
[FEAT]: 🎉 Add Support for GPG Signing #50


Closed
adam-grant-hendry opened this issue Oct 23, 2022 · 2 comments · Fixed by #51

Comments

@adam-grant-hendry
Contributor

Currently, this action doesn't support gpg signing commits and tags. This could be added simply by modifying the entrypoint.sh script to accept a gpg passphrase and key that have been added as SECRETS to the repo.

@adam-grant-hendry
Contributor Author

See commitizen Discussions #616. commitizen-action builds and runs inside a Docker container, which prevents using actions like import-gpg since that runs and sets up gpg in the local runner.

One of the two will have to be performed:

  1. Find a way to run a GitHub Action like import-gpg within the built Docker container
  2. Amend our entrypoint.sh script with code like in action-gpg

Currently, using import-gpg and copy-pasting and running entrypoint.sh directly in a GitHub workflow works (slightly modified, of course).

I found action-gpg to have a couple of problems (firstly, this), but it could probably work with the right tweaking.

import-gpg uses TypeScript, which I am only vaguely familiar with at this point, so I'm not able to convert it into a shell script.

@woile woile closed this as completed in #51 Jan 7, 2023
woile pushed a commit that referenced this issue Jan 7, 2023
fix: check_consistency being ignored

* feat(action.yml): add `gpg` inputs

Add input for GPG key and passphrase and whether or not to sign.

* feat(entrypoint.sh): add `gpg` sign

Add `-s` to `bump` command if `gpg_sign` is 'true'.

* fix(entrypoint.sh): set git config

Set `gpg.program`, `commit.gpgsign`, and `tag.gpgsign`.

* fix(gpg): add `signingkey`

Git requires `signingkey` to sign commits and tags.

feat(debug): add option for debug output

* fix(signingkey): specify UID

Git takes the UID for the signing key, not the key itself.

* fix(entrypoint.sh): add `gpg.program`

Add `gpg.program` to Git config.

* feat(entrypoint.sh): write `gpg` script

Use bash script to configure the GPG agent, import keys, set the
passphrase, and configure Git.

* fix(entrypoint.sh): replace `systemctl`

Use `service` as `systemctl` is not on GitHub Actions runners.

* fix(entrypoint.sh): remove `sudo`

* Revert "fix(entrypoint.sh): replace `systemctl`"

This reverts commit 2cf68aa.

* Revert "feat(entrypoint.sh): write `gpg` script"

This reverts commit a1c8571.

* Revert "fix(entrypoint.sh): add `gpg.program`"

This reverts commit 94d316f.

* fix(entrypoint.sh): remove signing commits

Only sign tags. It may be that `commitizen` only supports signing tags.

See: commitizen-tools/commitizen#616

* fix(entrypoint.sh): remove signing configs

Remove `tag.gpgsign` and `commit.gpgsign` from local Git config.

* fix(entrypoint.sh): remove `--gpg-sign`

See if Git will sign for us instead of through `cz`.

* fix(entrypoint.sh): add `commit.gpgsign`

Remove specifying `gpg.program` and add `commit.gpgsign` back.

* fix(entrypoint.sh): add `gpg-sign` back

Add `--gpg-sign` back to `commitizen`.

* fix(entrypoint.sh): move `--gpg-sign` after bump

The `--gpg-sign` switch applies to the `bump` subcommand.

* fix(entrypoint.sh): move `--debug`

Move `--debug` switch to after `bump` command.

* Revert "fix(entrypoint.sh): move `--debug`"

This reverts commit e543aff.

* fix(entrypoint.sh): add `commit.gpgsign`

* ci(test): add `gpg -K` to stdout

* ci(test): more printouts

* ci(test): even more printouts

* ci(test): print which `gpg` is running

* ci(test): let `import-gpg` setup `gpg`

* ci(test): print `gpg --version`

* feat(ci): run in docker container

* Revert "feat(ci): run in docker container"

This reverts commit 3b2cae5.

Closes: #50

Closes: #53 
Co-authored-by: Hendry, Adam <adam.hendry@metronic.com>
@suasuasuasuasua

Hey! I had a question about the workarounds. I have a workflow pretty similar to #72 using crazy-max/ghaction-import-gpg@v6. I'm getting an error where there isn't a secret key found by GPG. I used the name and email output from the import-gpg step, so they are definitely matching.

gpg (GnuPG) 2.4.7
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /github/home/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
git version 2.47.1
Configuring Git username, email, and pull behavior...
Git name: github-actions[bot]
Git email: github-actions@users.noreply.github.com
pip install commitizen
...
Commitizen version: 4.1.0
cz --debug --no-raise 21 bump --yes --gpg-sign --changelog --git-output-to-stderr --changelog-to-stdout >body.md
bump: version 0.1.1 → 0.1.2
tag to create: 0.1.2
increment detected: PATCH
[main b66d848] bump: version 0.1.1 → 0.1.2
 2 files changed, 7 insertions(+), 1 deletion(-)
error: gpg failed to sign the data:
gpg: directory '/github/home/.gnupg' created
gpg: skipped "github-actions[bot] <github-actions@users.noreply.github.com>": No secret key
[GNUPG:] INV_SGNR 9 github-actions[bot] <github-actions@users.noreply.github.com>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
error: unable to sign the tag
The tag message has been left in .git/TAG_EDITMSG
Traceback (most recent call last):
  File "/usr/local/bin/cz", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/site-packages/commitizen/cli.py", line 651, in main
    args.func(conf, arguments)()
  File "/usr/local/lib/python3.10/site-packages/commitizen/commands/bump.py", line 400, in __call__
    raise BumpTagFailedError(c.err)
commitizen.exceptions.BumpTagFailedError: error: gpg failed to sign the data:
gpg: directory '/github/home/.gnupg' created
gpg: skipped "github-actions[bot] <github-actions@users.noreply.github.com>": No secret key
[GNUPG:] INV_SGNR 9 github-actions[bot] <github-actions@users.noreply.github.com>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
error: unable to sign the tag
The tag message has been left in .git/TAG_EDITMSG

Could you explain the workaround?
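As an added example that is not part of this thread and not the action's own entrypoint.sh: a small POSIX shell pre-flight for the failure shown in the log above. When `user.signingkey` is unset, git hands gpg the committer identity ("Name <email>") to select a key, and if no secret key in the runner's keyring carries that UID, gpg answers `INV_SGNR` / `No secret key` and the tag is left unsigned, which is exactly what the log shows for `github-actions[bot]`. The script resolves the primary-key fingerprint for the e-mail git will commit as, so it can be pinned with `git config user.signingkey` (git accepts a fingerprint as well as a UID there) before `cz bump` runs, and it builds the bump command with `--gpg-sign` after `bump`, as the commit history above worked out. The key listing, the "Release Bot" identity and its fingerprints are constructed, and `signing_fpr_for_email` and `cz_bump_command` are names chosen here.

```shell
#!/usr/bin/env sh
# Added example, not the commitizen-action's entrypoint.sh.
# Pre-flight: does a secret key exist for the identity git will sign as?

# Constructed sample of `gpg --list-secret-keys --with-colons` output.
# Key IDs, fingerprints, keygrips and the Release Bot identity are made up.
SAMPLE_SECRET_KEYS='sec:u:4096:1:0123456789ABCDEF:1672531200:::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
uid:u::::1672531200::0000000000000000000000000000000000000000::Release Bot <release-bot@example.com>::::::::::0:
ssb:u:4096:1:89ABCDEF01234567:1672531200::::::e:::+:::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
grp:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Print the primary-key fingerprint of the first secret key whose UID contains
# "<email>"; exit 1 if none does. Reads a --with-colons listing on stdin.
# In that format the fingerprint is field 10 of an "fpr" record and the
# user ID is field 10 of a "uid" record; the "fpr" right after "sec" is the
# primary key's, the ones after "ssb" belong to subkeys and are skipped.
signing_fpr_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" { primary = ""; want = 1; next }
    $1 == "fpr" && want && primary == "" { primary = $10; next }
    $1 == "ssb" { want = 0; next }
    $1 == "uid" && primary != "" && index($10, "<" email ">") {
      print primary; found = 1; exit
    }
    END { exit found ? 0 : 1 }
  '
}

# Build the bump command the action runs. `--gpg-sign` is an option of the
# `bump` subcommand, so it must come after `bump`, not after `cz`.
cz_bump_command() {
  sign_flag=""
  [ "$1" = "true" ] && sign_flag=" --gpg-sign"
  printf 'cz --no-raise 21 bump --yes%s --changelog --git-output-to-stderr --changelog-to-stdout\n' "$sign_flag"
}

# Stand-alone demo on the constructed listing. On a real runner, replace the
# sample with: gpg --batch --list-secret-keys --with-colons
if fpr=$(printf '%s' "$SAMPLE_SECRET_KEYS" | signing_fpr_for_email "release-bot@example.com"); then
  echo "secret key for release-bot@example.com: $fpr"
  echo "  git config user.signingkey $fpr"
  echo "  $(cz_bump_command true)"
fi
if ! printf '%s' "$SAMPLE_SECRET_KEYS" | signing_fpr_for_email "github-actions@users.noreply.github.com" >/dev/null; then
  echo "no secret key for github-actions@users.noreply.github.com:"
  echo "  gpg would report INV_SGNR / No secret key, so pin user.signingkey or import a matching key first"
fi
```

Run the check with the e-mail the workflow actually commits as (the `Git email:` line in the log, not the one the import step reports), right before the bump step; a mismatch then fails fast with a clear message instead of a half-finished release commit and an unsigned tag left in `.git/TAG_EDITMSG`.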
