Merge pull request #53 from adangel/gpg-configuration

Rework gpg configuration

.github/workflows/build.yml

@@ -55,4 +55,6 @@ jobs:
       shell: bash
       env:
         PMD_CI_SECRET_PASSPHRASE: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}
+        PMD_CI_GPG_PRIVATE_KEY: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}
+        MAVEN_GPG_PASSPHRASE: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -243,12 +243,15 @@ Used global vars:
 *   PMD_CI_SECRET_PASSPHRASE: This is provided as a github secret
     (`PMD_CI_SECRET_PASSPHRASE: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}`) in github actions workflow.
     It is used to decrypt further secrets used by other scripts (github releases api, ...)
+*   PMD_CI_GPG_PRIVATE_KEY: The exported private key used for release signing, provided as a secret
+    (`PMD_CI_GPG_PRIVATE_KEY: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}`) in github actions workflow.
 
 Test with:
 
 ```
 bash -c 'set -e; \
          export PMD_CI_SECRET_PASSPHRASE=.... ; \
+         export PMD_CI_GPG_PRIVATE_KEY=.... ; \
          export PMD_CI_DEBUG=false ; \
          source inc/setup-secrets.bash ; \
          pmd_ci_setup_secrets_private_env ; \
@@ -456,12 +459,6 @@ export PMD_CI_SECRET_PASSPHRASE=...
 export CI_DEPLOY_USERNAME=...
 export CI_DEPLOY_PASSWORD=...
 
-# CI_SIGN_KEYNAME - GPG key used to sign the release jars before uploading to maven central
-# CI_SIGN_PASSPHRASE
-# the passphrase is also used for the keystore password in pmd-eclipse-plugin for JAR signing.
-export CI_SIGN_KEYNAME=...
-export CI_SIGN_PASSPHRASE=...
-
 export PMD_SF_USER=...
 # https://sourceforge.net/p/forge/documentation/Using%20the%20Release%20API/
 export PMD_SF_APIKEY=...
@@ -485,57 +482,6 @@ export GEM_HOST_API_KEY=...
 export PMD_CI_CHUNK_TOKEN=...
 ```
 
-### release-signing-key-D0BF1D737C9A1C22.asc
-
-Export the private key as "release-signing-key-D0BF1D737C9A1C22" and encrypt it with PMD_CI_SECRET_PASSPHRASE:
-
-```
-printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
-  --passphrase-fd 0 \
-  release-signing-key-D0BF1D737C9A1C22
-```
-
-The public key is available here:
-* <https://keys.openpgp.org/search?q=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22>
-* <https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&op=index>
-* <http://pgp.mit.edu/pks/lookup?search=0xD0BF1D737C9A1C22&fingerprint=on&op=index>
-
-And in the file `release-signing-key-D0BF1D737C9A1C22-public.asc`.
-
-**Updating the key:**
-
-From time to time the key needs to be renewed. Import the private and public key into your local gpg keystore
-and renew it. Make sure to renew all subkeys. Then export it again.
-
-*Note:* The private key is additionally secured by a passphrase - see "CI_SIGN_PASSPHRASE".
-
-You can verify the expiration date with `gpg --fingerprint --list-sigs D0BF1D737C9A1C22`:
-
-```
-pub   rsa4096 2019-12-16 [SC] [expires: 2025-12-31]
-      EBB2 41A5 45CB 17C8 7FAC  B2EB D0BF 1D73 7C9A 1C22
-uid           [ultimate] PMD Release Signing Key <[email protected]>
-sig 3        D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <[email protected]>
-sig 3        93450DF2DF9A3FA3 2019-12-16  Andreas Dangel <[email protected]>
-sig 3        D0BF1D737C9A1C22 2019-12-16  PMD Release Signing Key <[email protected]>
-sig 3        D0BF1D737C9A1C22 2020-11-02  PMD Release Signing Key <[email protected]>
-sub   rsa4096 2019-12-16 [E] [expires: 2025-12-31]
-sig          D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <[email protected]>
-```
-
-Upload the exported *public* key to
-
-* <https://keys.openpgp.org/upload>
-* <https://keyserver.ubuntu.com/#submitKey>
-* <http://pgp.mit.edu/>
-
-Verify the uploaded key expiration date:
-
-`gpg --show-keys release-signing-key-D0BF1D737C9A1C22-public.asc`
-`curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22' | gpg --show-keys`
-`curl 'https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&exact=on&options=mr&op=get' | gpg --show-keys`
-`curl 'http://pgp.mit.edu/pks/lookup?op=get&search=0xD0BF1D737C9A1C22' | gpg --show-keys`
-
 ### pmd.github.io_deploy_key.asc
 
 Created with `ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions to push to pmd.github.io" -f pmd.github.io_deploy_key`.
@@ -610,12 +556,8 @@ Note: The same key is used to push to "git.code.sf.net" as user "PMD_SF_USER".
 
 ### maven-settings.xml
 
-The maven-settings.xml file contains a profile `sign`, which brings in the configuration for
-`maven-gpg-plugin` to sign the artifacts prior to uploading it to maven central. The configuration
-comes in via environment variables: `CI_SIGN_KEYNAME` and `CI_SIGN_PASSPHRASE`.
-
-It also contains the credentials for uploading the artifacts to maven-central for the server `ossrh`. Again,
-the actual configuration comes in via environment variables: `CI_DEPLOY_USERNAME` and `CI_DEPLOY_PASSWORD`.
+It contains the credentials for uploading the artifacts to maven-central for the server `ossrh`.
+The actual configuration comes in via environment variables: `CI_DEPLOY_USERNAME` and `CI_DEPLOY_PASSWORD`.
 
 ## Testing
 
@@ -671,6 +613,90 @@ you would need to manually publish the staging repo. See also the section below
 
 ## Miscellaneous
 
+### Release Signing Keys
+
+For signing the artifacts, that are published in Maven Central, we use GPG. The key fingerprint
+is `EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22`:
+
+```
+pub   rsa4096/D0BF1D737C9A1C22 2019-12-16 [SC] [expires: 2025-12-31]
+      EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22
+uid                 [ultimate] PMD Release Signing Key <[email protected]>
+sub   rsa4096/1DAA314BF520D0A8 2019-12-16 [E] [expires: 2025-12-31]
+```
+
+The public key is available here:
+* <https://keys.openpgp.org/search?q=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22>
+* <https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&op=index>
+* <http://pgp.mit.edu/pks/lookup?search=0xD0BF1D737C9A1C22&fingerprint=on&op=index>
+
+And in the file `release-signing-key-D0BF1D737C9A1C22-public.asc`.
+
+**Private key:**
+
+The corresponding private key is configured as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
+for GitHub Action on the organization level. This means, the secret is available for all repositories.
+The secret name is `PMD_CI_GPG_PRIVATE_KEY`.
+
+For setting up, export the secret key and copy-paste it into a new secret:
+
+```
+gpg --armor --export-secret-key EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22 | wl-copy
+```
+
+(instead of wl-copy, use xclip or pbcopy, depending on your os).
+
+This private key will be imported by the script `setup-secrets.bash`.
+
+Note 1: In order to use the key later on, the passphrase is needed. This is also setup as a secret:
+`PMD_CI_GPG_PASSPHRASE`. This secret is then exported as "MAVEN_GPG_PASSPHRASE" where needed
+(`MAVEN_GPG_PASSPHRASE: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}`) in github actions workflows.
+See also <https://maven.apache.org/plugins/maven-gpg-plugin/usage.html#sign-artifacts-with-gnupg>.
+
+
+Note 2: The private key is now only secured by the passphrase. It is stored as a GitHub Actions
+secret and temporarily written to a file in order to import it. It is not anymore committed in
+this build-tools repository and is therefore not encrypted with another key (e.g. PMD_CI_SECRET_PASSPHRASE). 
+
+**Updating the key:**
+
+From time to time the key needs to be renewed, passphrase needs to be changed or a whole key needs to
+be replaced.
+
+For renewing or changing the passphrase, import the private and public key into your local gpg keystore
+and renew it. Make sure to renew all subkeys. Then export it again.
+
+For replacing, generate a new key, just export it.
+
+You can verify the expiration date with `gpg --fingerprint --list-sigs D0BF1D737C9A1C22`:
+
+```
+pub   rsa4096 2019-12-16 [SC] [expires: 2025-12-31]
+      EBB2 41A5 45CB 17C8 7FAC  B2EB D0BF 1D73 7C9A 1C22
+uid           [ultimate] PMD Release Signing Key <[email protected]>
+sig 3        D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <[email protected]>
+sig 3        93450DF2DF9A3FA3 2019-12-16  Andreas Dangel <[email protected]>
+sig 3        D0BF1D737C9A1C22 2019-12-16  PMD Release Signing Key <[email protected]>
+sig 3        D0BF1D737C9A1C22 2020-11-02  PMD Release Signing Key <[email protected]>
+sub   rsa4096 2019-12-16 [E] [expires: 2025-12-31]
+sig          D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <[email protected]>
+```
+
+Upload the exported *public* key to
+
+* <https://keys.openpgp.org/upload>
+* <https://keyserver.ubuntu.com/#submitKey>
+* <http://pgp.mit.edu/>
+
+Verify the uploaded key expiration date:
+
+`gpg --show-keys release-signing-key-D0BF1D737C9A1C22-public.asc`
+`curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22' | gpg --show-keys`
+`curl 'https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&exact=on&options=mr&op=get' | gpg --show-keys`
+`curl 'http://pgp.mit.edu/pks/lookup?op=get&search=0xD0BF1D737C9A1C22' | gpg --show-keys`
+
+Don't forget to update the secret `PMD_CI_GPG_PRIVATE_KEY` with the renewed private key.
+
 ### Nexus Staging Maven Plugin
 
 See <https://github.com/sonatype/nexus-maven-plugins/tree/master/staging/maven-plugin>.

pom.xml

@@ -314,6 +314,9 @@
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-gpg-plugin</artifactId>
                         <version>3.2.7</version>
+                        <configuration>
+                            <bestPractices>true</bestPractices>
+                        </configuration>
                         <executions>
                             <execution>
                                 <id>sign-artifacts</id>

scripts/files/maven-settings.xml

@@ -18,14 +18,6 @@
   </servers>
   <mirrors/>
   <proxies/>
-  <profiles>
-    <profile>
-      <id>sign</id>
-      <properties>
-        <gpg.keyname>${env.CI_SIGN_KEYNAME}</gpg.keyname>
-        <gpg.passphrase>${env.CI_SIGN_PASSPHRASE}</gpg.passphrase>
-      </properties>
-    </profile>
-  </profiles>
+  <profiles/>
   <activeProfiles/>
 </settings>

scripts/files/private-env.asc

@@ -1,27 +1,24 @@
 -----BEGIN PGP MESSAGE-----
 
-jA0ECQMCgVuYgIIBDf3/0uoBmhLe1KXWqRzf//ULiAUtSM3IBBVWr7qAube7aocf
-DWASvt8Fs9Au2Yy1FzjFvHGxdJ4H46m1IosMoZW5j9G86Q8Lik+1BkgeDh7yyw5u
-AJy+8rqfw8hvDjSUJdyx1a1EB47d2DypIXZldeDy/0K8Q+E+CJAKyU2r3sErcT/P
-2n/Q0HZfZQMugaRInCAAqqFkbmLWOAu16CDz7qy5uf/NjrvZPxRp/e2IDaVxDVJf
-UHk+8dOW6IxinLXMRV8G37RUUl4n3ZFbzI1HLD4TVMMEpQeuY19vlgRWzrshzhfM
-DskqWgIvhzOfKWhgbp0Y1GDBQCmOVcJTjv7EKsqr4HANqtOi9RmN/fWyloWizewA
-nvkSjhNvKQ4mpqbzemwV4q1eQHXtrw8bT36cSBEMeWXPCHDayyO8CfbF4Zj3zFG6
-iu0DUVZtxQMGHAGzIuG8v45MuYP6AKXlaJJz9JNNl1p3Tc7C2zvAv0yTTvdXWUC+
-0zMgNju89cfQjBZnLDSblgwSlar/Cqw9Os4A9f4mFxqUUEnGFj2LuUPL4G1xfPIs
-AiVvMkGZPRpFTlSk5jSop2Dw92SXhDjHhorYneSsUbLjZ9o6t9f2FTk8yHBCdjPQ
-v8fEPY2Xf5TRP3XyIRqj8QB5TN8ZhThCQ5U/7ouJsqR7wOltKp6QQrM+h6jaKefI
-VSolOgFsEiUIhrVPVNcSBRtlmf5JoXo4dGHXtZKUH7FwBzggcZGoIhFaSoqWnYwW
-1Jov4TvkkdluQliSaxPewAcAAVGEekdcisXr3ugcHoweuDQpqpd9vb7w3S3+m2Kg
-W9OzWhKIZadYv2a/5l3QQjw7LOqIbuRmBvmwDciLTETkZSb8l39DkmZ2OsEQr8xX
-aEAY3R/uFNVv5c/WGXJh/+extSYC6mFpWXCE0lda8jwSImJlHtwxiM3o4zxqJO6D
-LUysGUfis170uUaBDv+vJMhWyICutSWCAbGg0Qml5/zdok/kZ5A7zHb510dJRK7q
-ZHCNvD5qww7eOK5qT+98kLK/2BY7m4t2mv32xvoz1N+a1CRbMBfvrgFNpC0WIbjc
-WA/vYQPzz/EUOLkGokk0iNrkOVBOTzcX1bLOY68dPEnudrQE0+gRzMAOz2kkP6kd
-2p5xmmDukM2p9+5f1M6HjpGTHHcu+ARrAviQ0KV6fjCnF/A59ceRU6EwHBmjTu6t
-GUVL1nu0K5SsYYCMa/FNL8x+hJbGmRri9CUGjE/mgxqPejE2DaQRs7TnJ4uoIKZR
-fi1JYFN3AYwKYimpg23VfoTpn+hOwxQDRnT6wHS4qWAEgmQTimZDJaE+TbLhzVZn
-XRPpvzXmUYSmuJpKhlScCTP383eN3K8fu4oJl6csE8qbOYoIjBWRt0F4rkHfwkq5
-Si8GGdIJCcnactW/zd//WemtiC+2FVK5Hx88KQFV1WlDoeMkXBQcxP6EQA==
-=5elG
+jA0ECQMC1rX2OnC4kM3/0ukB8X+sMFob8hUO32BTsp9Hxgrbwx4oi+IQtW0mtHDq
+cDAxnRMliqdNqNJL9BUK3WyMCAyLdrP2tA1HOdxLzdLoF+2HgClZqUYZ2CKKCSnr
+ALykv+MJ1A3rgNJ786IcpaWLSsrVVj8tBrCB3cVVIhN4nJJ4Z6hHpHk8KILbxAXD
+kIIEYIAfHHgoCuHvtn2m/iIGOjsZuDwY5hI0zZk+D+IVekGBnIP7v/aBdw2odKiY
+c0BnPdBZtgKBz7I0QpUPg0cNaAE0pfgL58smFmRANUFRDn7TdKv7OL+jEAx9Ya6l
+1iwDojHSF+8FtKWw08272wmcGcsFefQ1DiceTf/pEKiC2zaUpzWlSPTVyV8/MVq7
+Qi085NO2GigaorUpfJT1QPqGVM7fHof5Y+5AqRqPXsZGXyVQi4FUlFSY1hYPp5Hx
+vL5Ts7poNjh8Zgy6Llgfx3ErzhO0kuVbaSlJKZeCkTZB+21Bgl6VDFDqPi/Dv+gd
+5mOClpzE44aayHLbg/BbyCdaj1rMi8OZbxEJmqtvVidGl05HmxAaRhxY9/bbpVkq
+z8kz/gg4bPeiiKA3rg3G10Lwj9UwaPsAAppn2pQU3CGvjOSBfPV60HunRPsPwVdj
+25M38FbCDw734VVKm796cIqu+DUEXIH2nTjJ0gkvc11PTxGOs93DjOEJizgzeNw5
+R8Dm25J9OjjWv4Yjos1H22VAa2YUj6MO8exx5v+rUfHBf6Mk1c0Y67K1E8p3pq7/
+8wnkBKvH+TlTos315mZyXZ5jMwGQYJbY4JW7ukiHDNmN5Xmm/pZkBa/GId+hLmhV
+uP0285H0VMDzsQRIVpDPuoguae2Yvm4AHQxYQGjxCmcU5e4AIipYkSYwsQYMZb5/
+oQPXBnL4N3yxtV5/pl3KGHaLKioE1LXuBooOAsk8/Pc2nBxI6tXjjZ3IgI2Rf0kR
+qU8dzrMC1PGPm48l+jQaj2AQN86p9P1UN1bwUUO7tVx4lk/7CTLvDG72hx8TxHtg
+EjGtoT7rXdMypbcwIAWYqr2GD49Ig1naefl3NvXwpFwJekw9H3c6lxQv4D9H+ZY0
+8G2iAQik2ztcFEm5X70vR+RSstjKsvv+Vub6fQHSFJ06RQi8NRUcq2ctJZByJdbs
+hb+6f4ezx+ahwC3W+vYrLGAbePU2KN4vOO3V7nfWR0tpXVBwflkHJfSc4GIu0wf4
+ggXMeWxS37tPdvhsdFCAvv8wuyynEVOzF9U4WgH79hg9KSLJpQhp0qQ=
+=BdYe
 -----END PGP MESSAGE-----