author: seahrh <seahrh@gmail.com> 2019-04-25 15:14:27 +0800
committer: Jakob Odersky <jakob@odersky.com> 2019-04-25 09:50:40 -0700
commit: 42ffe61e65cc3ec230264b1a9f57772bf1bc7c8c
tree: 678ab1958858aaa56b5b2a5412ad107e5765496a
parent: 52b272eca2def03a3232662ad77959038b23dfd9
Fix #10, #11: travis-encrypt, new key without passphrase protection
-rw-r--r-- README.md 10
1 files changed, 7 insertions, 3 deletions
diff --git a/README.md b/README.md
index c2c7428..c416e13 100644
--- a/README.md
+++ b/README.md
@@ -93,17 +93,21 @@ It is very common to configure your CI server (Travis or otherwise) to perform t
This scheme works well when SBT manages signing key passwords and decryption (as in sbt-pgp). It works quite poorly when securely delegating to `pinentry`, as is the case with this plugin.
-The solution is to *not* password-protect the CI signing key and instead encrypt it explicitly using `openssl`. To start with, you should have your CI signing key in your local GPG keyring. Let's assume this key has a signature of `1234ABCD`. Run the following commands within your project root:
+The solution is to *not* password-protect the CI signing key and instead encrypt it explicitly using `openssl`.
+
+To generate a new key without passphrase protection, simply press Enter when prompted for the passphrase and select the option "Continue without passphrase protection".
+
+Next, you should have your CI signing key in your local GPG keyring. Let's assume this key has an ID of `1234ABCD`. Run the following commands within your project root:
```bash
$ gpg --export-secret-keys -a 1234ABCD > key.asc
-$ travis encrypt_file key.asc --add
+$ travis encrypt-file key.asc --add
$ rm key.asc
$ git add key.asc.enc
$ git commit
```
-Replace `travis encrypt_file` with whatever mechanism is required to securely encrypt files for your CI solution. You may omit the `--add` switch and manually modify your `.travis.yml` if you prefer. Travis' file encryption documentation is [here](https://docs.travis-ci.com/user/encrypting-files/).
+Replace [`travis encrypt-file`](https://github.com/travis-ci/travis.rb#encrypt-file) with whatever mechanism is required to securely encrypt files for your CI solution. You may omit the `--add` switch and manually modify your `.travis.yml` if you prefer. Travis' file encryption documentation is [here](https://docs.travis-ci.com/user/encrypting-files/).
These steps handle securely materializing a plain-text (*not* password protected!) secret key on your CI server. The only remaining task is to make it available to `gpg` on your CI so that it can be picked up by sbt-gpg. If using Travis, add the following to your `.travis.yml`:
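Review bot: the added paragraph beginning "To generate a new key without passphrase protection" never names the command that produces the passphrase prompt, so a reader starting without a key cannot follow the step; name it (for example `gpg --gen-key`) before describing the prompt. The quoted label "Continue without passphrase protection" is tied to a particular pinentry dialog, so describing the action (leave the passphrase empty and confirm) would hold up better than quoting the button text. Because this key now has no passphrase and is protected only by the CI file encryption, it is worth stating in the same paragraph that it should be a key created solely for CI signing. The unchanged `gpg --export-secret-keys -a 1234ABCD > key.asc` step also leaves the plaintext key in the project root until `rm key.asc`; a sentence recommending that `key.asc` be listed in `.gitignore` would guard against committing it by accident.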