
Manage OSSRH

Artur Souza edited this page May 30, 2023 · 4 revisions

Access nexus repository

Manual deployment using Maven

  • Download GPG private key from Dapr's 1Password (java-sdk-mvn-gpg-private-key secret in 1Password)
  • Base64-decode secret to private key
# for Linux users (GNU coreutils base64; on macOS the decode flag is `-D`)
$ echo "secret" | base64 -d > gpg-private.key
  • Import the GPG private key on your local machine
$ gpg --batch --import gpg-private.key
  • Set the secret environment variables
export OSSRH_USER_TOKEN=user_token # See `java-sdk-ossrh-user-token` secret in 1Password
export OSSRH_PWD_TOKEN=user_pass # See `java-sdk-ossrh-user-token` secret in 1Password
export GPG_KEY=gpg_key # See `java-sdk-mvn-gpg-private-key-pass` secret in 1Password
export GPG_PWD=gpg_pwd # See `java-sdk-mvn-gpg-private-key-pass` secret in 1Password
  • Deploy with Maven
export GPG_TTY=$(tty)
mvn -V -B -Dgpg.skip=false -s settings.xml deploy
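A pre-flight check to run before the `mvn deploy` step above, added here as an example and not part of the Dapr java-sdk wiki or tooling: it confirms that the key named in `GPG_KEY` is present in the local keyring, matches on fingerprint, and has not expired (an expired key is the cue for the rotation procedure that follows). It assumes GnuPG 2.1 or newer, whose `--with-colons` listing reports dates as epoch seconds; `SAMPLE_LISTING`, `key_status` and `preflight` are names chosen for this example, and the sample listing is constructed to mirror the key shown on this page.

```shell
#!/bin/sh
# Pre-flight check for the manual OSSRH deploy: before `mvn deploy`, confirm that
# the key in GPG_KEY is in the local keyring (matched on fingerprint) and not expired,
# so the deploy neither fails late nor signs with the wrong key.
# Assumption (not from the wiki): GnuPG >= 2.1, whose --with-colons output gives
# dates as epoch seconds and prints an `fpr` record right after each `pub` record.
set -eu

# Classify a key from `gpg --with-colons --list-keys` output.
#   $1  the colon-format listing   $2  wanted key: 40-hex fingerprint or 16-hex long ID
#   $3  "now" as epoch seconds
# Prints one of: missing (no primary key listed), mismatch (none match), expired, ok
key_status() {
  printf '%s\n' "$1" | awk -F: -v want="$2" -v now="$3" '
    BEGIN { want = toupper(want) }
    # pub record: field 7 is the expiry (empty when the key never expires)
    $1 == "pub" { seen_pub = 1; in_pub = 1; expiry = $7; next }
    # fpr record following the pub: field 10 is the full fingerprint
    in_pub && $1 == "fpr" {
      in_pub = 0
      fpr = toupper($10)
      # accept the full fingerprint or its trailing 16 hex digits (the long key ID)
      if (substr(fpr, length(fpr) - length(want) + 1) != want) next
      found = 1
      if (expiry != "" && expiry + 0 <= now + 0) print "expired"; else print "ok"
      exit
    }
    END { if (!found) print (seen_pub ? "mismatch" : "missing") }'
}

# Constructed sample listing mirroring the key shown on this page (created
# 2020-01-17, expires 2022-01-16 UTC); key ID and fingerprint are the page's own.
SAMPLE_LISTING='pub:u:2048:1:B32573E3D5C334D9:1579219200:1642291200::u:::scESC::::::23::0:
fpr:::::::::2C250DF7621BD1A2D6B06E27B32573E3D5C334D9:
uid:u::::1579219200::0123456789ABCDEF0123456789ABCDEF01234567::dapr.io::::::::::0:
sub:u:2048:1:0123456789ABCDEF:1579219200:1642291200:::::e::::::23:'

# Query the real keyring for $GPG_KEY and exit non-zero unless the key is usable.
preflight() {
  listing=$(gpg --batch --with-colons --list-keys "$GPG_KEY" 2>/dev/null || true)
  status=$(key_status "$listing" "$GPG_KEY" "$(date +%s)")
  echo "GPG_KEY=$GPG_KEY: $status" >&2
  [ "$status" = ok ]
}

# Run the live check only when asked, e.g. `sh preflight.sh --check`.
case "${1:-}" in --check) preflight ;; esac
```

Run it with `GPG_KEY` exported as in the step above; a non-zero exit means the deploy should not proceed until the key is imported or rotated.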

Rotate GPG private key

  • Generate a GPG key pair
$ export GPG_TTY=$(tty)
# When gpg asks for the key passphrase, use the `java-sdk-mvn-gpg-private-key-pass` secret in 1Password. If you want to use a different passphrase, update the `java-sdk-mvn-gpg-private-key-pass` secret in 1Password accordingly.

$ gpg --generate-key

gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: dapr.io
Email address: [email protected]
You selected this USER-ID:
    "dapr.io <[email protected]>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B32573E3D5C334D9 marked as ultimately trusted
gpg: directory '/Users/youngp/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/youngp/.gnupg/openpgp-revocs.d/2C250DF7621BD1A2D6B06E27B32573E3D5C334D9.rev'
public and secret key created and signed.

pub   rsa2048 2020-01-17 [SC] [expires: 2022-01-16]
      2C250DF7621BD1A2D6B06E27B32573E3D5C334D9
uid                      dapr.io <[email protected]>
sub   rsa2048 2020-01-17 [E] [expires: 2022-01-16]
  • Export private key
# KEYID is the key fingerprint, e.g. 2C250DF7621BD1A2D6B06E27B32573E3D5C334D9 in the example above
$ gpg -a --export-secret-key KEYID > private-key.gpg
  • Base64-encode private-key.gpg
base64 private-key.gpg
  • Export public key
# KEYID is the key fingerprint, e.g. 2C250DF7621BD1A2D6B06E27B32573E3D5C334D9 in the example above
gpg -a --export KEYID > public-key.gpg
  • Upload the public key only to https://keys.openpgp.org/upload/ - this requires verifying an e-mail sent to [email protected]

  • Update the repository secrets in GitHub Settings -> Secrets

    • GPG_PRIVATE_KEY with the Base64 value of the private key
    • GPG_KEY with the new Key Id (2C250DF7621BD1A2D6B06E27B32573E3D5C334D9 in this example)
    • GPG_PASS with the password used to generate the new key
  • Update the java-sdk-mvn-gpg-private-key secret in keyvault

References
