Guardian developers: further docs here.
There are 4 steps to performing a credential rotation on the PGP key used by gha-scala-library-release-workflow: generate a new keypair, publish its public key to a keyserver, store its private key in a GitHub secret, and finally get rid of the unprotected private key left on your own machine.
1. Generate a new keypair

The keypair should have a passphrase-less private key - if you're generating the keypair, just enter blank passphrases when prompted:

```
gpg --quick-generate-key "Example Automated Maven Release <[email protected]>"
```

This prints the new key's 40-hex-digit fingerprint, e.g. `EF53C0E05A7067985C09F1B2AAE7330D94C67345`. Note that the "key id" Maven Central quotes in its error messages is the *long key id*, i.e. the last 16 hex digits of that fingerprint (`AAE7330D94C67345` for this example), so that is what to search for on a keyserver.
2. Publish the public key to a keyserver

Maven Central requires that the public PGP key is published to public keyservers - it will reject artifacts that are signed with an unknown PGP key:

```
Failed: signature-staging, failureMessage:No public key: Key with id: (aae7330d94c67345) was not able to be located on http://pgp.mit.edu:11371/. Upload your public key and try the operation again.
```

The official instructions say to publish the key with `gpg --keyserver ... --send-keys`, but unfortunately this gives

```
gpg: keyserver send failed: Network is unreachable
```

errors - so instead we have to manually paste our key into a web form on a PGP keyserver website.
Execute this command to get the new public key copied into your clipboard (`pbcopy` is the macOS clipboard command; on Linux use `xclip -selection clipboard` or `wl-copy` instead):

```
gpg --armor --export [insert key fingerprint here] | pbcopy
```

N.B. The above command uses `--export`, not `--export-secret-key` - we do not want to publicly share our private key. Before pasting, check that the clipboard contents start with `-----BEGIN PGP PUBLIC KEY BLOCK-----`; if they start with `-----BEGIN PGP PRIVATE KEY BLOCK-----`, you have exported the wrong thing and must not paste it anywhere public.
You can use either (or both) of these keyservers:

- https://keyserver.ubuntu.com/#submitKey - this has been the more reliable of the two, and its search works, so you can confirm the upload by searching for the key id
- https://pgp.mit.edu/ - Maven Central seems to be checking keys with this keyserver

PGP keyservers are supposed to synchronise with each other, so wherever you publish the key it should eventually make it to the keyserver that Maven Central is checking with - but for the time being, publishing to pgp.mit.edu may get the key available sooner.
3. Store the private key in a GitHub secret

Execute this command to get the private key copied into your clipboard:

```
gpg --armor --export-secret-key [insert key fingerprint here] | pbcopy
```

This can then be pasted into a GitHub secret. Paste the whole armored block, including the `-----BEGIN PGP PRIVATE KEY BLOCK-----` and `-----END PGP PRIVATE KEY BLOCK-----` lines.
Guardian developers: We use the organisation-level GitHub secret `AUTOMATED_MAVEN_RELEASE_PGP_SECRET` - as it's organisation-level, only an owner of our GitHub organisation can update it or change which repositories are allowed to use it.
4. Remove the unprotected private key from your machine

As the private key had to be made passphrase-less, the copy still sitting in your local keyring is an unprotected signing key for our releases. Either delete it (`gpg --delete-secret-keys [fingerprint]`, or `--delete-secret-and-public-key` to remove both halves) or protect it with a passphrase (`gpg --edit-key [fingerprint]`, then `passwd`). Remember that your clipboard also still holds the armored private key until you copy something else over it.
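The four steps above as one script, added here as an example and not code from gha-scala-library-release-workflow. It differs from the manual procedure in two deliberate ways: the key is generated in a throwaway `GNUPGHOME` (so step 4 becomes deleting that directory rather than editing your personal keyring), and the two exports go to files readable only by you instead of the clipboard, with each file checked to be the right kind of block before you are told where to paste it. It assumes GnuPG 2.1+ (for `--quick-generate-key` and `--pinentry-mode loopback`); the file names `public.asc`/`private.asc` and all function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not part of gha-scala-library-release-workflow: run the four
# rotation steps in an isolated keyring and sanity-check every export before
# it leaves the machine. Assumes GnuPG 2.1+; file and function names are ours.
set -eu

# Maven Central's error names the long key id: the last 16 hex digits of the
# 40-digit fingerprint, in lowercase. Spaces from `gpg --fingerprint` are OK.
key_id_from_fingerprint() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
  case "$fpr" in *[!0-9a-f]*) echo "not a hex fingerprint: $1" >&2; return 1 ;; esac
  [ "${#fpr}" -eq 40 ] || { echo "expected 40 hex digits, got ${#fpr}" >&2; return 1; }
  printf '%s\n' "$fpr" | cut -c 25-40
}

# Classify an armored export so the private key can never go into a
# keyserver form and the public key never into the GitHub secret.
armored_block_kind() {
  if grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$1"; then echo secret
  elif grep -q -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$1"; then echo public
  else echo unknown
  fi
}

# Step 1: generate a passphrase-less key in $GNUPGHOME, print its fingerprint.
generate_release_key() {
  uid=$1
  gpg --batch --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$uid" >/dev/null
  gpg --batch --with-colons --list-secret-keys "$uid" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 2 and 3: write public.asc (for the keyserver web form) and
# private.asc (for the GitHub secret) into $2 with mode 0600, and refuse to
# go on if either file is the wrong kind of block.
export_keys() {
  fpr=$1; outdir=$2
  umask 077
  gpg --batch --armor --export "$fpr" > "$outdir/public.asc"
  gpg --batch --armor --export-secret-keys "$fpr" > "$outdir/private.asc"
  [ "$(armored_block_kind "$outdir/public.asc")" = public ] ||
    { echo "public.asc is not a public key block" >&2; return 1; }
  [ "$(armored_block_kind "$outdir/private.asc")" = secret ] ||
    { echo "private.asc is not a private key block" >&2; return 1; }
}

# Before the secret is uploaded, prove it works the way the workflow will use
# it: import into a fresh keyring and sign with an empty passphrase. A key
# that still carries a passphrase fails here rather than in CI.
check_signs_without_passphrase() {
  home=$(mktemp -d); ok=1
  if GNUPGHOME=$home gpg --batch --quiet --import "$1" &&
     printf 'probe' | GNUPGHOME=$home gpg --batch --pinentry-mode loopback \
       --passphrase '' --armor --detach-sign >/dev/null; then ok=0; fi
  GNUPGHOME=$home gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$home"
  return $ok
}

rotate() {
  uid=$1
  GNUPGHOME=$(mktemp -d); export GNUPGHOME   # isolated keyring, mode 0700
  out=$(mktemp -d)
  fpr=$(generate_release_key "$uid")
  export_keys "$fpr" "$out"
  check_signs_without_passphrase "$out/private.asc"
  echo "fingerprint: $fpr"
  echo "key id (as Maven Central reports it): $(key_id_from_fingerprint "$fpr")"
  echo "step 2: paste $out/public.asc into the keyserver web form"
  echo "step 3: paste $out/private.asc into the GitHub secret"
  echo "step 4: rm -rf $out    # after both pastes; no other copy exists"
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"   # the keyring copy is gone; only $out/private.asc remains
}

case "${1:-}" in
  rotate) rotate "${2:?usage: $0 rotate 'Name <email>'}" ;;
esac
```

Run it as `./rotate-pgp-key.sh rotate "Example Automated Maven Release <release@example.com>"`. The signing probe is the part worth keeping even if you do the rest by hand: it exercises exactly what the workflow will do with the secret (import, then sign non-interactively), so a key that was accidentally given a passphrase, or an export that is missing its subkeys, is caught before the secret is rotated.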