Use GPG private key within GitHub Actions and Setup Java SDK

Hello,
I’m trying to deploy my project over Nexus by defining a workflow on GitHub; I already managed to deploy over GitHub Packages with not too much effort.
However, Nexus requires release artifacts to be signed with a private key in order to be distributed.
I tried to add both my key and its passphrase as secrets to my repository but with no avail: during build process, maven errors with

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:1.6:sign (sign-artifacts) on project ***: Unable to decrypt gpg passphrase: org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException: java.io.FileNotFoundException: /home/runner/.m2/settings-security.xml (No such file or directory) -> [Help 1]

I’m not sure about non-existing settings-security.xml, since I’m using the Setup Java JDK action and there is no mention of such a file in Maven GPG plugin configuration; looks like this mechanism takes place, however I have no idea how to deal with it in GitHub Actions.

Moreover, since I use two Setup Java SDK actions within my workflow, I have the problem of the clean-up for the second one: since the first one already deletes my private key, the second one fails in doing this and errors the whole workflow.

So, my questions are:

  • How do I properly set artifact signing with Setup Java JDK action?
  • How do I avoid failing of two subsequent cleanup for the same kind actions?

For reference, here is workflow for my project.

@bissim,

About your two questions:

  1. How do I properly set artifact signing with Setup Java JDK action?

    The ‘settings-security.xml’ file contains the master password used to encrypt remote repository credentials. The default location of this file is ‘~<user_home>/.m2/settings-security.xml’.

    Normally, if this file does not exist, or if it does not contain valid content, the ‘mvn --encrypt-password’ command line will fail with the error like:

    [ERROR] java.io.FileNotFoundException: ~<user_home>/.m2/settings-security.xml (No such file or directory)
    

    In this situation, you may need to create this file by yourself, then copy and paste the encrypted master password (output of the command line ‘mvn --encrypt-master-password’) into the file.

    If you do not store the ‘settings-security.xml’ file in the directory ‘~<user_home>/.m2’, for example in your project repository directory, you can try to use the following command line to refer to this file:

    mvn -Dsettings.security=path/to/settings-security.xml
    
  2. How do I avoid failing of two subsequent cleanup for the same kind actions?

    You can try to divide the current job to two jobs in your workflow. One is for “Publish GitHub Packages Apache Maven”, another is for “Publish to Apache Maven Central”.
    In this way, the Setup Java JDK action is running in different jobs on different runner machines, they will not have any effect or conflict on each other.

Hello @brightran,
Thank you for your answer.

About number 2, it makes sense: I was avoiding to use multiple jobs in order not to duplicate steps because of two different runners; I think there’s no other way to fix that problem.

About number 1, I wonder whether there’s a way to create a working settings-security.xml file remotely: I guess that prepending a step with mvn --encrypt-master-password command won’t solve the problem, also because it prompts for a password. This is really a problem: I cannot interact with runners, unless I make use of some really bash commands.

Edit: by the way, why isn’t this problem documented into ‘Publishing Java projects with Maven’ documentation?

Edit2: can’t I just disable password encryption mechanism? In the first place, I don’t need such a level of security, since I’m using a disposable runner and passwords aren’t even encrypted in generated settings.xml file.

Edit3: I managed to get rid of the error about settings-security.xml by passing server username and password and GPG key passphrase as environment variables rather than directly to Setup Java configuration, like shown in Setup Java README. The error I’m getting now is

gpg: signing failed: Inappropriate ioctl for device

that cannot be fixed by export GPG_TTY=$(tty).
So, does anyone know how to fix this issue?

@bissim,

In the docs “Publishing Java packages with Maven”, it seems only mentions using passwrod (personal access token) to authenticate, not mentions using GPG keys. And looks like, all the authentication information will be stored into the automatically generated settings.xml.
Not sure why the settings-security.xml will be involved.

I have created an issue ticket (actions/setup-java#91) to help you report the questions to the appropriate engineering team for further investigation and evaluation.
You can follow this issue ticket and add your comments on it.

@brightran,
Again, thank you for your concern.

As stated in the issue you kindly opened on actions-setup-java repository, thanks to @airquick intervention on issue 43 which I previously commented, the solution for the ioctl issue is to add a configuration section to Maven GPG plugin in project POM:

            <configuration>
              <!-- Prevent gpg from using pinentry programs -->
              <gpgArguments>
                <arg>--pinentry-mode</arg>
                <arg>loopback</arg>
              </gpgArguments>
            </configuration>

Along with first brightran answer to this thread, this closes my request for support.