[MGPG-112] Upgrading from 3.1.0 to 3.2.0 with no other changes causes "gpg: signing failed: No pinentry"

[jira-importer]

Harald Kuhr opened MGPG-112 and commented

After upgrading to Maven GPG plugin from 3.1.0 to 3.20, the Deploy step of my projects CI failed with the message "gpg: signing failed: No pinentry". 

 

After upgrade to 3.2.0, the deploy step fails the build, while the relevant part of the log says:

 

[INFO] --- maven-gpg-plugin:3.2.0:sign (sign-artifacts) @ twelvemonkeys ---
[INFO] Signer 'gpg' is signing 2 files
gpg: signing failed: No pinentry
gpg: signing failed: No pinentry
...
Error:  Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.2.0:sign (sign-artifacts) on project twelvemonkeys: Exit code: 2 -> [Help 1]

 

After reverting to the working 3.1.0, build and deploy succeeds, the relevant part of the log says:

 

[INFO] --- maven-gpg-plugin:3.1.0:sign (sign-artifacts) @ twelvemonkeys ---
[INFO] Signing 2 files with default secret key.
...
[INFO] BUILD SUCCESS

 

Is this an expected/intended behavior with the 3.2.0 release, and does the plugin need additional/different configuration? If this is the case, can you provide suggestions or workarounds to get the signing working again?

As this is a minor version change, I suspect this is a bug/regression and not intended. I don't find anything in the release notes suggesting a configuration change is required.

Plugin configuration (private key and passphrase is passed using GHA secrets):

 

<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-gpg-plugin</artifactId>
    <version>3.1.0</version>  <!-- fails with 3.2.0 -->
    <configuration>
        <!-- Prevent gpg from using pinentry programs -->
        <gpgArguments>
            <arg>--pinentry-mode</arg>
            <arg>loopback</arg>
        </gpgArguments>
    </configuration>
    <executions>
        <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
                <goal>sign</goal>
            </goals>
        </execution>
    </executions>
</plugin>

 

Full POM for the build: https://github.com/haraldk/TwelveMonkeys/blob/878d6217d8538f05205c092c7230c8db6727d058/pom.xml

 

Full logs from broken build (Dependabot PR bump 3.1.0 to 3.2.0):

https://github.com/haraldk/TwelveMonkeys/actions/runs/8230467333/job/22504202895

 

Full logs from working build (reverted to 3.1.0): https://github.com/haraldk/TwelveMonkeys/actions/runs/8230663423/job/22504567422

---

Affects: 3.2.0

Remote Links:

• GitHub Pull Request #80
  

[jira-importer]

Tamas Cservenak commented

Thanks for report. So it seems {}there is something fishy after all{}. 

Until we figure what exactly, please see discussion on MGPG-90 for some hints.

[jira-importer]

Tamas Cservenak commented

I think I found it:

maven-gpg-plugin-3.1.0...maven-gpg-plugin-3.2.0#diff-f5003fd6d6c035576748c07804fb03d19ec27f6deed6bde233cce41e48a8037cL62-R137

[jira-importer]

Harald Kuhr commented

Thanks! Great work, both on the plugin in general and locating and resolving the issue quickly! 

I'll try upgrading to 3.2.1 as soon as it's available. But as my setup is very similar to SQLite JDBC (mentioned in MGPG-90), do you recommend switching to the new Bouncy Castle signer for usage in GitHub Actions?

[jira-importer]

Tamas Cservenak commented

In general, yes. I'd recommend this:

• on workstation (like ASF releases are done), using GnuPG is recommended (w/ all your keys being installed in your home)
• on CI-like env I'd really NOT recommend installing private keys, instead, use BC signer and provide key/pass via env variables

[jira-importer]

Harald Kuhr commented

Excellent, thanks! I'll try that!

[jira-importer]

Tamas Cservenak commented

Release 3.2.1 on vote (72h)

[jira-importer]

Marc Nuri commented

I'm currently getting an 401 Unauthorized status code when using the gpg:sign-and-deploy-file goal with the repositoryId, url, pomFile passed in as Maven CLI arguments (-D<flag>).

Credentials should be read from the settings.xml file that GitHub actions/setup-java populates, but aren't.

You can check the setup at https://github.com/fabric8io/kubernetes-client/blob/e7f734bd5922bce0a78e9babbbdfce4d564560bb/.github/workflows/release-snapshots.yaml#L93-L97

Given the context, my impression is that the problem relates to the changes that caused this issue.

Error:  Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.2.1:sign-and-deploy-file (default-cli) on project kubernetes-client-project: Error deploying attached artifacts [io.fabric8:kubernetes-client-bom:pom:6.11-SNAPSHOT, io.fabric8:kubernetes-client-bom:pom.asc:6.11-SNAPSHOT]: Failed to deploy artifacts: Could not transfer artifact io.fabric8:kubernetes-client-bom:pom:6.11-20240325.075308-56 from/to ossrh (https://oss.sonatype.org/content/repositories/snapshots/): authentication failed for https://oss.sonatype.org/content/repositories/snapshots/io/fabric8/kubernetes-client-bom/6.11-SNAPSHOT/kubernetes-client-bom-6.11-20240325.075308-56.pom, status: 401 Unauthorized -> [Help 1]

(Might be related to cstamas@0b66b07#diff-57999891695a0f1a4ab38faf1429b160ea8f1c7ce95de9419d5c8e58b60c3f58)

[jira-importer]

Marc Nuri commented

Sorry for the noise, my previous comment was a duplicate report of https://issues.apache.org/jira/browse/MGPG-113