
[FEAT]: 🎉 Add Support for GPG Signing #50


Closed
adam-grant-hendry opened this issue Oct 23, 2022 · 2 comments · Fixed by #51

Comments

@adam-grant-hendry
Contributor

Currently, this action doesn't support gpg signing commits and tags. This could be added simply by modifying the entrypoint.sh script to accept a gpg passphrase and key that have been added as SECRETS to the repo.

@adam-grant-hendry
Contributor Author

See commitizen Discussions #616. commitizen-action builds and runs inside a Docker container, which prevents using actions like import-gpg since that runs and sets up gpg in the local runner.

One of the two will have to be performed:

  1. Find a way to run a GitHub Action like import-gpg within the built Docker container
  2. Amend our entrypoint.sh script with code like in action-gpg

Currently, using import-gpg and copy-pasting and running entrypoint.sh directly in a GitHub workflow works (slightly modified, of course).

I found action-gpg to have a couple of problems (firstly, this), but it could probably work with the right tweaking.

import-gpg uses TypeScript, which I am only vaguely familiar with at this point, so I'm not able to convert it into a shell script.
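The second option above, as an added example in bash that is not the action's entrypoint.sh nor code from import-gpg or action-gpg: import the key material that arrives as repository secrets inside the container, resolve the long key ID for `user.signingkey` from the container's own keyring, and route Git's signing through a small wrapper that supplies the passphrase over a file descriptor instead of a pinentry. The environment variable names `GPG_PRIVATE_KEY`, `GPG_PASSPHRASE` and `GIT_EMAIL` and the wrapper path are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the commitizen-action entrypoint.sh. Everything runs
# inside the action's container, where $HOME/.gnupg starts out empty.
# Assumed inputs (hypothetical names): GPG_PRIVATE_KEY (ASCII-armoured
# private key), GPG_PASSPHRASE, GIT_EMAIL (the UID e-mail to sign with).
set -euo pipefail

# Read `gpg --list-secret-keys --with-colons` on stdin and print the long key
# ID of the first secret key whose UID contains <email>; exit 1 if none.
# Git's `user.signingkey` needs this ID (or a fingerprint): handing it a
# name/email that is absent from the keyring gives "No secret key".
key_id_for_email() {
  awk -F: -v email="$1" '
    $1 == "sec" { keyid = $5 }
    $1 == "uid" && keyid != "" && index($10, "<" email ">") { print keyid; found = 1; exit }
    END { exit found ? 0 : 1 }'
}

# Write the program Git will call as `<gpg.program> --status-fd=2 -bsau <key>`.
# The passphrase arrives on fd 3 via loopback pinentry, so no TTY or agent
# prompt is needed and it never appears on the command line.
write_gpg_wrapper() {
  cat > "$1" <<'EOF'
#!/usr/bin/env bash
exec gpg --batch --pinentry-mode loopback --passphrase-fd 3 "$@" \
  3< <(printf '%s' "$GPG_PASSPHRASE")
EOF
  chmod 700 "$1"
}

# Import the secret key into the container keyring and configure Git.
setup_tag_signing() {
  export GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  # Older gpg-agent builds refuse loopback pinentry unless told otherwise.
  printf 'allow-loopback-pinentry\n' >> "$GNUPGHOME/gpg-agent.conf"
  printf '%s\n' "$GPG_PRIVATE_KEY" | gpg --batch --import
  local keyid
  keyid=$(gpg --list-secret-keys --with-colons | key_id_for_email "$GIT_EMAIL")
  write_gpg_wrapper "$GNUPGHOME/gpg-wrapper.sh"
  git config --global gpg.program "$GNUPGHOME/gpg-wrapper.sh"
  git config --global user.signingkey "$keyid"
  git config --global tag.gpgsign true   # `cz bump --gpg-sign` signs the tag
}
```

Resolving the key ID from the keyring the container actually sees, rather than reusing a name/email that was only imported on the host runner, is what separates a working run from the `No secret key` failure quoted in the last comment.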

@woile woile closed this as completed in #51 Jan 7, 2023
woile pushed a commit that referenced this issue Jan 7, 2023
fix: check_consistency being ignored

* feat(action.yml): add `gpg` inputs

Add input for GPG key and passphrase and whether or not to sign.

* feat(entrypoint.sh): add `gpg` sign

Add `-s` to `bump` command if `gpg_sign` is 'true'.

* fix(entrypoint.sh): set git config

Set `gpg.program`, `commit.gpgsign`, and `tag.gpgsign`.

* fix(gpg): add `signingkey`

Git requires `signingkey` to sign commits and tags.

feat(debug): add option for debug output

* fix(signingkey): specify UID

Git takes the UID for the signing key, not the key itself.

* fix(entrypoint.sh): add `gpg.program`

Add `gpg.program` to Git config.

* feat(entrypoint.sh): write `gpg` script

Use bash script to configure the GPG agent, import keys, set the
passphrase, and configure Git.

* fix(entrypoint.sh): replace `systemctl`

Use `service` as `systemctl` is not on GitHub Actions runners.

* fix(entrypoint.sh): remove `sudo`

* Revert "fix(entrypoint.sh): replace `systemctl`"

This reverts commit 2cf68aa.

* Revert "feat(entrypoint.sh): write `gpg` script"

This reverts commit a1c8571.

* Revert "fix(entrypoint.sh): add `gpg.program`"

This reverts commit 94d316f.

* fix(entrypoint.sh): remove signing commits

Only sign tags. It may be that `commitizen` only supports signing tags.

See: commitizen-tools/commitizen#616

* fix(entrypoint.sh): remove signing configs

Remove `tag.gpgsign` and `commit.gpgsign` from local Git config.

* fix(entrypoint.sh): remove `--gpg-sign`

See if Git will sign for us instead of through `cz`.

* fix(entrypoint.sh): add `commit.gpgsign`

Remove specifying `gpg.program` and add `commit.gpgsign` back.

* fix(entrypoint.sh): add `gpg-sign` back

Add `--gpg-sign` back to `commitizen`.

* fix(entrypoint.sh): move `--gpg-sign` after bump

The `--gpg-sign` switch applies to the `bump` subcommand.

* fix(entrypoint.sh): move `--debug`

Move `--debug` switch to after `bump` command.

* Revert "fix(entrypoint.sh): move `--debug`"

This reverts commit e543aff.

* fix(entrypoint.sh): add `commit.gpgsign`

* ci(test): add `gpg -K` to stdout

* ci(test): more printouts

* ci(test): even more printouts

* ci(test): print which `gpg` is running

* ci(test): let `import-gpg` setup `gpg`

* ci(test): print `gpg --version`

* feat(ci): run in docker container

* Revert "feat(ci): run in docker container"

This reverts commit 3b2cae5.

Closes: #50

Closes: #53 
Co-authored-by: Hendry, Adam <adam.hendry@metronic.com>
@suasuasuasuasua

Hey! I had a question about the workarounds. I have a workflow pretty similar to #72 using crazy-max/ghaction-import-gpg@v6. I'm getting an error where there isn't a secret key found by GPG. I used the name and email output from the import-gpg step, so they are definitely matching.

gpg (GnuPG) 2.4.7
libgcrypt 1.10.3
Copyright (C) 2024 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /github/home/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
git version 2.47.1
Configuring Git username, email, and pull behavior...
Git name: github-actions[bot]
Git email: github-actions@users.noreply.github.com
pip install commitizen
...
Commitizen version: 4.1.0
cz --debug --no-raise 21 bump --yes --gpg-sign --changelog --git-output-to-stderr --changelog-to-stdout >body.md
bump: version 0.1.1 → 0.1.2
tag to create: 0.1.2
increment detected: PATCH
[main b66d848] bump: version 0.1.1 → 0.1.2
 2 files changed, 7 insertions(+), 1 deletion(-)
error: gpg failed to sign the data:
gpg: directory '/github/home/.gnupg' created
gpg: skipped "github-actions[bot] <github-actions@users.noreply.github.com>": No secret key
[GNUPG:] INV_SGNR 9 github-actions[bot] <github-actions@users.noreply.github.com>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
error: unable to sign the tag
The tag message has been left in .git/TAG_EDITMSG
Traceback (most recent call last):
  File "/usr/local/bin/cz", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/site-packages/commitizen/cli.py", line 651, in main
    args.func(conf, arguments)()
  File "/usr/local/lib/python3.10/site-packages/commitizen/commands/bump.py", line 400, in __call__
    raise BumpTagFailedError(c.err)
commitizen.exceptions.BumpTagFailedError: error: gpg failed to sign the data:
gpg: directory '/github/home/.gnupg' created
gpg: skipped "github-actions[bot] <github-actions@users.noreply.github.com>": No secret key
[GNUPG:] INV_SGNR 9 github-actions[bot] <github-actions@users.noreply.github.com>
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key
error: unable to sign the tag
The tag message has been left in .git/TAG_EDITMSG

Could you explain the workaround?
