend the key's expiration date,
-follow these steps:
+NOTE: The `gpg` commands below may require running with `sudo`.
-Import the key locally::
+To update the GPG key, use the following steps:
+
+1. Generate a new GPG public/private key pair and follow the interactive prompt.
+
+ $ gpg --full-generate-key
+
+2. As part of GPG key generation, you will create a PASSPHRASE. Note it down.
+3. For the `Real Name`, enter `Envoy Release Bot` and for the `email`, enter `noreply@envoyproxy.io`.
+4. After the generate key command has finished, run the following to see the key that was created:
- $ echo $GPG_KEY | base64 --decode > signing-key
- $ gpg --passphrase $GPG_PASSPHRASE --batch --import signing-key
$ gpg --list-keys
-Follow the instructions here on
-`Dealing with Expired Keys `_
-to extend the key and sub key expiration dates.
+5. Use the key ID from the `--list-keys` command to show the private key:
-Re-distribute the new public key:
+ $ gpg --armor --export-secret-keys $KEY_ID
- $ gpg --keyserver keyserver.ubuntu.com --send-keys $KEY_ID
+6. Re-distribute the new public key:
-Export the public/private keys, store them in a safe place::
+ $ gpg --keyserver keyserver.ubuntu.com --send-keys $KEY_ID
- $ gpg -a --export $KEY_ID > envoy.mobile.gpg.public
- $ gpg -a --export-secret-keys $KEY_ID > envoy.mobile.gpg.private
+7. Ask an Envoy GitHub repo admin to update the following secrets:
-Update the GitHub Action ``GPG_KEY`` secret with the Base64 encoded value
-of the private key.
+ .. code-block:: console
- $ cat envoy.mobile.gpg.private | base64
+ EM_GPG_PASSPHRASE=
+ EM_GPG_KEY=