GPG-Signing of maven artifacts fails on Windows runners with actions/setup-java@v4 and maven-gpg-plugin version range [3.2.0, 3.2.7)
#629
Comments
|
Hello @ralfkonrad, Thank you for creating this issue and we will look into it :) |
|
Hello @ralfkonrad, the issue is arising from changes made in the 3.2.0 version of the Apache Maven GPG Plugin. As for the setup-java in connection with the maven-gpg-plugin, it's functioning as expected. We suggest you to report a bug with the Apache Maven GPG Plugin to address this. |
|
Hello @ralfkonrad, Can you confirm whether the issue has been addressed? |
|
Hello @mahabaleshwars, thanks for picking this up. And sorry for the late reply, busy times. Unfortunately, I didn't find the time to address this issue to the Apache Maven GPG Plugin. Regarding
Do you have more inside here? What exactly is the issue? Also, I'm not sure if it is really (only) their problem. As I mentioned above, the plugin For me it is not obvious who is responsible here and what needs to be changed. Best |
ralfkonrad
changed the title
actions/checkout@v4 and maven-gpg-plugin v3.2.4actions/setup-java@v4 and maven-gpg-plugin v3.2.4
|
I am seeing the same issue. My guess is that this has something to do with the use of Powershell on the Windows machines. I filed https://issues.apache.org/jira/browse/MGPG-136 We need one of the committers to dig into this because it's not really easy to debug this problem. |
|
Also note that Powershell has long-standing bugs regarding expanding environment variables: https://stackoverflow.com/a/68758940/14731 It doesn't sound like these will get fixed anytime soon. Can one of the Maybe you guys need to use the quoting workaround mentioned in Stackoverflow in order to fix this on your end. |
|
Hello @ralfkonrad, @cowwoc, Thank you for the above information. We have further investigated the issue and found the following related updates to the maven-gpg-plugin from version 3.2.0 to 3.2.4 compared to 3.1.0: PR #95: Added improvements to passphrase handling to enhance security and compatibility. We have verified that the environment variable is correctly set and visible on Windows using commands like echo %MY_GPG_PASSPHRASE% in Command Prompt or $env:MY_GPG_PASSPHRASE in PowerShell, and it returns the same value as on Linux and macOS. We have also checked the Apache Maven releases and couldn't find any significant changes before the 3.2.0 releases. We are continuing our investigation to find the root cause. |
|
Thanks @aparnajyothi-y for the update. Interesting constellation. If there is anything I can do on my side please let me know. |
|
Hi @cowwoc, @aparnajyothi-y, @mahabaleshwars Thanks for having a look into it. The Please have a look at ralfkonrad/test-mvn-gpg-plugin#30. |
|
Our current result is this: m-gpg-p "prepares" passphrase to be consumed by gpg.exe spawned process via STDIN, same as it happened in 3.1.0 even. Later we received issue MGPG-99 (reported against 3.1.0) that GPG does not "detect" passphrase on STDIN, so starting with 3.2.0 we appended "line separator" to passphrase (to terminate it) as user did same by using unicode in his own settings.xml (later turns out he used LF only). But, it turns out, that GPG uses binary read-mode of STDIN, and expects and handles "\n" only, while Java "line separator" on Windows returns "\r\n". This made passphrase "corrupted" (bad) due presence of extra "\r". GPG on Windows does not handle "\r", or it could use text read-mode of STDIN, where Windows would strip "\r" off for them. All in all, m-gpg-p starting from 3.2.7 should work on Windows as well without any extra hokus pokus. Thanks all! Edit: issue should be updated for future ref: affected are maven-gpg-plugin version range |
|
Release 3.2.7 is on vote (72h): https://lists.apache.org/thread/n49wo8ls7kw8b2ono3xbr4fpfdvtvfy4 |
ralfkonrad
changed the title
actions/setup-java@v4 and maven-gpg-plugin v3.2.4actions/setup-java@v4 and maven-gpg-plugin version range [3.2.0, 3.2.7)
|
Thanks @cstamas for picking this up and for the excellent explanation above. I have updated the title as you suggested and will close this once |
|
And thanks @ralfkonrad for the "infra", the GH reproducer repo! |
|
Hello @ralfkonrad, As per the above comments, the issue of GPG-signing failures of Maven artifacts on Windows runners is not directly related to the actions/setup-java repository. As per @cstamas , maven-gpg-plugin version 3.2.7 release should resolve the issue. Consequently, we are proceeding to close this issue. Please feel free to reach out if you need further assistance or clarification to reopen this issue Thank you! |
|
Sure! 👍 |
Update (2024-09-24)
Affected are
maven-gpg-pluginversion range[3.2.0, 3.2.7), using[3.2.7,)should solve this.Description:
GPG-Signing of maven artifacts fails only on Windows runners using
actions/setup-java@v4and the updatedmaven-gpg-pluginv3.2.0-v3.2.4. However, the previous plugin versionv3.1.0does not cause any problems for no runner.The error is
gpg: signing failed: Bad passphrase, see e.g. here.However, the new plugin versions
v3.2.xwork on my local windows 10 machine.The GPG private key and passphrase provided as secrets obviously work for the old plugin on windows and the new one on ubuntu and macOS.
I'm aware that this is perhaps not (only) an error in this action but perhaps in the
maven-gpg-pluginor in the interaction between them.Task version:
actions/setup-java@v4Platform:
Runner type:
Repro steps:
Here is a repository test-mvn-gpg-plugin which reproduces the error in this workflow build-and-sign.
Expected behavior:
The GPG-signing is successful for all runners.
Actual behavior:
The GPG-signing fails for
windows-2019andwindows-2022runners.The text was updated successfully, but these errors were encountered: