Use GPG private key within GitHub Actions and Setup Java SDK #91

Closed
BrightRan opened this issue Aug 14, 2020 · 11 comments

@BrightRan

BrightRan commented Aug 14, 2020

Associated community ticket: https://github.community/t/use-gpg-private-key-within-github-actions-and-setup-java-sdk/127133

The customer is trying to publish his Java package to the Maven Central Repository and GitHub Packages in a GitHub Actions workflow. He is authenticating with the GPG key to publish the package.
He refers to the examples mentioned in "Publishing Java packages with Maven" and the README of the setup-java action to set up the workflow.
But he gets the following errors:

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project ***: Unable to decrypt gpg passphrase: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /home/runner/.m2/settings-security.xml (No such file or directory) -> [Help 1]

OR

gpg: signing failed: Inappropriate ioctl for device

@bissim

bissim commented Aug 14, 2020

According to issue #43 and related PR (#63), @jaredpetersen should be the most qualified person to solve this issue.

@bissim

bissim commented Aug 14, 2020

As per @AirQuick's answer in #43, the problem is to configure the Maven GPG plugin by inserting this snippet:

            <configuration>
              <!-- Prevent gpg from using pinentry programs -->
              <gpgArguments>
                <arg>--pinentry-mode</arg>
                <arg>loopback</arg>
              </gpgArguments>
            </configuration>

Again, thank you @BrightRan for your concern, this issue can be closed.

On a side note: @konradpabjan @jaredpetersen please properly document this mandatory configuration.

@jaredpetersen
Contributor

jaredpetersen commented Aug 14, 2020

I don't think it's setup-java's responsibility to document this. If you're using the GPG signing plugin, you should already know to add this configuration to your POM (just like you should already know that you need to add the maven GPG plugin to your POM).

While it's not in the Maven plugin's README (an oversight on their part), it's the first thing that comes up when you search for maven gpg: signing failed: Inappropriate ioctl for device.

If we add a blurb in about this, there is a risk that the plugin or GPG will be updated to remedy this at some point and our documentation will be out of date. Additionally, this is only needed for certain versions of GPG (2.1+ I believe). I think some of the hosted runners (Windows?) are even on 2.0 so the extra configuration doesn't hurt but is unnecessary. Self-hosted runners are another thing.

@bissim

bissim commented Aug 15, 2020

Of course I am aware of maven GPG plugin, since I was following Sonatype guide to release to Central that was written thinking about a manual deploy.

setup-java should instead document this since runners have no tty and gpg wasn't probably designed to work on such systems, hence requiring additional configuration than a manual deploy.

About the result search, you should keep in mind that users like me that are struggling with their first automated package release on Central may not immediately find solutions to their problems: of course, I looked for the gpg error but I made the fatal mistake not to include the 'maven' word in my search key. Therefore, to counter your implicit assumption that I'm an idiot, I reply that I'm just a newbie trying to learn stuff.

What's the problem in adding a few lines in the README anyway? Should GPG be updated to natively support environments with no tty (and I doubt it will happen), one can swiftly amend the README.

@royi-frontegg

If we're on that matter... I have a similar issue.
After adding the arguments as stated previously and importing the private key, I ran maven-release-plugin (which in turn runs gpg-plugin) and it fails due to:

[INFO] gpg: WARNING: unsafe permissions on homedir '/home/runner/.gnupg'
[INFO] gpg: cannot open '/dev/tty': No such device or address

I'd love if you could address this issue as well

@yury-s

yury-s commented Dec 17, 2020

I'm still getting the same java.io.FileNotFoundException: /home/runner/.m2/settings-security.xml error even though maven-gpg-plugin has the config mentioned above:

Error:  Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project parent-pom: Unable to decrypt gpg passphrase: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /home/runner/.m2/settings-security.xml (No such file or directory) -> [Help 1]

Here is a full log. Do you guys have any clue what may be wrong?

@royi-frontegg

@yury-s Your config is wrong
gpgPassphrase should be the name of the env var that is going to contain the GPG passphrase
and in the release/deploy stages you need to include that formerly mentioned env var in the env section, and set its value (in your case the secrets.MAVEN_GPG_PASSPHRASE).

This is indeed a confusing way to configure this action
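
The distinction described in the comment above, as an added workflow sketch that is not part of the original thread or the project's own documentation: the `gpg-passphrase` input takes the name of an environment variable, while the secret value is supplied only in the `env` of the step that runs Maven. Every name other than `MAVEN_GPG_PASSPHRASE` (the server id, the other secret and variable names, the trigger) is an assumption, and `actions/setup-java@v1` is used because it was current at the time of the thread.

```yaml
# Added example (assumed names are marked); not taken from the thread.
name: publish
on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Set up Java, Maven settings.xml and the signing key
        uses: actions/setup-java@v1
        with:
          java-version: 1.8
          server-id: ossrh                  # assumed; must match the repository id in the POM
          server-username: MAVEN_USERNAME   # NAME of an env var (assumed), not the username
          server-password: MAVEN_PASSWORD   # NAME of an env var (assumed), not the token
          # The private key itself is passed here, from a secret (assumed secret name):
          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
          # The passphrase is NOT passed here; only the NAME of the env var that will hold it:
          gpg-passphrase: MAVEN_GPG_PASSPHRASE
          # Misconfiguration discussed above (secret value where a name is expected):
          # gpg-passphrase: ${{ secrets.MAVEN_GPG_PASSPHRASE }}

      - name: Sign and deploy
        run: mvn -B deploy
        env:
          # The values are injected only into this step's environment.
          MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
          MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
```

With this layout the generated settings.xml carries only a reference to the environment variable, so the passphrase is not written to the runner's disk and is exposed only to the step that signs.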

@yury-s

yury-s commented Dec 17, 2020

@royi-frontegg thanks for pointing this out, it works now! I shouldn't have edited that part of the config from the official actions/setup-java example.

@dmitry-shibanov
Contributor

Hello, everyone. I'm closing this issue, because documentation was updated in terms of this pull request. If you have any concerns feel free to reopen the issue.
Thanks @bissim @royi-frontegg for help with resolving the issue.

@AirQuick

            <configuration>
              <!-- Prevent gpg from using pinentry programs -->
              <gpgArguments>
                <arg>--pinentry-mode</arg>
                <arg>loopback</arg>
              </gpgArguments>
            </configuration>

This configuration seems no longer necessary on maven-gpg-plugin 3.0.1. (https://issues.apache.org/jira/browse/MGPG-59)
Just FYI.

@dmitry-shibanov
Contributor

Hello @AirQuick. Thank you for the point. We'll think about adding this to documentation.
