Add GPG Signature to "flow-php.phar" artifact #680
Conversation
that was quick! I'm going to merge it tomorrow morning after setting gh secrets, I'm kind of brain dead today 😅
no rush! I was procrastinating here and wanted to do something useful :) glad to help!
Thanks @flavioheleno next release is going to be signed 🚀
run: > | ||
gpg | ||
--local-user ${{ env.GPG_USER_EMAIL }} | ||
--passphrase ${{ secrets.GPG_PASSPHRASE }} |
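Review bot: --passphrase on this gpg line is only honoured when --batch is also given and, on GnuPG 2.1 and later, --pinentry-mode loopback is set as well (this is documented under --passphrase in gpg(1)); without those two options gpg asks gpg-agent for the passphrase through pinentry, which has no terminal on a CI runner, so the step can hang or fail depending on the gpg version installed. Suggest "gpg --batch --pinentry-mode loopback --local-user ${{ env.GPG_USER_EMAIL }} --passphrase ${{ secrets.GPG_PASSPHRASE }}". Separately, passing the secret as a command-line argument exposes it in the runner's process list; feeding it on stdin with --passphrase-fd 0 avoids that.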
hey @flavioheleno I just checked and gpg does not seem to have --passphrase option, at least in version 2.4.3.
I was trying to sign it up locally and it still showed me a password prompt
I just tried it with gpg 2.2.41 and it worked, the workflow uses gpg 2.2.27 (you can check it here: https://github.com/flavioheleno/watchr/actions/runs/6320066502/job/17162028645).
I'll take a look and see if anything has changed in between releases in the mean time.
note: it will show the password prompt if you pass an invalid password to --passphrase.
it seems that gpg 2.3+ is slowly replacing the word passphrase with the word password, which may be causing the error on your end.
as we are using a fixed commit hash for this specific workflow (crazy-max/ghaction-import-gpg@72b6676b71ab476b77e676928516f6982eef7a41) there will be no problem as long as it is kept this way, but once it gets updated, a review shall be required to ensure it doesn't break.
details here: https://dev.gnupg.org/T3902
Is it possible that it works not because of the --passphrase option here but through the Import GPG Key step?
Could you try it without providing --passphrase to see if anything changes? It seems to not be available on the list of options, which makes me think that it might be redundant here.
Not having --passphrase as an option makes sense as it won't keep the plain password in shell history.
$ gpg --help
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /Users/norbert/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-signatures list keys and signatures
--check-signatures list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--generate-key generate a new key pair
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--quick-revoke-sig quickly revoke a key signature
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--change-passphrase change a passphrase
--export export keys
--send-keys export keys to a keyserver
--receive-keys import keys from a keyserver
--search-keys search for keys on a keyserver
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--edit-card change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key
Options controlling the diagnostic output:
-v, --verbose verbose
-q, --quiet be somewhat more quiet
--options FILE read options from FILE
--log-file FILE write server mode logs to FILE
Options controlling the configuration:
--default-key NAME use NAME as default secret key
--encrypt-to NAME encrypt to user ID NAME as well
--group SPEC set up email aliases
--openpgp use strict OpenPGP behavior
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
Options controlling the output:
-a, --armor create ascii armored output
-o, --output FILE write output to FILE
--textmode use canonical text mode
-z N set compress level to N (0 disables)
Options controlling key import and export:
--auto-key-locate MECHANISMS use MECHANISMS to locate keys by mail address
--auto-key-import import missing key from a signature
--include-key-block include the public key in signatures
--disable-dirmngr disable all access to the dirmngr
Options to specify keys:
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
(See the man page for a complete listing of all commands and options)
Examples:
-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints
Please report bugs to <https://bugs.gnupg.org>.
Hey, sorry, I did not see your reply earlier.
I've tried the same command without --passphrase and it prompts for it.
It works not because of "Import GPG Key" step, it works because it is a valid command option for the version installed on the runner.
If you check gpg(1), you'll see the following section, where --passphrase is defined:
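A local reproduction of the signing step discussed in this thread, added here as an example and not taken from the PR or the flow-php project. It generates a throwaway key in a temporary GNUPGHOME, signs a constructed stand-in for flow-php.phar with the --batch / --pinentry-mode loopback form that gpg(1) documents as required for --passphrase on GnuPG 2.1 and later, and then verifies the detached .asc the way a release consumer would, including the case where the artifact was altered after signing. The e-mail address, passphrase and phar contents are constructed stand-ins for the workflow's secrets and artifact.

```shell
#!/bin/sh
# Added example, not code from the flow-php PR: reproduce the release signing
# step locally with a throwaway key and verify the result like a downloader would.
set -eu

# Constructed stand-ins for the workflow's GPG_USER_EMAIL / GPG_PASSPHRASE secrets.
GPG_USER_EMAIL="${GPG_USER_EMAIL:-release-bot@example.invalid}"
GPG_PASSPHRASE="${GPG_PASSPHRASE:-constructed-demo-passphrase}"

# Isolated keyring so the demo never touches the caller's ~/.gnupg.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
# Older 2.1.x agents need this to accept a passphrase supplied by gpg itself.
echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"

# gpg(1): --passphrase is honoured only with --batch and, since 2.1,
# --pinentry-mode loopback; otherwise gpg-agent opens a pinentry prompt.
make_throwaway_key() {
  gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
      --quick-generate-key "$GPG_USER_EMAIL" ed25519 sign 1d
}

# Detached, ASCII-armoured signature next to the artifact (phar -> phar.asc),
# which is what the workflow uploads as flow-php.phar.asc.
sign_artifact() {
  artifact="$1"
  gpg --batch --yes --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
      --local-user "$GPG_USER_EMAIL" \
      --armor --detach-sign --output "$artifact.asc" "$artifact"
}

# Consumer-side check: prints "ok" if the .asc matches the file, "tampered" otherwise.
verify_artifact() {
  artifact="$1"
  if gpg --batch --verify "$artifact.asc" "$artifact" >/dev/null 2>&1; then
    echo ok
  else
    echo tampered
  fi
}

# Sign a constructed stand-in for flow-php.phar, verify it, corrupt it, verify again.
demo() {
  work="$(mktemp -d)"
  phar="$work/flow-php.phar"
  printf '<?php echo "constructed stand-in for the phar";\n' > "$phar"
  make_throwaway_key >/dev/null 2>&1
  sign_artifact "$phar" >/dev/null 2>&1
  before="$(verify_artifact "$phar")"
  printf 'X' >> "$phar"               # one extra byte: the signature must now fail
  after="$(verify_artifact "$phar")"
  rm -rf "$work"
  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
  echo "$before $after"               # expected: ok tampered
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as "sh sign-demo.sh run"; it prints "ok tampered". The verify_artifact function is the half that matters to users of the release: the .asc is only useful if downloaders actually run gpg --verify against it with the project's published public key.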
Change Log
Added
Description
This PR adds two new steps to build-release workflow:
- GPG_PRIVATE_KEY, a GH secret) - it's a good practice to secure such key with a passphrase (GPG_PASSPHRASE, also a GH secret);
- GPG_USER_EMAIL (format: user@host.tld).
It also includes the new flow-php.phar.asc artifact to "Upload binaries to release" step.
Closes #512