apache · rodrigonull · Jul 16, 2024 · Jul 15, 2024 · Jul 16, 2024
diff --git a/.ci/jenkins/Jenkinsfile.zip.sources b/.ci/jenkins/Jenkinsfile.zip.sources
@@ -23,17 +23,16 @@ pipeline {
                 archiveArtifacts artifacts: "**/${SOURCES_FILE_NAME}"
             }
         }
-//        stage('Sign and upload the sources.zip') {
-//            steps {
-//                script {
-//                    // TODO: Uncomment (and adjust) when we have required credentials available
-//                    release.gpgImportKeyFromFileWithPassword(getReleaseGpgSignKeyCredsId(), getReleaseGpgSignPassphraseCredsId())
-//                    release.gpgSignFileDetachedSignatureWithPassword(SOURCES_FILE_NAME, SIGNATURE_FILE_NAME, getReleaseGpgSignPassphraseCredsId())
-//                    release.svnUploadFileToRepository(getReleaseSvnRepository(), getReleaseSvnCredsId(), TARGET_VERSION, SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)
-//                }
-//                archiveArtifacts artifacts: "**/${SIGNATURE_FILE_NAME}"
-//            }
-//        }
+       stage('Sign and upload the sources.zip') {
+           steps {
+               script {
+                   release.gpgImportKeyFromStringWithoutPassword(getReleaseGpgSignKeyCredsId())
+                   release.gpgSignFileDetachedSignatureWithoutPassword(SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)
+                   release.svnUploadFileToRepository(getReleaseSvnRepository(), getReleaseSvnCredsId(), TARGET_VERSION, SOURCES_FILE_NAME, SIGNATURE_FILE_NAME)
+               }
+               archiveArtifacts artifacts: "**/${SIGNATURE_FILE_NAME}"
+           }
+       }
     }
 }
 
@@ -42,14 +41,10 @@ String getReleaseGpgSignKeyCredsId() {
     return env.RELEASE_GPG_SIGN_KEY_CREDS_ID
 }
 
-String getReleaseGpgSignPassphraseCredsId() {
-    return env.RELEASE_GPG_SIGN_PASSPHRASE_CREDS_ID
-}
-
 String getReleaseSvnRepository() {
     return env.RELEASE_SVN_REPOSITORY
 }
 
 String getReleaseSvnCredsId() {
     return env.RELEASE_SVN_CREDS_ID
-}
+}
diff --git a/.ci/jenkins/config/branch.yaml b/.ci/jenkins/config/branch.yaml
@@ -90,8 +90,8 @@ cloud:
 release:
   gpg:
     sign:
-      key-credentials-id: 'asf-release-gpg-signing-key'
-      passphrase-credentials-id: 'asf-release-gpg-signing-key-passphrase'
+      key-credentials-id: 'GPG_KEY'
+      passphrase-credentials-id: ''
   svn:
     staging-repository: <TO-BE-DEFINED>
     credentials-id: <TO-BE-DEFINED>

diff --git a/jenkins-pipeline-shared-libraries/vars/release.groovy b/jenkins-pipeline-shared-libraries/vars/release.groovy
@@ -13,12 +13,29 @@ def gpgImportKeyFromFileWithPassword(String gpgKeyCredentialsId, String gpgKeyPa
     }
 }
 
+def gpgImportKeyFromStringWithoutPassword(String gpgKeyCredentialsId) {
+    withCredentials([string(credentialsId: gpgKeyCredentialsId, variable: 'SIGNING_KEY')]) {
+        // copy the key to singkey.gpg file in *plain text* so we can import it
+        sh """
+            echo "$SIGNING_KEY" > $WORKSPACE/signkey.gpg
+            # Please do not remove list keys command. When gpg is run for the first time, it may initialize some internals.
+            gpg --list-keys
+            gpg --batch --pinentry-mode=loopback --import signkey.gpg
+            rm $WORKSPACE/signkey.gpg
+        """
+    }
+}
+
 def gpgSignFileDetachedSignatureWithPassword(String file, String signatureTarget, String gpgKeyPasswordCredentialsId) {
     withCredentials([string(credentialsId: gpgKeyPasswordCredentialsId, variable: 'SIGNING_KEY_PASSWORD')]) {
         sh "gpg --batch --sign --pinentry-mode=loopback --passphrase \"${SIGNING_KEY_PASSWORD}\" --output ${signatureTarget} --detach-sig ${file}"
     }
 }
 
+def gpgSignFileDetachedSignatureWithoutPassword(String file, String signatureTarget) {
+    sh "gpg --batch --sign --pinentry-mode=loopback --output ${signatureTarget} --detach-sig ${file}"
+}
+
 boolean gpgIsValidDetachedSignature(String file, String signature) {
     return sh(returnStatus: true, script: "gpg --batch --verify ${signature} ${file}") == 0
 }