author | seahrh <seahrh@gmail.com> | 2019-04-25 15:14:27 +0800 |
---|---|---|
committer | Jakob Odersky <jakob@odersky.com> | 2019-04-25 09:50:40 -0700 |
commit | 42ffe61e65cc3ec230264b1a9f57772bf1bc7c8c (patch) | |
tree | 678ab1958858aaa56b5b2a5412ad107e5765496a | |
parent | 52b272eca2def03a3232662ad77959038b23dfd9 (diff) | |
Fix #10, #11: travis-encrypt, new key without passphrase protection
-rw-r--r-- | README.md | 10 |
1 files changed, 7 insertions, 3 deletions
@@ -93,17 +93,21 @@ It is very common to configure your CI server (Travis or otherwise) to perform t This scheme works well when SBT manages signing key passwords and decryption (as in sbt-pgp). It works quite poorly when securely delegating to `pinentry`, as is the case with this plugin. -The solution is to *not* password-protect the CI signing key and instead encrypt it explicitly using `openssl`. To start with, you should have your CI signing key in your local GPG keyring. Let's assume this key has a signature of `1234ABCD`. Run the following commands within your project root: +The solution is to *not* password-protect the CI signing key and instead encrypt it explicitly using `openssl`. + +To generate a new key without passphrase protection, simply press Enter when prompted for the passphrase and select the option "Continue without passphrase protection". + +Next, you should have your CI signing key in your local GPG keyring. Let's assume this key has an ID of `1234ABCD`. Run the following commands within your project root: ```bash $ gpg --export-secret-keys -a 1234ABCD > key.asc -$ travis encrypt_file key.asc --add +$ travis encrypt-file key.asc --add $ rm key.asc $ git add key.asc.enc $ git commit ``` -Replace `travis encrypt_file` with whatever mechanism is required to securely encrypt files for your CI solution. You may omit the `--add` switch and manually modify your `.travis.yml` if you prefer. Travis' file encryption documentation is [here](https://docs.travis-ci.com/user/encrypting-files/). +Replace [`travis encrypt-file`](https://github.com/travis-ci/travis.rb#encrypt-file) with whatever mechanism is required to securely encrypt files for your CI solution. You may omit the `--add` switch and manually modify your `.travis.yml` if you prefer. Travis' file encryption documentation is [here](https://docs.travis-ci.com/user/encrypting-files/). These steps handle securely materializing a plain-text (*not* password protected!) secret key on your CI server. 
The only remaining task is to make it available to `gpg` on your CI so that it can be picked up by sbt-gpg. If using Travis, add the following to your `.travis.yml`: |
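Review bot: The added paragraph "To generate a new key without passphrase protection, simply press Enter when prompted..." never names the command that produces that prompt, so a reader who lacks a key cannot follow it. Name the command explicitly (for example `gpg --full-generate-key`), and say that this should be a dedicated CI-only signing key, since the resulting secret key sits unprotected in the local keyring. The following sentence, "Next, you should have your CI signing key in your local GPG keyring", reads as a step when it describes a precondition; something like "You should now have..." fits better after the generation step. Separately, in the unchanged command block the exported `key.asc` is a plain-text secret key written into the project root right before `git add`; a short note to keep `key.asc` out of version control (for instance via `.gitignore`) would guard against committing it by mistake.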