Gradle uploadArchives task unable to read secret key - gradle

I have created a gradle project and everything builds fine, but when I try to upload to my Maven repository, I get the following Gradle error:
FAILURE: Build failed with an exception.
* What went wrong:
Could not evaluate onlyIf predicate for task ':library:signArchives'.
> Unable to read secret key from file: C:\Users\ideal\pubring.gpg (it may not be a PGP secret key ring)
I followed the instructions at Sonatype to generate the key, then copied it from its generated location to the location listed above. I have also published the public key to MIT's key repository. The gradle.properties file in my user directory contains the following entries related to the keychain:
signing.keyId=MY_KEY_ID
signing.password=MY_KEY_PASSWORD
signing.secretKeyRingFile=C:\\Users\\ideal\\pubring.gpg
This is on a Windows platform. I have tried searching for the error message but the only thing which comes up is the source files for the related plugins.

The secring.gpg file has been removed in GPG 2.1.
However, GPG still can create such a file: gpg --export-secret-keys -o secring.gpg
Pro Tip: If Gradle's signing plugin complains that your key in signing.keyId=MY_KEY_ID is too long, you're certainly using the 40 characters fingerprint but are asked for the 8 char ID. You've got three options then:
You can configure GPG to show the 8 char ID instead of the fingerprint by setting the keyid-format option.
a) Either explicitly define this option on CLI: gpg --list-keys --keyid-format short (Thanks tjheslin1!)
b) Or activate this option implicitly through the options file (default location is ~/.gnupg/gpg.conf).
Try the last 8 digits of your 40 chars fingerprint. This is for the lazy developer ;-)

The problem is that you are using the public key; switch to the secret key, normally named "secring.gpg".
So in your case it should be placed in
C:\Users\ideal\secring.gpg

The "secring.gpg" file may not be needed in GPG 2.1 and later versions, and can be generated with commands:
"gpg --export-secret-keys -o \dir\secring.gpg"
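A way to check both failure modes from this thread before running the build, as an added example that is not part of any of the posts above: it classifies a key file by its first OpenPGP packet tag (RFC 4880: tag 5 is a secret key, tag 6 a public key) and reduces a fingerprint to the 8-character ID. The function names and the sample bytes are assumptions made for the illustration.

```python
import re

# OpenPGP packet tags that can open a keyring (RFC 4880, section 4.3)
TAGS = {5: "secret-key", 6: "public-key", 7: "secret-subkey", 14: "public-subkey"}

def keyring_kind(data: bytes) -> str:
    """Classify a key file by its armor header or first packet tag."""
    if data.startswith(b"-----BEGIN PGP "):
        header = data.split(b"\n", 1)[0]
        if b"PRIVATE KEY BLOCK" in header:
            return "secret-key"
        return "public-key" if b"PUBLIC KEY BLOCK" in header else "unknown"
    if not data or not (data[0] & 0x80):
        return "not-openpgp"          # bit 7 is set in every packet header
    first = data[0]
    # New-format headers keep the tag in bits 5-0, old-format in bits 5-2
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return TAGS.get(tag, "unknown")

def short_key_id(value: str) -> str:
    """Reduce a 16-char long ID or 40-char fingerprint to the 8-char ID."""
    v = value.replace(" ", "").upper()
    if v.startswith("0X"):
        v = v[2:]
    if len(v) not in (8, 16, 40) or not re.fullmatch(r"[0-9A-F]+", v):
        raise ValueError("not a key ID or fingerprint: %r" % value)
    return v[-8:]

def check_signing(props: dict, keyring: bytes) -> list:
    """Return the problems found in signing.* settings (empty list = OK)."""
    problems = []
    key_id = props.get("signing.keyId", "")
    try:
        if short_key_id(key_id) != key_id.upper():
            problems.append("signing.keyId should be " + short_key_id(key_id))
    except ValueError as exc:
        problems.append(str(exc))
    kind = keyring_kind(keyring)
    if kind != "secret-key":
        problems.append("signing.secretKeyRingFile holds %s data" % kind)
    return problems

# Constructed sample data: only the leading header bytes matter here
PUBRING = bytes([0x99, 0x01, 0x0D, 0x04]) + bytes(8)   # old-format tag 6
SECRING = bytes([0x95, 0x03, 0xBE, 0x04]) + bytes(8)   # old-format tag 5
FPR = "0123456789ABCDEF0123456789ABCDEF89ABCDEF"        # made-up fingerprint

if __name__ == "__main__":
    print(check_signing({"signing.keyId": FPR}, PUBRING))
    print(check_signing({"signing.keyId": "89ABCDEF"}, SECRING))
```

In real use, pass the bytes read from the file named in signing.secretKeyRingFile instead of the constructed samples.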

Related

Stop gpg from asking for the key every time I commit

Essentially what I want is to not have to type in the password every single time I commit in git.
When looking for a solution I found this.
So it's telling me to set default-cache-ttl and max-cache-ttl in the config file. But that file doesn't seem to be in C:\users\<name>\.gnupg in my installation. (I'm running Windows 10, GPG version 2.2.23 according to gpg --version)
I next found this post which suggests that it will be in %appdata%\gnupg, but the file is not there. I tried to add this file with the following contents:
default-cache-ttl 2592000
max-cache-ttl 2592000
When I restart gpg with the following commands
gpgconf.exe --reload gpg-agent
gpgconf.exe --list-options gpg-agent
it outputs this:
Monitor:1:0:Options controlling the diagnostic output:0:0::::
verbose:12:0:verbose:0:0::::
quiet:8:0:be somewhat more quiet:0:0::::
Configuration:1:0:Options controlling the configuration:0:0::::
disable-scdaemon:8:1:do not use the SCdaemon:0:0::::
enable-ssh-support:0:0:enable ssh support:0:0::::
ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
enable-putty-support:0:0:enable putty support:0:0::::
Debug:1:1:Options useful for debugging:0:0::::
debug-level:26:1:set the debugging level to LEVEL:1:1:LEVEL:"none::
log-file:8:1:write server mode logs to FILE:32:1:FILE:::
Security:1:0:Options controlling the security:0:0::::
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::2592000
default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::2592000
max-cache-ttl-ssh:24:2:set maximum SSH key lifetime to N seconds:3:3:N:7200::
ignore-cache-for-signing:8:0:do not use the PIN cache when signing:0:0::::
allow-emacs-pinentry:8:1:allow passphrase to be prompted through Emacs:0:0::::
grab:8:2::0:0::::
no-allow-external-cache:8:0:disallow the use of an external password cache:0:0::::
no-allow-mark-trusted:8:1:disallow clients to mark keys as "trusted":0:0::::
no-allow-loopback-pinentry:8:2:disallow caller to override the pinentry:0:0::::
Passphrase policy:1:1:Options enforcing a passphrase policy:0:0::::
enforce-passphrase-constraints:8:2:do not allow bypassing the passphrase policy:0:0::::
min-passphrase-len:24:1:set minimal required length for new passphrases to N:3:3:N:8::
min-passphrase-nonalpha:24:2:require at least N non-alpha characters for a new passphrase:3:3:N:1::
check-passphrase-pattern:24:2:check new passphrases against pattern in FILE:32:1:FILE:::
max-passphrase-days:24:2:expire the passphrase after N days:3:3:N:0::
enable-passphrase-history:8:2:do not allow the reuse of old passphrases:0:0::::
pinentry-timeout:24:1:set the Pinentry timeout to N seconds:3:3:N:0::
which seems to suggest that this is working, even though it's not. What am I missing here?
I had a similar issue and found this answer helpful.
Turns out I had two versions of gpg installed. One installed with Git and another one installed manually. I was configuring the manual one, but git was using a different one.
The big gotcha, though, is that Git also installs its own version of GnuPG (gpg.exe), and uses it by default. The version that comes with Git uses %USERPROFILE%\.gnupg. On modern versions of Windows, this would be C:\Users\%USERNAME%\.gnupg.
https://superuser.com/questions/1068980/where-is-my-gpgconf-file-on-windows
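To see which gpg-agent actually read the cache settings, the colon-separated output quoted in the question can be parsed and compared per installation. This is an added example, not part of either post; the field order and the group flag follow the gpgconf documentation, and the function names are assumptions.

```python
# Fields of one `gpgconf --list-options` line, per the gpgconf documentation
FIELDS = ("name", "flags", "level", "description", "type",
          "alt_type", "argname", "default", "argdef", "value")
GROUP_FLAG = 1  # flag bit that marks a group header line, not an option

# Lines copied from the gpgconf output quoted in the question above
SAMPLE = '''Security:1:0:Options controlling the security:0:0::::
default-cache-ttl:24:0:expire cached PINs after N seconds:3:3:N:600::2592000
default-cache-ttl-ssh:24:1:expire SSH keys after N seconds:3:3:N:1800::
max-cache-ttl:24:2:set maximum PIN cache lifetime to N seconds:3:3:N:7200::2592000
ssh-fingerprint-digest:24:2:use ALGO to show ssh fingerprints:1:1:ALGO:"md5::
'''

def parse_options(output: str) -> dict:
    """Map option name -> field record, skipping group headers."""
    options = {}
    for line in output.splitlines():
        parts = line.strip().split(":")
        if len(parts) != len(FIELDS) or not parts[1].isdigit():
            continue                      # not a gpgconf option line
        rec = dict(zip(FIELDS, parts))
        if int(rec["flags"]) & GROUP_FLAG:
            continue
        for key in ("default", "value"):  # string values start with a quote
            rec[key] = rec[key].lstrip('"')
        options[rec["name"]] = rec
    return options

def overridden(options: dict) -> dict:
    """Options this agent read from its config: name -> (default, value)."""
    return {name: (rec["default"], rec["value"])
            for name, rec in options.items()
            if rec["value"] and rec["value"] != rec["default"]}

def effective_seconds(options: dict, name: str) -> int:
    """Configured value if present, otherwise the built-in default."""
    rec = options[name]
    return int(rec["value"] or rec["default"])

if __name__ == "__main__":
    opts = parse_options(SAMPLE)
    for name, (default, value) in overridden(opts).items():
        print("%s: default %s, configured %s" % (name, default, value))
```

Feed it the output of each gpgconf.exe on the machine (the one bundled with Git and the one installed manually): the installation that reports no configured value for default-cache-ttl is the one that did not read the file.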

Replace Source Files When Compiling CentOS Kernel with RPM

I am trying to modify one of the CentOS (7.6) kernel source files and recompile all of them for later installation.
I followed the guide on wiki.centos to build a customized kernel:
https://wiki.centos.org/HowTos/Custom_Kernel
I found that in step 5, the RPM method always unpacked source files from tar files and replaced my modification in BUILD/.
Therefore, I changed my approach. I put my modification in another place and added a line to the kernel.spec file under SPECS/ to copy my file into BUILD/. Namely, a one-line cp command is placed before %build in kernel.spec (after unpacking). However, the compilation went wrong in the %build section:
...
Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.Vd6by5
BUILDING A KERNEL FOR x86_64...
USING ARCH=x86_64
...
###
### Now generating an X.509 key pair to be used for signing modules.
###
### If this takes a long time, you might wish to run rngd in the
### background to keep the supply of entropy topped up. It
### needs to be run as root, and uses a hardware random
### number generator if one is available.
###
Generating a 3072 bit RSA private key
....++
......................................................................................................................................................................................++
writing new private key to 'signing_key.priv'
-----
###
### Key pair generated.
###
- Including cert /home/user/rpmbuild/BUILD/kernel-3.10.0-957.12.2.el7/linux-3.10.0-957.12.2.el7.v2.x86_64/centos-kpatch.x509
- Including cert /home/user/rpmbuild/BUILD/kernel-3.10.0-957.12.2.el7/linux-3.10.0-957.12.2.el7.v2.x86_64/centos-ldup.x509
- Including cert signing_key.x509
RPM build errors:
Could somebody suggest a better way to replace the source file in the compilation procedure?
Thanks.
I found the solution myself. Instead of directly replacing files, we should apply a patch within RPM to indicate the differences between the modified file and the original file.
Firstly, use the diff command to build a patch. Then, modify the spec file, kernel.spec, to apply the patch during the build procedure.
This website shows an example of compiling the kernel this way:
https://www.hiroom2.com/2016/05/29/centos-7-rebuild-kernel-with-src-rpm/
A clearer reference for patching files:
https://rpm-packaging-guide.github.io/#patching-software

Having problems getting electron builder to sign a mac build

I don't know why electron-builder cannot find a valid identity.
Using the environment variable to debug, I always end up with the same problem where it says there is no valid identity despite listing there to be 1 valid identity underneath.
I have tried specifying the cert name as the "identity" property of the top level key "mac" in package.json and leaving it out.
I have tried specifying the keychain (CSC_KEYCHAIN) to login.
I have tried adding the "Developer ID Application: ****" cert to login, System, and custom keychains (I don't know why electron builder keeps making extra keychains called "1").
I have tried adding an "Apple Root CA" to all those keychains from the previous line.
I have tried specifying and omitting CSC_NAME, CSC_LINK + CSC_KEY_PASSWORD.
I have tried CSC_IDENTITY_AUTO_DISCOVERY as false.
Running the command line from this page appears to work (as running spctl -a -t exec -vv 'Appname.dmg' gives back "source=Unnotarized Developer ID" ), but I would like to follow the automatic notarization process suggested here which is based off of electron-builder #3870
When I specify the identity in package.json, the closest I get is a message saying
Identity name is specified, but no valid identity with this name in the keychain identity=***** allIdentities=
1) BBBBBBBBB "Developer ID Application: ***** (XXXXX)"
1 identities found
Valid identities only
1) BBBBBBBBBB "Developer ID Application: ***** (XXXXX)" <---lists the exact one above
1 valid identities found
at/........
When I run security find-identity -v, or security find-identity -v -p codesigning, the exact same cert appears again.
Have I missed anything?

How to sign with gradle and gpg2

The gradle signing plugin requires secring.gpg keyring file, according to the documentation: https://docs.gradle.org/current/userguide/signing_plugin.html
But since gpg version 2.1 the secring.gpg does not exist anymore.
https://www.gnupg.org/faq/whats-new-in-2.1.html
Is there a possibility to use the signing plugin of gradle with gpg >= 2.1?
I just encountered the same issue and solved it by manually creating a secring.gpg file by executing the following terminal command:
gpg --keyring secring.gpg --export-secret-key XXXXXXXX > secring.gpg
You have to replace XXXXXXXX with the ID of the key you want to use. You can list all available keys by using the command gpg --list-key.
Edit: I forgot to mention, that I am using Linux.
I also faced the same issue, which I couldn't solve with gpg --export-secret-key, like this:
gpg: WARNING: nothing exported
Actually my gpg's version was 1.4.xx (with gpg --version) and there was another: gpg2.
So try this:
gpg2 --export-secret-key XXXXXXXX > secring.gpg
For people reaching this issue in 2017+, starting with Gradle 4.5, using GnuPG 2 (and gpg-agent) is fully supported. From the signing plugin documentation:
signing {
    useGpgCmd()
    sign configurations.archives
}
In addition, at least signing.gnupg.keyName has to be defined (most likely in ~/.gradle/gradle.properties).
Please note that the properties that define the key (signing.gnupg.keyName), key store (signing.gnupg.homeDir), passphrase (signing.gnupg.passphrase), etc. differ from those used in previous Gradle versions (they are in signing.gnupg.*, not just signing.*).

Windows 8 driver install and catalog/signature validation

I can't get Windows 8 (release preview) to accept either the inf2cat or makecat approach described as solutions to the question at
What changed in the driver signature requirements for Windows 8?
unless I disable validation.
I am not signing these with any certificates at this point, just trying to get past the errors preventing the drivers from installing at all.
Windows 8 gives me a very nondescript error:
"A problem was encountered while attempting to add the driver to the store."
Looking in the event logs, there is nothing of use; only an informational entry from "Windows Error Reporting" indicating a PnPdriverimporterror.
When I use my original files with the cab files that don't match the inf, I get the error everyone else is listing:
The hash for the file is not present in the specified catalog file.
I have one .inf file that I need to generate a .cat for.
Perhaps I am doing something wrong. Ideas??
INF2CAT Approach
c:\win_xp_vista32_64>inf2cat /driver:"." /os:XP_X86,XP_x64,Vista_X86,Vista_x64,7_X86,7_X64,8_X86,8_X64
.......................
Signability test complete.
Errors:
None
Warnings:
22.9.10: usbser.sys in [drivercopyfiles.nt] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
22.9.10: %driverfilename%.sys in [drivercopyfiles.ntamd64] is missing from [SourceDisksFiles] section in \mchpcdc.inf; ok if file source is provided via LayoutFile in [Version].
Catalog generation complete.
c:\win_xp_vista32_64\mchpcdc.cat
MAKECAT approach
--- start of catalog.cdf file---
[CatalogHeader]
Name=mchpcdc.cat
ResultDir=.\
[CatalogFiles]
<hash>mchpcdc=.\mchpcdc.inf
---end of .cdf file ---
c:\win_xp_vista32_64>makecat catalog.cdf
These same files, w/ the cat from either approach install just fine in Windows 7.
I think this problem has to do with "windows driver signing enforcement". You can resolve this by disabling this option. See the link below:
http://tivadj-tech.blogspot.in/2012/09/certificate-check-error-when-installing.html
I just tested this on Windows 10 and 8 PRO now, to get this right, follow these steps:
1) From your Start menu, locate your DDK's "x64 Checked Build Environment" i.e. the custom DOS build screen. Right-click, run-as administrator...
2) Compile your source with the Build tools etc.
3) Go into your compiled code, and then create your test-certificate (you don't need to purchase one just yet, use your self-signed one created with the line below):
makecert -r -pe -ss PrivateCertStore -n CN=newhex.com(Test) NewhexTest.cer
The above means your certificate is called "newhex.com(Test)" and the generated file is "NewhexTest.cer"
4) Create / Edit your .CDF file, which describes your CAT file's contents.
5) Create your CAT file by executing:
makecat -v MyCDF.CDF
This should generate an un-signed CAT file that includes all files specified by your CDF.
6) Sign your CAT file as follows:
Signtool sign /v /s PrivateCertStore /n newhex.com(test) /t http://timestamp.verisign.com/scripts/timestamp.dll MyDriverWhatever.cat
This should result in a CAT file that is signed, but don't just install it, because your Windows can't trust Newhex's cert since it's not in the keystore. To fix this, do:
7) Add your certificate to your private key store. Remember, this step MUST be done with administrator access, otherwise you will get an error (Keystore not found, etc.):
certmgr.exe -add NewhexTest.cer -s -r localMachine root
This should add it to your keystore. Once done, you can then:
8) Go into your Device Manager and add your new driver. You will get a warning, but it will be accepted and installed without the need to reboot with a forced (Don't check cert type account).
I tried this already and it works on Windows 10 and Windows 8 pro versions.
Kind Regards
Heider Sati
You are supposed to use inf2cat, not makecat, because you have an INF file.
You should work on addressing those warnings from inf2cat by fixing your INF file. Here is my INF file that uses usbser.sys and doesn't cause any warnings: https://gist.github.com/3647208
I was able to fix my INF file thanks to the advice from chinzei in the first post of this thread: http://www.microchip.com/forums/m488342-print.aspx
If you continue to have trouble, please edit your question to include the source of your INF file, or at least a link to the source.
I encountered the same problem and was able to install my driver with a TEST certificate using the instructions provided here:
http://msdn.microsoft.com/en-us/windows/hardware/gg487328.aspx

Resources