Github actions gpg decrypt results in an error (gpg: no valid OpenPGP data found.) - gnupg

I'm building an Android APK using GitHub Actions, and I need to use the Android signing key in order to sign it before releasing it.
To do so I'm using the technique described here with GPG to encrypt the release key as a base64 string, and use it as a secret in GitHub Actions.
Then, inside my workflow, I use GPG to decrypt it back into the key file.
However, this process, which works fine on my Mac, is failing in GitHub Actions.
Running this:
- name: Decode keystore file
  run: |
    echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
    gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks
results in this:
gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error
##[error]Process completed with exit code 2.
Running sudo apt-get install ca-certificates before using GPG is of no help either, since it says that it's already installed.
Any ideas?

It seems release.keystore.asc contains invalid PGP data or no data at all. First, I would check the content of release.keystore.asc. You can upload the file as an artifact, then download it to examine its contents. Modify the workflow by adding an upload-artifact action step after the Decode keystore file step:
- name: Decode keystore file
  run: |
    echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
    gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks
- uses: actions/upload-artifact@v2
  if: failure()
  with:
    name: release.keystore.asc
    path: release.keystore.asc
Now you can download the release.keystore.asc artifact (it will be zipped, so you have to unzip it) and check whether the file contains valid PGP data: the file should start with -----BEGIN PGP MESSAGE-----, end with -----END PGP MESSAGE-----, and contain valid encrypted PGP content in between. If it does not, then the KEY_STORE secret contains invalid data.

I was getting the same error. I made a silly mistake; not sure if you made the same one.
While copying the base64 keystore string to the Git secret, I was only copying the base64 string and not the whole file, i.e.
the whole .asc file looks like this:
-----BEGIN PGP MESSAGE-----
**base64 string here**
-----END PGP MESSAGE-----
You need to copy the whole file content (including the BEGIN PGP MESSAGE and END PGP MESSAGE lines). This solved my problem.
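Both answers above come down to the same check: does the file written from the secret actually have the shape of an armored message? The script below is an added example, not code from the question or from either answer. It validates the armor structure (BEGIN line, optional "Name: value" headers, base64 body, optional "=XXXX" checksum line, END line) before gpg runs, so a secret that holds only the base64 body, or nothing at all, fails with a message saying why. The decrypt wrapper reads the passphrase from an environment variable (KEY_STORE_PASSPHRASE, an assumed name) instead of the command line so it does not appear in process listings on the runner. The sample files are constructed; the base64 in them is made up, not a real ciphertext.

```shell
#!/bin/sh
# Added example (not from the question or the answers above): check the shape
# of the file written from the KEY_STORE secret before gpg reads it, so a
# secret that holds only the base64 body, or nothing at all, fails with a
# message that says why instead of "gpg: no valid OpenPGP data found".

# Return 0 if $1 is an ASCII-armored OpenPGP message, 1 otherwise (reason on stderr).
pgp_armor_check() {
    f=$1
    [ -s "$f" ] || { echo "armor check failed: $f is empty or missing" >&2; return 1; }
    awk '
        { sub(/\r$/, "") }                                  # tolerate CRLF from a Windows paste
        NR == 1 {
            if ($0 != "-----BEGIN PGP MESSAGE-----") { msg = "first line is not -----BEGIN PGP MESSAGE-----"; bad = 1; exit }
            state = "hdr"; next
        }
        state == "hdr" {
            if ($0 == "") { state = "body"; next }          # blank line ends the armor headers
            if ($0 ~ /^[A-Za-z-]+: /) next                   # e.g. "Version: GnuPG v2"
            state = "body"                                   # no headers: this line is body already
        }
        state == "body" {
            if ($0 == "-----END PGP MESSAGE-----") { state = "done"; next }
            if ($0 ~ /^=[A-Za-z0-9+\/]+$/) next              # armor checksum line, "=XXXX"
            if ($0 !~ /^[A-Za-z0-9+\/=]+$/) { msg = "line " NR " is not base64"; bad = 1; exit }
            body++; next
        }
        state == "done" && $0 != "" { msg = "data after the END line"; bad = 1; exit }
        END {
            if (!bad && state != "done") { msg = "missing -----END PGP MESSAGE-----"; bad = 1 }
            if (!bad && body == 0)       { msg = "no base64 body between BEGIN and END"; bad = 1 }
            if (bad) { print "armor check failed: " msg > "/dev/stderr"; exit 1 }
        }' "$f"
}

# Decrypt the armored keystore $1 into $2. The passphrase is read from the
# environment variable KEY_STORE_PASSPHRASE (assumed name, set from the secret
# in the workflow) and fed on stdin, so it is not visible in `ps` output.
decrypt_keystore() {
    pgp_armor_check "$1" || return 1
    gpg --batch --yes --quiet --pinentry-mode loopback \
        --passphrase-fd 0 --output "$2" --decrypt "$1" <<EOF
$KEY_STORE_PASSPHRASE
EOF
}

# Constructed samples written into directory $1: good.asc has the shape of a
# `gpg --symmetric --armor` message (made-up base64, not a real ciphertext);
# body-only.asc is what you get when only the base64 string is pasted into the
# secret, as the second answer describes; empty.asc is an unset secret.
write_sample_files() {
    cat > "$1/good.asc" <<'EOF'
-----BEGIN PGP MESSAGE-----

jA0ECQMCx0v8o2bLqSPU0kABi8mE3wWf4yV9a3G2h1JkOdRz0vAx8sTq7vBl2Tyd
dKfPxw==
=c3Rz
-----END PGP MESSAGE-----
EOF
    cat > "$1/body-only.asc" <<'EOF'
jA0ECQMCx0v8o2bLqSPU0kABi8mE3wWf4yV9a3G2h1JkOdRz0vAx8sTq7vBl2Tyd
dKfPxw==
=c3Rz
EOF
    : > "$1/empty.asc"
}
```

In the workflow step this replaces the bare gpg call: write the secret to release.keystore.asc as before, source the script, export the passphrase secret as KEY_STORE_PASSPHRASE, and call `decrypt_keystore release.keystore.asc signing-key.jks`. The check is structural only; it does not prove the base64 decodes to a valid OpenPGP packet, which gpg itself reports once the armor is intact.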

Related

java.io.IOException: Invalid keystore format VS Xamarin

I am trying to sign my APK file with a keystore.jks file manually to publish my app on the Google Play Store.
Here are the commands I am following:
zipalign -v -p 4 com.VolMobileApp.Android.apk com.VolMobileAppAligned.Android.apk
apksigner sign --ks h2vkeystore.jks --out com.VolMobileAppRelease.Android.apk com.VolMobileAppAligned.Android.apk
Here is the issue. I tried to look for a solution but did not succeed.
When the second command asks
Keystore password for signer #1:
after filling in the password it returns the error given below. Earlier there was no error.
Failed to load signer "signer #1"
java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:666)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
    at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at com.android.apksigner.SignerParams.loadKeyStoreFromFile(SignerParams.java:353)
    at com.android.apksigner.SignerParams.loadPrivateKeyAndCertsFromKeyStore(SignerParams.java:239)
    at com.android.apksigner.SignerParams.loadPrivateKeyAndCerts(SignerParams.java:181)
    at com.android.apksigner.ApkSignerTool.getSignerConfig(ApkSignerTool.java:368)
    at com.android.apksigner.ApkSignerTool.sign(ApkSignerTool.java:291)
    at com.android.apksigner.ApkSignerTool.main(ApkSignerTool.java:84)
I am not able to detect what I am doing wrong, but the difference I notice is in the archived folder structure.
In my case I solved the problem by signing the .APK with the values from the keystore that we configured to create the APK file in Release mode.
I took the Microsoft example here
and here I put the same values.
That way I solved my problem with
"java.exe" exited with code 2
But the real information about the problem was in the output:
Failed to load signer "signer #1" java.io.IOException: Invalid keystore format
At the moment I can't find the real solution to this problem, but this works.
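The stack trace above comes from Java's JKS loader, which raises "Invalid keystore format" when the file does not begin with the JKS magic bytes; in practice that means either a keystore in another container (PKCS#12 is what keytool has produced by default since Java 9) or a file that is not a keystore at all (a Git LFS pointer, an HTML error page, a truncated copy). The script below is an added example, not code from the question or the answer: it reads the first bytes of the file to tell those cases apart and then passes the matching --ks-type to apksigner (a real apksigner option) instead of letting it guess. The sample files are constructed, each holding just enough bytes to show the detection; the keystore and APK names in the usage are the ones from the question.

```shell
#!/bin/sh
# Added example, not from the question or the answer above: identify what a
# keystore file actually is before handing it to apksigner.

# Print the detected container type of $1: jks, jceks, pkcs12 or unknown.
keystore_format() {
    # first four bytes as lowercase hex with spaces removed (od is POSIX; -N4 limits the read)
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case $magic in
        feedfeed) echo jks ;;     # JKS magic 0xFEEDFEED
        cececece) echo jceks ;;   # JCEKS magic 0xCECECECE
        30*)      echo pkcs12 ;;  # DER SEQUENCE tag: a PKCS#12 PFX starts with one
        *)        echo unknown ;;
    esac
}

# Map the detected format to apksigner's --ks-type value; return 1 for
# anything that is not a keystore so the caller can stop with a clear message.
ks_type_for() {
    case $(keystore_format "$1") in
        jks)    echo JKS ;;
        jceks)  echo JCEKS ;;
        pkcs12) echo PKCS12 ;;
        *)      return 1 ;;
    esac
}

# Sign $2 into $3 with keystore $1, refusing a file that is not a keystore.
sign_apk() {
    ks=$1; in_apk=$2; out_apk=$3
    type=$(ks_type_for "$ks") || {
        echo "$ks is not a JKS/JCEKS/PKCS12 keystore; check that the file was not replaced by a pointer, an error page or a truncated copy" >&2
        return 1
    }
    apksigner sign --ks "$ks" --ks-type "$type" --out "$out_apk" "$in_apk"
}

# Constructed samples written into directory $1: only the leading bytes that
# the detector looks at, not usable keystores.
write_sample_keystores() {
    printf '\376\355\376\355' > "$1/jks.bin"                                 # JKS magic
    printf '\316\316\316\316' > "$1/jceks.bin"                               # JCEKS magic
    printf '\060\202\001\000' > "$1/p12.bin"                                 # DER SEQUENCE header
    printf 'version https://git-lfs.github.com/spec/v1\n' > "$1/lfs.bin"     # Git LFS pointer text
}

# Usage with the names from the question:
#   sign_apk h2vkeystore.jks com.VolMobileAppAligned.Android.apk com.VolMobileAppRelease.Android.apk
```

A store that reports pkcs12 here will still fail with the same Java exception if it is passed without --ks-type on an older apksigner, so the detection result is worth printing in the build log next to the signing step.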

I am trying to decrypt a .pgp file given the .asc file

I have a file.txt.pgp which I want to decrypt on Solaris. I have a key.asc file as well.
I imported the key using
gpg --import key.asc
When I try to decrypt the file using
gpg --decrypt file.txt.pgp
I get the error below:
gpg:no valid OpenPGP data found.
gpg:decrypt message failed:eof
Also, there is no secret/private key corresponding to the public key I imported. How can I fix this?

gpg2: Where's Linus' key?

I'm trying to build a linux kernel for my Arch install. I'd like to verify the signatures but find I can't get the keys needed to do that:
[joemadeus@<host>]$ gpg2 -vvv --locate-keys torvalds@kernel.org gregkh@kernel.org
gpg: using character set 'iso-8859-1'
gpg: using pgp trust model
gpg: key <HEX CHARS HERE> accepted as trusted key
gpg: error retrieving 'gregkh@kernel.org' via Local: No public key
gpg: error retrieving 'gregkh@kernel.org' via WKD: No data
gpg: error reading key: No data
gpg: error retrieving 'torvalds@kernel.org' via Local: No public key
gpg: error retrieving 'torvalds@kernel.org' via WKD: No data
gpg: error reading key: No data
Obviously these keys are there and something is wrong with the way I'm going after them. Unfortunately there's nothing here that gives me any hints, even with verbose turned on. And, searching about I find... nothing.
I do have connectivity to the outside world and can get to kernel.org via http without any trouble. In fact, that's where I found out how to get the keys: https://www.kernel.org/category/signatures.html I've tried several times over the last couple of days, so I don't think kernel.org is having problems (unless they're very long-lived ones.)
I have created a key for myself with this login on the local system. I haven't pushed it out anywhere. I don't know if any of that matters.
Any hints?
The solution comes from this post, found by a friend of mine, which answers a similar question (but with a different error message): https://askubuntu.com/a/1027703
The default gpg config on Arch does not include:
auto-key-locate cert,pka,dane,wkd,keyserver
...and I did not supply it on the command line (didn't know it existed.) Once this option was specified it found the keys.
The easiest way to import Linus's and Greg's keys is to fetch them directly by fingerprint, as found via your link.
Fetch Linus Torvalds' key:
gpg --search-keys ABAF11C65A2970B130ABE3C479BE3E4300411886
Fetch Greg Kroah-Hartman's key:
gpg --search-keys 647F28654894E3BD457199BE38DBBDC86092693E
This approach also makes it easier to ensure you fetch the correct keys and not just any key published with those email addresses.
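The point of fetching by fingerprint is that a user ID proves nothing: anyone can publish a key with torvalds@kernel.org in it. The script below is an added example, not code from the question or the answers. It receives a key by full fingerprint non-interactively (--recv-keys rather than the interactive --search-keys) and then parses gpg's colon-separated listing to confirm that a primary key with exactly that fingerprint is now in the keyring. The fingerprints are the two from the answer; the colon-format listing used as sample input is constructed (key ids follow from the fingerprints, the other fields are left empty), so the parser can be exercised without a keyserver.

```shell
#!/bin/sh
# Added example, not from the question or answers above: fetch a key by its
# full fingerprint and confirm that the imported primary key has that
# fingerprint, so a keyserver handing back some other key is caught.

# Read `gpg --with-colons --fingerprint` output on stdin and print each
# primary key's fingerprint: the fpr record that directly follows a pub record
# carries it in field 10. fpr records after sub/ssb records are subkeys and skipped.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"                { want = 1; next }
        $1 == "fpr" && want        { print $10; want = 0; next }
        $1 == "sub" || $1 == "ssb" { want = 0 }
    '
}

# Return 0 if the local keyring holds a primary key whose fingerprint is $1.
have_primary_key() {
    gpg --batch --with-colons --fingerprint "$1" 2>/dev/null \
        | primary_fingerprints | grep -qx "$1"
}

# Receive key $1 by fingerprint from the configured keyserver, then pin:
# the fetch succeeding is not enough, the fingerprint must match afterwards.
fetch_and_pin() {
    fpr=$1
    gpg --batch --recv-keys "$fpr" >/dev/null 2>&1 \
        || { echo "keyserver fetch failed for $fpr" >&2; return 1; }
    have_primary_key "$fpr" \
        || { echo "no primary key with fingerprint $fpr after import" >&2; return 1; }
}

# Constructed listing in gpg's colon format for the two keys named in the
# answer. Only field 1 (record type) and field 10 (fingerprint) matter to the
# parser; timestamps and the subkey id are left empty or zeroed on purpose.
sample_colon_listing() {
    cat <<'EOF'
pub:-:4096:1:79BE3E4300411886::::-:::scESC::::::23::0:
fpr:::::::::ABAF11C65A2970B130ABE3C479BE3E4300411886:
uid:-::::::::Linus Torvalds <torvalds@kernel.org>::::::::::0:
sub:-:4096:1:0000000000000000::::::e::::::23:
fpr:::::::::0000000000000000000000000000000000000000:
pub:-:4096:1:38DBBDC86092693E::::-:::scESC::::::23::0:
fpr:::::::::647F28654894E3BD457199BE38DBBDC86092693E:
uid:-::::::::Greg Kroah-Hartman <gregkh@kernel.org>::::::::::0:
EOF
}

# Usage:
#   fetch_and_pin ABAF11C65A2970B130ABE3C479BE3E4300411886
#   fetch_and_pin 647F28654894E3BD457199BE38DBBDC86092693E
```

If you prefer the WKD route from the first answer, `gpg --auto-key-locate clear,wkd --locate-keys torvalds@kernel.org` fetches by address; run have_primary_key with the expected fingerprint afterwards in the same way, since the address alone is not what you want to trust.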

debsig-verify fails with gpg: no valid OpenPGP data found while gpg decrypt can verify the detached signature

Why does debsig-verify fail to verify when the _gpgorigin detached signature matches the combined debian-binary control.tar.gz data.tar.gz file?
Is it because of this WARNING: This key is not certified with a trusted signature!?
On a debian:7 docker container package signing worked well, and on debian:9.8 it fails with
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
Signing Process
# Unpack
ar x unsigned.deb
# Generate combine file
cat debian-binary control.tar.gz data.tar.gz > combined
# Create detached signature for combined
gpg -abs -o _gpgorigin combined
# Repack
ar rc signed.deb _gpgorigin debian-binary control.tar.gz data.tar.gz
Verify detached signature (seems successful)
gpg --output doc --decrypt _gpgorigin
Detached signature.
Please enter name of data file: combined
gpg: Signature made Thu Apr 25 22:43:37 2019 UTC
gpg: using RSA key AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
gpg: Good signature from "mygroup Testing <testing@mygroup.net>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: AAAA BBBB CCCC DDDD 996F CC98 FFFF FFFF FFFF FFFF
Verify signed package (fails)
debsig-verify -v -d signed.deb
debsig: Starting verification for: signed.deb
debsig: getSigKeyID: got FFFFFFFFFFFFFFFF for origin key
debsig: Using policy directory: /etc/debsig/policies/FFFFFFFFFFFFFFFF
debsig: Parsing policy file: /etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol
debsig: parsePolicyFile: parsing '/etc/debsig/policies/FFFFFFFFFFFFFFFF/mygroup-test.pol'
debsig: parsePolicyFile: completed
debsig: Checking Selection group(s).
debsig: Processing 'origin' key...
gpg: no valid OpenPGP data found.
gpg: processing message failed: Unknown system error
debsig: subprocess getKeyID returned error exit status 2
Key listing for the policy's keyring
gpg --no-default-keyring --keyring /usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg --list-sigs
/usr/share/debsig/keyrings/FFFFFFFFFFFFFFFF/pubring.gpg
-------------------------------------------------------
pub rsa2048 2017-06-19 [SC]
AAAABBBBCCCCDDDD996FCC98FFFFFFFFFFFFFFFF
uid [ unknown] MyGroup Testing <testing@mygroup.net>
sig 3 FFFFFFFFFFFFFFFF 2017-06-19 MyGroup Testing <testing@mygroup.net>
sub rsa2048 2017-06-19 [E]
sig FFFFFFFFFFFFFFFF 2017-06-19 MyGroup Testing <testing@mygroup.net>
I've just had a similar problem, and found a number of things that I was doing wrong that aren't obvious from the documentation/examples:
- make sure that the policy file has the XML namespace using https (not http, as the few examples use), i.e. <Policy xmlns="https://www.debian.org/debsig/1.0/">
- the 'keyring' file isn't a keyring, it's just a (public) key.
- the 'keyring' file must NOT be ASCII-armoured.
With the above changes, package verification succeeded (Ubuntu 18.04).
I had the same error.
To clarify Anthony's answer, the key file cannot be imported into the keyring.
It has to be a public key that is copied to the keyring folder.
(Example using DDDF2F4CE732A79A)
This will cause the error:
$ gpg --no-default-keyring \
    --keyring /usr/share/debsig/keyrings/DDDF2F4CE732A79A/debsig.gpg \
    --import <public key>
This will work:
$ cp <public key> /usr/share/debsig/keyrings/DDDF2F4CE732A79A/debsig.gpg
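The two answers above name three conditions that debsig-verify silently depends on: the key file under /usr/share/debsig/keyrings/<keyid>/ must be a single binary (non-armored) public key, it must be copied there rather than imported, and the policy must use the https namespace. The script below is an added example, not code from the question or either answer: it dearmors a key into that path when needed, checks that the result starts with an OpenPGP public-key packet header (which is what "not ASCII-armoured" amounts to on disk), and checks the policy namespace. The key id is a placeholder argument; the sample files are constructed and hold only the leading bytes the checks look at.

```shell
#!/bin/sh
# Added example, not from the question or answers above: install a signer's
# public key the way the answers describe and check the two things that made
# debsig-verify fail (an armored key file, an http policy namespace).

# Return 0 if $1 starts with an OpenPGP public-key packet header:
# old format 0x98/0x99/0x9a (tag 6 with 1/2/4-byte length) or new format 0xC6.
# An armored file starts with "-----" (0x2d) and fails this test.
is_binary_pubkey() {
    first=$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')
    case $first in
        98|99|9a|c6) return 0 ;;
        *)           return 1 ;;
    esac
}

# Put public key $2 (armored or binary) in place for key id $1 by copying or
# dearmoring into the file, never by `gpg --import`, then verify the result.
install_debsig_key() {
    keyid=$1; src=$2
    dest=/usr/share/debsig/keyrings/$keyid/debsig.gpg
    mkdir -p "$(dirname "$dest")"
    if is_binary_pubkey "$src"; then
        cp "$src" "$dest"
    else
        gpg --batch --yes --output "$dest" --dearmor "$src"
    fi
    is_binary_pubkey "$dest" \
        || { echo "$dest is not a binary OpenPGP public key" >&2; return 1; }
}

# Return 0 if policy file $1 declares the https namespace the answer calls for.
policy_namespace_ok() {
    grep -q 'xmlns="https://www.debian.org/debsig/1.0/"' "$1"
}

# Run both checks for key id $1 against the paths debsig-verify uses.
check_debsig_setup() {
    keyid=$1
    is_binary_pubkey "/usr/share/debsig/keyrings/$keyid/debsig.gpg" \
        || { echo "keyring file for $keyid missing or armored" >&2; return 1; }
    for pol in /etc/debsig/policies/"$keyid"/*.pol; do
        policy_namespace_ok "$pol" \
            || { echo "$pol does not use the https namespace" >&2; return 1; }
    done
}

# Constructed samples written into directory $1: leading bytes only.
write_samples() {
    printf '\231\001\015' > "$1/binary.gpg"                          # old-format tag-6 header, 0x99 0x01 0x0d
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' > "$1/armored.asc"
    printf '%s\n' '<Policy xmlns="http://www.debian.org/debsig/1.0/">'  > "$1/bad.pol"
    printf '%s\n' '<Policy xmlns="https://www.debian.org/debsig/1.0/">' > "$1/good.pol"
}

# Usage (KEYID is a placeholder for the 16-hex-digit origin key id):
#   install_debsig_key KEYID signer-public-key.asc && check_debsig_setup KEYID
```

The packet-header test is deliberately narrow: a file that passes it is binary OpenPGP data beginning with a public key, which is the one shape debsig-verify's getKeyID subprocess reads without the "no valid OpenPGP data found" error shown in the question.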

APNS: CSR generated from Windows is invalid

I'm trying to enable push notifications in my app. The problem is that I can't generate the certificate, because whenever I upload my CSR (generated on Windows) I get the following error:
Invalid CSR Select a valid Certificate Signing Request.
The CSR was generated using the following specs:
Key size: 2048 bit
Algorithm: RSA
I did the same process last year and I was able to generate the certificate, but now all I get is the error above... did Apple change anything about the CSR, or am I missing something?
Found it.
The CSR's first and last lines were:
-----BEGIN NEW CERTIFICATE REQUEST-----
.
.
.
-----END NEW CERTIFICATE REQUEST-----
I had to remove the word NEW and it worked; I was able to generate the .cer file.
