Gradle signArchives 无法读取密钥
Gradle signArchives unable to read Secret Key
我正在尝试将我的 Java 库发布到 Maven Central。其中一部分涉及使用 signing gradle 插件对工件进行签名。我需要在不使用密钥环文件 as document here 的情况下对其进行签名,因为我无法提供对密钥环文件的 CI 安全访问。
然而,当我这样做时,我的构建失败了:
FAILURE: Build failed with an exception.
* What went wrong:
Could not evaluate onlyIf predicate for task ':signArchives'.
> Could not read PGP secret key
我做错了什么?我想这与我的 GPG_SIGNING_KEY 有关。
我使用了 gpg --list-secret-keys --keyid-format LONG 的响应中的完整私钥。这不对吗?
我的build.gradle
apply plugin: 'java'
apply plugin: 'signing'
apply plugin: 'maven'
apply from: 'publish.gradle'
sourceCompatibility = 1.8
repositories {
mavenCentral()
}
dependencies {
compile group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.3'
testCompile 'junit:junit:4.11'
}
task Wrapper(type: Wrapper) {
gradleVersion = '5.6.2'
}
我的publish.gradle
apply plugin: 'maven'
apply plugin: 'signing'
def isReleaseBuild() {
return !VERSION.contains("SNAPSHOT")
}
def getReleaseRepositoryUrl() {
return 'https://oss.sonatype.org/service/local/staging/deploy/maven2/'
}
def getSnapshotRepositoryUrl() {
return 'https://oss.sonatype.org/content/repositories/snapshots/'
}
afterEvaluate { project ->
uploadArchives {
repositories {
mavenDeployer {
beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) }
repository(url: getReleaseRepositoryUrl()) {
def ossrhUsername = OSSRH_USERNAME
def ossrhPassword = OSSRH_PASSWORD
authentication(userName: ossrhUsername, password: ossrhPassword)
}
snapshotRepository(url: getSnapshotRepositoryUrl()) {
def ossrhUsername = OSSRH_USERNAME
def ossrhPassword = OSSRH_PASSWORD
authentication(userName: ossrhUsername, password: ossrhPassword)
}
pom.groupId = GROUP_ID
pom.artifactId = ARTIFACT_ID
pom.version = VERSION
pom.project {
name ARTIFACT_ID
packaging PROJECT_PACKAGING
description PROJECT_DESCRIPTION
url PROJECT_URL
scm {
url SCM_URL
connection SCM_CONNECTION
}
licenses {
license {
name LICENSE_NAME
url LICENSE_URL
}
}
organization {
name = ORGANIZATION_NAME
url = ORGANIZATION_URL
}
developers {
developer {
id DEVELOPER_ID
name DEVELOPER_NAME
email DEVELOPER_EMAIL
}
}
}
}
}
signing {
required { isReleaseBuild() && gradle.taskGraph.hasTask("uploadArchives") }
def signingKey = GPG_SIGNING_KEY
def signingPassword = GPG_SIGNING_PASSWORD
useInMemoryPgpKeys(signingKey, signingPassword)
sign configurations.archives
}
task javadocJar(type: Jar) {
classifier = 'javadoc'
from javadoc
}
task sourcesJar(type: Jar) {
classifier = 'sources'
from sourceSets.main.allSource
}
artifacts {
archives javadocJar, sourcesJar
}
}
}
和 gradle.properties
RELEASE_REPOSITORY_URL='https://oss.sonatype.org/service/local/staging/deploy/maven2/'
SNAPSHOT_REPOSITORY_URL='https://oss.sonatype.org/content/repositories/snapshots/'
GPG_SIGNING_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GPG_SIGNING_PASSWORD=the password used to encrypt the key
OSSRH_USERNAME=my ossrh username
OSSRH_PASSWORD=my ossrh password
VERSION=1.0.0
GROUP_ID=com.example
ARTIFACT_ID=project-name
PROJECT_PACKAGING=...
PROJECT_DESCRIPTION=...
PROJECT_URL=...
SCM_URL=...
SCM_CONNECTION=...
LICENSE_NAME=Apache License, Version 2.0
LICENSE_URL=...
ORGANIZATION_NAME=...
ORGANIZATION_URL=...
DEVELOPER_ID=...
DEVELOPER_NAME=...
DEVELOPER_EMAIL=...
如您所料,此处错误的是 PGP 密钥的格式。 useInMemoryPgpKeys 方法需要一个“ascii-armored in-memory PGP secret key”。 gpg --list-secret-keys 仅供人类使用,甚至不显示密钥的“内容”。
您可以使用 gpg --armor --export-secret-keys foobar@example.com 获取正确格式的密钥。使用您自己的密钥 ID(由 gpg --list-secret-keys 返回)或电子邮件地址而不是 foobar@example.com.
要在gradle.properties 文件中使用导出的密钥,您需要转义换行符。例如,您可以像这样为 GPG_SIGNING_KEY 属性 添加一个新的工作行:
gpg --armor --export-secret-keys foobar@example.com \
| awk 'NR == 1 { print "GPG_SIGNING_KEY=" } 1' ORS='\n' \
>> gradle.properties
(有关此处使用的主要 awk 魔法的解释,请参见 this answer。)
根据描述更新您的 gradle.properties 文件(并使用您的构建脚本),我可以使用 ./gradlew signArchives.
成功签署我的虚拟 JAR 文件
我正在尝试将我的 Java 库发布到 Maven Central。其中一部分涉及使用 signing gradle 插件对工件进行签名。我需要在不使用密钥环文件 as document here 的情况下对其进行签名,因为我无法提供对密钥环文件的 CI 安全访问。
然而,当我这样做时,我的构建失败了:
FAILURE: Build failed with an exception.
* What went wrong:
Could not evaluate onlyIf predicate for task ':signArchives'.
> Could not read PGP secret key
我做错了什么?我想这与我的 GPG_SIGNING_KEY 有关。
我使用了 gpg --list-secret-keys --keyid-format LONG 的响应中的完整私钥。这不对吗?
我的build.gradle
apply plugin: 'java'
apply plugin: 'signing'
apply plugin: 'maven'
apply from: 'publish.gradle'
sourceCompatibility = 1.8
repositories {
mavenCentral()
}
dependencies {
compile group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.5.3'
testCompile 'junit:junit:4.11'
}
task Wrapper(type: Wrapper) {
gradleVersion = '5.6.2'
}
我的publish.gradle
apply plugin: 'maven'
apply plugin: 'signing'
def isReleaseBuild() {
return !VERSION.contains("SNAPSHOT")
}
def getReleaseRepositoryUrl() {
return 'https://oss.sonatype.org/service/local/staging/deploy/maven2/'
}
def getSnapshotRepositoryUrl() {
return 'https://oss.sonatype.org/content/repositories/snapshots/'
}
afterEvaluate { project ->
uploadArchives {
repositories {
mavenDeployer {
beforeDeployment { MavenDeployment deployment -> signing.signPom(deployment) }
repository(url: getReleaseRepositoryUrl()) {
def ossrhUsername = OSSRH_USERNAME
def ossrhPassword = OSSRH_PASSWORD
authentication(userName: ossrhUsername, password: ossrhPassword)
}
snapshotRepository(url: getSnapshotRepositoryUrl()) {
def ossrhUsername = OSSRH_USERNAME
def ossrhPassword = OSSRH_PASSWORD
authentication(userName: ossrhUsername, password: ossrhPassword)
}
pom.groupId = GROUP_ID
pom.artifactId = ARTIFACT_ID
pom.version = VERSION
pom.project {
name ARTIFACT_ID
packaging PROJECT_PACKAGING
description PROJECT_DESCRIPTION
url PROJECT_URL
scm {
url SCM_URL
connection SCM_CONNECTION
}
licenses {
license {
name LICENSE_NAME
url LICENSE_URL
}
}
organization {
name = ORGANIZATION_NAME
url = ORGANIZATION_URL
}
developers {
developer {
id DEVELOPER_ID
name DEVELOPER_NAME
email DEVELOPER_EMAIL
}
}
}
}
}
signing {
required { isReleaseBuild() && gradle.taskGraph.hasTask("uploadArchives") }
def signingKey = GPG_SIGNING_KEY
def signingPassword = GPG_SIGNING_PASSWORD
useInMemoryPgpKeys(signingKey, signingPassword)
sign configurations.archives
}
task javadocJar(type: Jar) {
classifier = 'javadoc'
from javadoc
}
task sourcesJar(type: Jar) {
classifier = 'sources'
from sourceSets.main.allSource
}
artifacts {
archives javadocJar, sourcesJar
}
}
}
和 gradle.properties
RELEASE_REPOSITORY_URL='https://oss.sonatype.org/service/local/staging/deploy/maven2/'
SNAPSHOT_REPOSITORY_URL='https://oss.sonatype.org/content/repositories/snapshots/'
GPG_SIGNING_KEY=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
GPG_SIGNING_PASSWORD=the password used to encrypt the key
OSSRH_USERNAME=my ossrh username
OSSRH_PASSWORD=my ossrh password
VERSION=1.0.0
GROUP_ID=com.example
ARTIFACT_ID=project-name
PROJECT_PACKAGING=...
PROJECT_DESCRIPTION=...
PROJECT_URL=...
SCM_URL=...
SCM_CONNECTION=...
LICENSE_NAME=Apache License, Version 2.0
LICENSE_URL=...
ORGANIZATION_NAME=...
ORGANIZATION_URL=...
DEVELOPER_ID=...
DEVELOPER_NAME=...
DEVELOPER_EMAIL=...
如您所料,此处错误的是 PGP 密钥的格式。 useInMemoryPgpKeys 方法需要一个“ascii-armored in-memory PGP secret key”。 gpg --list-secret-keys 仅供人类使用,甚至不显示密钥的“内容”。
您可以使用 gpg --armor --export-secret-keys foobar@example.com 获取正确格式的密钥。使用您自己的密钥 ID(由 gpg --list-secret-keys 返回)或电子邮件地址而不是 foobar@example.com.
要在gradle.properties 文件中使用导出的密钥,您需要转义换行符。例如,您可以像这样为 GPG_SIGNING_KEY 属性 添加一个新的工作行:
gpg --armor --export-secret-keys foobar@example.com \
| awk 'NR == 1 { print "GPG_SIGNING_KEY=" } 1' ORS='\n' \
>> gradle.properties
(有关此处使用的主要 awk 魔法的解释,请参见 this answer。)
根据描述更新您的 gradle.properties 文件(并使用您的构建脚本),我可以使用 ./gradlew signArchives.