Error: Failed to remove private key #200

Closed
2 of 5 tasks
bbranan opened this issue Jul 30, 2021 · 14 comments
Labels
bug Something isn't working

Comments

@bbranan

bbranan commented Jul 30, 2021

Description:

When attempting to deploy to a maven repository following the configuration documentation [1] the deploy action is successful but the action fails consistently on the "Post" step with output:

Post job cleanup.
Removing private key from keychain
Error: Failed to remove private key

The setup-java code where the attempt to remove the key occurs here: https://github.com/actions/setup-java/blob/v2.0.0/src/cleanup-java.ts. Note that the error is swallowed, making it harder to know why the failure is occurring.

[1] https://github.com/actions/setup-java/blob/main/docs/advanced-usage.md#Publishing-using-Apache-Maven

Task version:

actions/setup-java@v2

Platform:

  • Ubuntu
  • macOS
  • Windows

Runner type:

  • Hosted
  • Self-hosted

Repro steps:
A description with steps to reproduce the issue. If you have a public example or repo to share, please provide the link.

Github actions workflow: https://github.com/duracloud/duracloud-db/blob/4afd1ac05398ff95c6c3ee88734b0bfa2ad2614f/.github/workflows/deploy-snapshot.yml
An example of a failed run: https://github.com/duracloud/duracloud-db/runs/3205773250

Expected behavior:
A description of what you expected to happen.

The GPG key would be removed and the job would complete successfully.

Actual behavior:
A description of what is actually happening.

An error is printed and the step and job are failed.

@bbranan bbranan added bug Something isn't working needs triage labels Jul 30, 2021
@dmitry-shibanov
Contributor

Hello @bbranan. Sorry for the long reply. Does it still reproduce for you?

@bbranan
Author

bbranan commented Aug 19, 2021

Hey @dmitry-shibanov, thanks for following up. I was able to resolve the issue by creating and using a new key. It's still not clear what about the old key kept it from being removed in the action, given that it worked for the code signing step. I would still recommend updating the catch() in https://github.com/actions/setup-java/blob/main/src/cleanup-java.ts to print the error being caught, as that may provide additional information about the problem when/if this issue comes up for others.

@bjhargrave
Contributor

bjhargrave commented Sep 13, 2021

I also suffer from this problem because my project's GitHub repo has been provisioned with a GPG_PRIVATE_KEY secret which only contains a signing subkey without the primary private key. See https://wiki.debian.org/Subkeys especially the section where it discusses removing the primary private key. The issue then is that when the cleanup for the setup-java action goes to delete the key, the --delete-secret-keys command fails for the fingerprint of the installed GPG_PRIVATE_KEY as there is no secret key with that fingerprint.

Here is some example data showing the issue using a private key I created according to the Debian Subkeys article.

~ gpg --batch --import-options import-show --import subkey.key                                                    
sec#  ed25519 2021-09-13 [SC]
      098A3F32AD9899B69806F5B88D6DB9DBDC161CF2
uid                      BJ Hargrave (Signing Subkey) <bj@hargrave.dev>
ssb   cv25519 2021-09-13 [E]
ssb   ed25519 2021-09-13 [S]

gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 8D6DB9DBDC161CF2: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

The imported key has the fingerprint 098A3F32AD9899B69806F5B88D6DB9DBDC161CF2.

Notice the sec# in the output which indicates the primary private key is not present.

So when cleanup for the setup-java action later attempts to --delete-secret-keys, it fails:

~ gpg --batch --yes --delete-secret-keys 098A3F32AD9899B69806F5B88D6DB9DBDC161CF2
gpg: key "098A3F32AD9899B69806F5B88D6DB9DBDC161CF2" not found
gpg: 098A3F32AD9899B69806F5B88D6DB9DBDC161CF2: delete key failed: Not found

Note that --delete-keys works fine and all the keys are now deleted.

~ gpg --batch --yes --delete-keys 098A3F32AD9899B69806F5B88D6DB9DBDC161CF2 
~ gpg --list-keys                                                                
~ gpg --list-secret-keys        

So the cleanup for the action needs to properly handle deleting a GPG_PRIVATE_KEY which only contains a signing subkey without the primary private key. This could be accomplished by ignoring any error from the --delete-secret-keys command and proceeding to the --delete-keys command.

cc: @mbarbero

@bjhargrave
Contributor

Further reading led me to the option --delete-secret-and-public-key which means both the secret key and public keys can be deleted in a single operation.

~ gpg --batch --yes --delete-secret-and-public-key 098A3F32AD9899B69806F5B88D6DB9DBDC161CF2   
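
The fallback proposed in the comments above, as an added TypeScript example that is not part of the thread or of the setup-java source: it attempts `--delete-secret-keys`, records a failure with gpg's own message instead of swallowing it, and still proceeds to `--delete-keys`. `removeImportedKey`, `GpgRunner`, `Keyring` and `fakeGpg` are hypothetical names, and `fakeGpg` is a constructed stand-in for the gpg binary that models only the behaviour shown in the session output above.

```typescript
// Added example, not code from actions/setup-java. All names are hypothetical;
// fakeGpg is a constructed stand-in for gpg so the logic runs offline.
type GpgResult = { exitCode: number; stderr: string };
type GpgRunner = (args: string[]) => GpgResult;
type Keyring = Map<string, { primarySecret: boolean }>;

// A failed secret-key delete is recorded, not swallowed and not fatal: a
// subkey-only import (sec#) has no primary secret key under that fingerprint.
function removeImportedKey(fingerprint: string, gpg: GpgRunner): string[] {
  if (!/^[0-9A-F]{40}$/.test(fingerprint)) {
    throw new Error('expected a 40-hex-digit key fingerprint');
  }
  const warnings: string[] = [];
  const secret = gpg(['--batch', '--yes', '--delete-secret-keys', fingerprint]);
  if (secret.exitCode !== 0) {
    warnings.push(`--delete-secret-keys exited ${secret.exitCode}: ${secret.stderr}`);
  }
  const pub = gpg(['--batch', '--yes', '--delete-keys', fingerprint]);
  if (pub.exitCode !== 0) {
    throw new Error(`Failed to remove key: gpg exited ${pub.exitCode}: ${pub.stderr}`);
  }
  return warnings;
}

// Constructed model: --delete-secret-keys reports "Not found" without a primary
// secret key; --delete-keys is refused while a primary secret key is present.
function fakeGpg(keyring: Keyring): GpgRunner {
  const ok: GpgResult = { exitCode: 0, stderr: '' };
  return (args: string[]): GpgResult => {
    const op = args[args.length - 2] ?? '';
    const fpr = args[args.length - 1] ?? '';
    const key = keyring.get(fpr);
    const notFound = { exitCode: 2, stderr: `gpg: ${fpr}: delete key failed: Not found` };
    if (!key) return notFound;
    if (op === '--delete-secret-keys') {
      if (!key.primarySecret) return notFound;
      key.primarySecret = false;
      return ok;
    }
    if (op === '--delete-keys' && !key.primarySecret) {
      keyring.delete(fpr);
      return ok;
    }
    return { exitCode: 2, stderr: `gpg: ${fpr}: delete key failed` };
  };
}

const PAGE_FPR = '098A3F32AD9899B69806F5B88D6DB9DBDC161CF2'; // fingerprint from the thread
const subkeyOnly: Keyring = new Map([[PAGE_FPR, { primarySecret: false }]]); // constructed sec# state
const demoWarnings = removeImportedKey(PAGE_FPR, fakeGpg(subkeyOnly));
```

In a real post-job step the `GpgRunner` would wrap the actual gpg process, and the returned warnings would go to the job log.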

@bbranan
Author

bbranan commented Sep 13, 2021

Good catch @bjhargrave! I can confirm that the key I was using initially (that failed) was a subkey. The new key I created (that works) is a primary key. Your explanation makes sense of the failure I was seeing and the reason why the new key would work.

@JarvisCraft

Having the same issue here: https://github.com/JarvisCraft/padla/runs/3640842927?check_suite_focus=true

While using the following configuration: https://github.com/JarvisCraft/padla/blob/development/.github/workflows/deploy-snapshot.yml

The suggested PR (#226) seems to be the fix for it.

@dmitry-shibanov
Contributor

Hello @bbranan @bjhargrave. Thank you for your contributions. We appreciate it.
Could you please confirm that everything works as expected for you? Could you please, for testing purposes, specify actions/setup-java@v2 -> actions/setup-java@main.

@JarvisCraft

JarvisCraft commented Sep 28, 2021

Hello @bbranan @bjhargrave. Thank you for your contributions. We appreciate it. Could you please confirm that everything works as expected for you? Could you please, for testing purposes, specify actions/setup-java@v2 -> actions/setup-java@main.

I can confirm that this fix works:
Successful run with main as the version
Previous broken run with v2.3.0 as the version

Now just waiting for the fix to be released under a tag!

@bjhargrave
Contributor

Could you please confirm that everything works as expected for you?

I can confirm that it works for me also. https://github.com/eclipse/transformer/actions/runs/1263929181

@bbranan
Author

bbranan commented Sep 28, 2021

I'm no longer in a good position to test this as my environment has changed since submitting this ticket, but given the success reported by @bjhargrave and @JarvisCraft I can only conclude that this issue has been resolved by the combination of #220 and #226.

@dmitry-shibanov
Contributor

Hello everyone. Thank you for all your responses! We appreciate it. We released a new version of the action.
For now I'm closing the issue. If you have any concerns, feel free to ping us.

@steventamm

@dmitry-shibanov I'm still getting this error in salesforce/formula-engine, but I just started using it. Is there a way to get a better error message than this?

Post job cleanup.
Removing private key from keychain
Error: Failed to remove private key due to: The process '/usr/bin/gpg' failed with exit code 2

@dmitry-shibanov
Contributor

Hello @steventamm. Actually, we added the error message to the core.setFailed command in this pull request. I think it is the full error message you can get in your case.
Could you please provide a public repository to reproduce the issue and investigate it deeper?
