How to sign with gradle and gpg2 - gradle

The gradle signing plugin requires secring.gpg keyring file, according to the documentation: https://docs.gradle.org/current/userguide/signing_plugin.html
But since gpg version 2.1 the secring.gpg does not exist anymore.
https://www.gnupg.org/faq/whats-new-in-2.1.html
Is there a possibility to use the signing plugin of gradle with gpg >= 2.1?

I just encountered the same issue and solved it by manually creating a secring.gpg file by executing the following terminal command:
gpg --keyring secring.gpg --export-secret-key XXXXXXXX > secring.gpg
You have to replace XXXXXXXX with the ID of the key you want to use. You can list all available keys by using the command gpg --list-key.
Edit: I forgot to mention that I am using Linux.

I also faced the same issue, which I couldn't solve with gpg --export-secret-key; it printed this:
gpg: WARNING: nothing exported
Actually my gpg's version was 1.4.xx (with gpg --version) and there was another: gpg2.
So try this:
gpg2 --export-secret-key XXXXXXXX > secring.gpg

For people reaching this issue in 2017+, starting with Gradle 4.5, using GnuPG 2 (and gpg-agent) is fully supported. From the signing plugin documentation:
signing {
useGpgCmd()
sign configurations.archives
}
In addition, at least signing.gnupg.keyName has to be defined (most likely in ~/.gradle/gradle.properties).
Please note that the properties that define the key (signing.gnupg.keyName), key store (signing.gnupg.homeDir), passphrase (signing.gnupg.passphrase), etc. differ from those used in previous Gradle versions (they are in signing.gnupg.*, not just signing.*).


Stop gpg from asking for the key everytime I commit

Essentially what I want is to not have to type in the password every single time I commit in git.
When looking for a solution i found this.
So it's telling me to set default-cache-ttl and max-cache-ttl in the config file. But that file doesn't seem to be in C:\users\<name>\.gnupg in my installation. (I'm running Windows 10, GPG version 2.2.23 according to gpg --version)
I next found this post which suggests that it will be in %appdata%\gnupg, but the file is not there. I tried to add this file with the following contents:
default-cache-ttl 2592000
max-cache-ttl 2592000
when I restart gpg with the following commands
gpgconf.exe --reload gpg-agent
gpgconf.exe --list-options gpg-agent
it outputs this:
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:12:0:verbose:0:0::::
quiet:8:0:be somewhat more quiet:0:0::::
Configuration:1:0:Options controlling the configuration:0:0::::
disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
enable-ssh-support:0:0:enable ssh support:0:0::::
ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
enable-putty-support:0:0:enable putty support:0:0::::
Debug:1:1:Options useful for debugging:0:0::::
debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
log-file:8:1:write server mode logs to FILE:32:1:FILE:::
Security:1:0:Options controlling the security:0:0::::
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::2592000
default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::2592000
max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
allow-emacs-pinentry:8:1:allow passphrase to be prompted through Emacs:0:0::::
grab:8:2::0:0::::
no-allow-external-cache:8:0:disallow the use of an external password cache:0:0::::
no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
no-allow-loopback-pinentry:8:2:disallow caller to override the pinentry:0:0::::
Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
enforce-passphrase-constraints:8:2:do not allow bypassing the passphrase policy:0:0::::
min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
check-passphrase-pattern:24:2:check new passphrases against pattern in FILE:32:1:FILE:::
max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
which seems to suggest that this is working, even though it's not. What am I missing here?
I had a similar issue and found this answer helpful.
Turns out I had two versions of gpg installed. One installed with Git and another one installed manually. I was configuring the manual one, but git was using a different one.
The big gotcha, though, is that Git also installs its own version of GnuPG (gpg.exe), and uses it by default. The version that comes with Git uses %USERPROFILE%\.gnupg. On modern versions of Windows, this would be C:\Users\%USERNAME%\.gnupg.
https://superuser.com/questions/1068980/where-is-my-gpgconf-file-on-windows
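The `gpgconf --list-options gpg-agent` output in the question is colon-separated, and the field that actually answers "is my gpg-agent.conf being read?" is the last one: the value gpg-agent currently has from its config file, as opposed to the built-in default in field 8. The helper below (an added example, not code from either post) parses a captured copy of that output and reports both values for the two cache options; an empty last field means the file you edited is not the one this gpg-agent reads, which is the two-installations problem described in the answer. The sample text is copied from the question's output; the field layout follows the gpgconf documentation.

```shell
#!/bin/sh
# Added example: parse `gpgconf --list-options gpg-agent` output and show,
# for the PIN-cache options, the built-in default versus the value read from
# gpg-agent.conf. An empty configured value means the option in the file you
# edited is NOT being picked up (wrong homedir, or a different gpg.exe than
# the one git invokes).
#
# gpgconf --list-options field layout (colon separated):
#  1 name  2 flags  3 level  4 description  5 type  6 alt-type
#  7 argname  8 default  9 argdef  10 value currently set in the config file

# Print "<option> default=<n> configured=<value or note>" for each cache option.
report_cache_ttl() {
    # $1: text of gpgconf output, e.g. "$(gpgconf --list-options gpg-agent)"
    printf '%s\n' "$1" | awk -F: '
        $1 == "default-cache-ttl" || $1 == "max-cache-ttl" {
            val = ($10 == "") ? "(default, not set in gpg-agent.conf)" : $10
            printf "%s default=%s configured=%s\n", $1, $8, val
        }'
}

# Return 0 only if both cache options carry an explicit configured value.
cache_ttl_configured() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "default-cache-ttl" && $10 != "" { d = 1 }
        $1 == "max-cache-ttl"     && $10 != "" { m = 1 }
        END { exit (d && m) ? 0 : 1 }'
}

# Sample input: three lines taken from the gpgconf output in the question.
SAMPLE='Security:1:0:Options controlling the security:0:0::::
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::2592000
max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::2592000'

report_cache_ttl "$SAMPLE"
# On a real Windows box, run the same check against the live agent and then
# compare which gpg git actually calls with the one you configured:
#   report_cache_ttl "$(gpgconf --list-options gpg-agent)"
#   git config --get gpg.program     # empty means git runs the first gpg on PATH
#   gpgconf --list-dirs homedir      # home directory of the gpgconf you just ran
```

If the first command shows the values you set but git still prompts every commit, the two paths from the last two commands point at different installations, and the fix is either `git config --global gpg.program <path to the gpg you configured>` or putting gpg-agent.conf in the other installation's home directory.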

windows - Why firefox only trust certificate which certutil install?

I recently researched certificates in Windows.
I tried two different ways to install a certificate:
1. Use certutil command to install. ex: certutil -addstore -f "ROOT" rootCA.pem
2. Use Microsoft api to install.
certStore = CertOpenSystemStore(NULL, "ROOT")
CertAddEncodedCertificateToStore(
certStore,
X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
rootCACert,
len(rootCACert),
CERT_STORE_ADD_REPLACE_EXISTING,
NULL
)
After installing, I used certmgr.msc to check that it succeeded.
And Firefox's security.enterprise_roots.enabled is set to true.
But I found a strange situation.
Firefox only trusts the certificate which certutil installed.
Can somebody tell me why?
Thanks in advance!
According to the Mozilla Wiki there are differences in Versions:
As of version 49, ... Firefox will inspect the HKLM\SOFTWARE\Microsoft\SystemCertificates registry location (corresponding to the API flag CERT_SYSTEM_STORE_LOCAL_MACHINE)
and
As of version 52, Firefox will also search the registry locations HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates (corresponding to the API flags CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, respectively).
So it would be nice to know what version you use.
To answer your question: as the flags of the stores searched are named in the wiki, it seems you are using the wrong store in your API solution. Have a look at the function CertOpenStore instead of CertOpenSystemStore. It allows you to pass e.g. CERT_SYSTEM_STORE_LOCAL_MACHINE as dwFlags to open the store Mozilla searches.

Verify TortoiseGit-2.8.0.0-64bit.msi with gpg2

I want to download and verify TortoiseGit-2.8.0.0-64bit.msi
I use gnupg2 (in Cygwin)
The TortoiseGit download page provides these files:
TortoiseGit-2.8.0.0-64bit.msi
TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
I did the below to verify a download (but got: No public key):
$ gpg2 --auto-key-locate keyserver --keyserver-options auto-key-retrieve --verify TortoiseGit-2.8.0.0-64bit.msi.rsa.asc TortoiseGit-2.8.0.0-64bit.msi
gpg: Signature made Thu, Feb 28, 2019 4:34:13 PM EST
gpg: using RSA key 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E
gpg: requesting key F7F17B3F9DD9539E from hkp server keys.gnupg.net
gpg: Can't check signature: No public key
Since I don't have a .sig I tried and got:
$ gpg2 --import TortoiseGit-2.8.0.0-64bit.msi.rsa.asc
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
I can't understand how then to properly verify this download -- if anyone can show the correct method it would be greatly appreciated!
Thank you!
The key is available here: https://download.tortoisegit.org/keys.
As the MSI files are also signed using Authenticode, there is no real need for the GPG signatures for end users. The GPG signatures are used by the auto-updater in order to verify the integrity of the update packages (despite the fact that those are also downloaded using HTTPS).
If you need another trust root, you can call TortoiseGitProc.exe /command:pgpfp in order to display the GPG fingerprint.
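Once the key from the keys page is imported, `--verify` will report "Good signature", but that only proves that some key in your keyring signed the file. To make the check worth anything, the fingerprint gpg reports must be compared against one obtained out of band, such as the value `TortoiseGitProc.exe /command:pgpfp` displays. The script below is an added example, not code from the question, the answer or the TortoiseGit project: it reads gpg's machine-readable `--status-fd` lines and accepts the signature only when the `VALIDSIG` fingerprint equals the pinned one. The status samples are constructed for the example; the fingerprint is the one gpg printed in the question, and the user ID in the sample is made up.

```shell
#!/bin/sh
# Added example: verify a detached OpenPGP signature and accept it only if the
# signing key's fingerprint matches a fingerprint you pinned in advance.
#
# With --status-fd gpg emits lines such as (spec: doc/DETAILS in GnuPG):
#   [GNUPG:] VALIDSIG <fpr> <date> <ts> <expire> <ver> <res> <pk-algo> <hash> <class> <primary-fpr>
# Field 3 is the fingerprint of the (sub)key that signed; the last field is
# the primary key's fingerprint. No VALIDSIG line means no valid signature
# (missing key, bad signature, corrupt data).

# Print the VALIDSIG fingerprint from captured status output; return 1 if absent.
validsig_fingerprint() {
    # $1: status-fd output
    printf '%s\n' "$1" | awk '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }'
}

# Return 0 only for a VALIDSIG whose signing or primary fingerprint equals the
# pinned one. Spaces and case in the pinned value are normalised first.
signature_matches_pin() {
    # $1: status-fd output, $2: pinned 40-hex-digit fingerprint
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    printf '%s\n' "$1" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Live use: $1 file, $2 detached signature, $3 pinned fingerprint.
# gpg must exit 0 AND the fingerprint must match.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    signature_matches_pin "$status" "$3"
}

# Constructed sample: what a successful verification looks like after the key
# has been imported (timestamps and user ID are invented for the example).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E 0
[GNUPG:] GOODSIG F7F17B3F9DD9539E Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E 2019-02-28 1551389653 0 4 0 1 8 00 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample: the "No public key" situation from the question.
SAMPLE_NOKEY='[GNUPG:] NEWSIG
[GNUPG:] ERRSIG F7F17B3F9DD9539E 1 8 00 1551389653 9 74A21AE301B3CA5BD8072F5EF7F17B3F9DD9539E
[GNUPG:] NO_PUBKEY F7F17B3F9DD9539E'

PINNED='74A2 1AE3 01B3 CA5B D807 2F5E F7F1 7B3F 9DD9 539E'
if signature_matches_pin "$SAMPLE_GOOD" "$PINNED"; then
    echo "sample: signature from pinned key $(validsig_fingerprint "$SAMPLE_GOOD")"
fi
signature_matches_pin "$SAMPLE_NOKEY" "$PINNED" || echo "sample: not verifiable (key missing), as in the question"

# Real session (needs the keys file from https://download.tortoisegit.org/keys):
#   gpg --import <downloaded keys file>
#   verify_pinned TortoiseGit-2.8.0.0-64bit.msi TortoiseGit-2.8.0.0-64bit.msi.rsa.asc "$PINNED"
```

`--status-fd 1` keeps the parseable lines on stdout while human-readable diagnostics stay on stderr, so the parser never has to match localised strings such as "Good signature". Checking `$NF` as well as `$3` lets the pin be either the primary key's fingerprint or that of a signing subkey.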

Gradle uploadArchives task unable to read secret key

I have created a gradle project and everything builds fine, but when I try to upload to my Maven repository, I get the following Gradle error:
FAILURE: Build failed with an exception.
* What went wrong:
Could not evaluate onlyIf predicate for task ':library:signArchives'.
> Unable to read secret key from file: C:\Users\ideal\pubring.gpg (it may not be a PGP secret key ring)
I followed the instructions at Sonatype to generate the key, then copied it from its generated location to the location listed above. I have also published the public key to MITs key repository. The gradle.properties file in my user directory contains the following entries related to the keychain:
signing.keyId=MY_KEY_ID
signing.password=MY_KEY_PASSWORD
signing.secretKeyRingFile=C:\\Users\\ideal\\pubring.gpg
This is on a Windows platform. I have tried searching for the error message but the only thing which comes up is the source files for the related plugins.
The secring.gpg file has been removed in GPG 2.1.
However, GPG still can create such a file: gpg --export-secret-keys -o secring.gpg
Pro Tip: If Gradle's signing plugin complains that your key in signing.keyId=MY_KEY_ID is too long, you're certainly using the 40-character fingerprint but are asked for the 8-character ID. You've got three options then:
You can configure GPG to show the 8 char ID instead of the fingerprint by setting the keyid-format option.
a) Either explicitly define this option on CLI: gpg --list-keys --keyid-format short (Thanks tjheslin1!)
b) Or activate this option implicitly through the options file (default location is ~/.gnupg/gpg.conf).
Try the last 8 digits of your 40 chars fingerprint. This is for the lazy developer ;-)
The problem is that you are using the public key, switch to the secret key, normally named "secring.gpg".
So in your case it should be placed in
C:\Users\ideal\secring.gpg
The "secring.gpg" file may not be needed in GPG 2.1 and later versions, and can be generated with commands:
"gpg --export-secret-keys -o \dir\secring.gpg"
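The two mistakes discussed in this question and in the first question on this page (a `signing.secretKeyRingFile` that points at the public keyring, and a `signing.keyId` that holds the 40-character fingerprint instead of the 8-character short ID) can both be caught before Gradle runs. The script below is an added example, not code from the answers or from Gradle: it reads a gradle.properties file, derives the short ID from whatever length of key ID is present (the short ID is the last 8 hex digits of the long ID and of the fingerprint), and flags a public keyring. The property names are the real ones used on this page; the sample file, key ID and paths are constructed.

```shell
#!/bin/sh
# Added example: sanity-check signing.* entries in a gradle.properties file
# before running signArchives. Catches:
#  - signing.secretKeyRingFile pointing at pubring.gpg / pubring.kbx (public keys only);
#  - signing.keyId holding a 16- or 40-char ID where the plugin wants the 8-char short ID.
# For GnuPG >= 2.1 either export the legacy keyring explicitly
# (gpg --export-secret-keys -o secring.gpg) or use useGpgCmd() with
# signing.gnupg.keyName, which needs no keyring file at all.

# Read one key from a Java-style properties file (first match wins; '#' and
# '!' comment lines are skipped; the value is only trimmed, not unescaped).
prop() {
    # $1: file, $2: key
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); sub(/^[ \t]+/, "", v)
                print v; exit
            }
        }' "$1"
}

# Print the 8-char short key ID for an 8-, 16- or 40-hex-digit key ID or
# fingerprint (spaces and a 0x prefix are tolerated); return 1 otherwise.
short_key_id() {
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case $id in ''|*[!0-9A-F]*) return 1 ;; esac
    case ${#id} in
        8|16|40) printf '%s\n' "${id#"${id%????????}"}" ;;
        *) return 1 ;;
    esac
}

# Report findings for one properties file; return 0 if nothing is wrong.
check_signing_props() {
    file=$1; rc=0
    key_id=$(prop "$file" signing.keyId)
    ring=$(prop "$file" signing.secretKeyRingFile)
    gnupg_key=$(prop "$file" signing.gnupg.keyName)

    [ -n "$gnupg_key" ] && echo "ok: signing.gnupg.keyName set; pair it with signing { useGpgCmd() } (Gradle >= 4.5)"
    if [ -n "$key_id" ]; then
        if ! sid=$(short_key_id "$key_id"); then
            echo "error: signing.keyId='$key_id' is not an 8/16/40 hex digit key ID"; rc=1
        elif [ "$(printf '%s' "$key_id" | tr 'a-f' 'A-F')" != "$sid" ]; then
            echo "error: signing.keyId must be the 8-char short ID; use signing.keyId=$sid"; rc=1
        fi
    fi
    case $ring in
        *pubring.gpg|*pubring.kbx)
            echo "error: signing.secretKeyRingFile='$ring' is a public keyring; run: gpg --export-secret-keys -o secring.gpg"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample mirroring the question's gradle.properties (made-up key ID).
SAMPLE_PROPS=$(mktemp)
cat > "$SAMPLE_PROPS" <<'EOF'
# constructed sample
signing.keyId=0123456789ABCDEF0123456789ABCDEF01234567
signing.password=MY_KEY_PASSWORD
signing.secretKeyRingFile=C:\\Users\\ideal\\pubring.gpg
EOF

check_signing_props "$SAMPLE_PROPS" || echo "fix the findings above before running signArchives"
```

Run it as `check_signing_props ~/.gradle/gradle.properties`; on the sample it reports both errors and suggests `signing.keyId=01234567`. Deriving the short ID by truncation matches what `gpg --list-keys --keyid-format short` prints, so the two methods in the answer agree.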

Windows 8 driver install and catalog/signature validation

I can't get Windows 8 (release preview) to accept either the inf2cat or makecat approach described as solutions to the question at
What changed in the driver signature requirements for Windows 8?
unless I disable validation.
I am not signing these with any certificates at this point, just trying to get past the errors preventing the drivers from installing at all.
Windows 8 gives me a very nondescript error:
"A problem was encountered while attempting to add the driver to the store."
Looking in the event logs, there is nothing of use; only an informational entry from "Windows Error Reporting" indicating a PnPdriverimporterror.
When I use my original files with the cab files that don't match the inf, I get the error everyone else is listing:
The hash for the file is not present in the specified catalog file.
I have one .inf file that I need to generate a .cat for.
Perhaps I am doing something wrong. Ideas??
INF2CAT Approach
c:\win_xp_vista32_64>inf2cat /driver:"." /os:XP_X86,XP_x64,Vista_X86,Vista_x64,7_X86,7_X64,8_X86,8_X64
.......................
Signability test complete.
Errors:
None
Warnings:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
22.9.10: %driverfilename%.sys in [drivercopyfiles.ntamd64] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
Catalog generation complete.
c:\win_xp_vista32_64\mchpcdc.cat
MAKECAT approach
--- start of catalog.cdf file---
[CatalogHeader]
Name=mchpcdc.cat
ResultDir=.\
[CatalogFiles]
<hash>mchpcdc=.\mchpcdc.inf
---end of .cdf file ---
c:\win_xp_vista32_64>makecat catalog.cdf
These same files, w/ the cat from either approach install just fine in Windows 7.
I think this problem has to do with "windows driver signing enforcement". You can resolve this by disabling this option. Go through the link below:
http://tivadj-tech.blogspot.in/2012/09/certificate-check-error-when-installing.html
I just tested this on Windows 10 and 8 PRO now, to get this right, follow these steps:
1) From your Start menu, locate your DDK's "x64 Checked Build Environment" i.e. the custom DOS build screen. Right-click, run-as administrator...
2) Compile your source with the Build tools etc.
3) Go into your compiled code, and then create your test-certificate (you don't need to purchase one just yet, use your self-signed one created with the line below):
makecert -r -pe -ss PrivateCertStore -n CN=newhex.com(Test) NewhexTest.cer
The above means your certificate is called "newhex.com(Test)" and the generated file is "NewhexTest.cer"
4) Create / Edit your .CDF file, which describes your CAT file's contents.
5) Create your CAT file by executing:
makecat -v MyCDF.CDF
This should generate an un-signed CAT file that includes all files specified by your CDF.
6) Sign your CAT file as follows:
Signtool sign /v /s PrivateCertStore /n newhex.com(test) /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriverWhatever.cat
This should result in a CAT file that is signed, but don't just install it, because your Windows can't trust Newhex's cert since it's not in the keystore, to fix this do:
7) Add your certificate to your private Key Store; remember this step MUST be done with administrator access, otherwise you will get an error (Keystore not found etc):
certmgr.exe -add NewhexTest.cer -s -r localMachine root
This should add into your keystore, Once done, you can then:
8) Go into your device manager, and add your new driver, you would get a warning but will be accepted and installed without the need to reboot with a forced (Don't check cert type account).
I tried this already and it works on Windows 10 and Windows 8 pro versions.
Kind Regards
Heider Sati
You are supposed to use inf2cat, not makecat, because you have an INF file.
You should work on addressing those warnings from inf2cat by fixing your INF file. Here is my INF file that uses usbser.sys and doesn't cause any warnings: https://gist.github.com/3647208
I was able to fix my INF file thanks to the advice from chinzei in the first post of this thread: http://www.microchip.com/forums/m488342-print.aspx
If you continue to have trouble, please edit your question to include the source of your INF file, or at least a link to the source.
I encountered the same problem and was able to install my driver with a TEST certificate using the instructions provided here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx
