gpg configuration: private key is now just a secret

- secret is written to a file and imported into gpg keystore
- passphrase is now provided as a secret as well

.github/workflows/build.yml

@@ -55,4 +55,6 @@ jobs:
       shell: bash
       env:
         PMD_CI_SECRET_PASSPHRASE: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}
+        PMD_CI_GPG_PRIVATE_KEY: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}
+        MAVEN_GPG_PASSPHRASE: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -243,12 +243,15 @@ Used global vars:
 *   PMD_CI_SECRET_PASSPHRASE: This is provided as a github secret
     (`PMD_CI_SECRET_PASSPHRASE: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}`) in github actions workflow.
     It is used to decrypt further secrets used by other scripts (github releases api, ...)
+*   PMD_CI_GPG_PRIVATE_KEY: The exported private key used for release signing, provided as a secret
+    (`PMD_CI_GPG_PRIVATE_KEY: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}`) in github actions workflow.
 
 Test with:
 
 ```
 bash -c 'set -e; \
          export PMD_CI_SECRET_PASSPHRASE=.... ; \
+         export PMD_CI_GPG_PRIVATE_KEY=.... ; \
          export PMD_CI_DEBUG=false ; \
          source inc/setup-secrets.bash ; \
          pmd_ci_setup_secrets_private_env ; \
@@ -456,16 +459,6 @@ export PMD_CI_SECRET_PASSPHRASE=...
 export CI_DEPLOY_USERNAME=...
 export CI_DEPLOY_PASSWORD=...
 
-# CI_SIGN_KEYNAME - GPG key used to sign the release jars before uploading to maven central
-# CI_SIGN_PASSPHRASE
-# the passphrase is also used for the keystore password in pmd-eclipse-plugin for JAR signing.
-export CI_SIGN_KEYNAME=...
-export CI_SIGN_PASSPHRASE=...
-
-# The GPG key passphrase is also exported as env variable MAVEN_GPG_PASSPHRASE to be used
-# by maven-gpg-plugin (https://maven.apache.org/plugins/maven-gpg-plugin/usage.html#sign-artifacts-with-gnupg)
-export MAVEN_GPG_PASSPHRASE="${CI_SIGN_PASSPHRASE}"
-
 export PMD_SF_USER=...
 # https://sourceforge.net/p/forge/documentation/Using%20the%20Release%20API/
 export PMD_SF_APIKEY=...
@@ -489,57 +482,6 @@ export GEM_HOST_API_KEY=...
 export PMD_CI_CHUNK_TOKEN=...
 ```
 
-### release-signing-key-D0BF1D737C9A1C22.asc
-
-Export the private key as "release-signing-key-D0BF1D737C9A1C22" and encrypt it with PMD_CI_SECRET_PASSPHRASE:
-
-```
-printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
-  --passphrase-fd 0 \
-  release-signing-key-D0BF1D737C9A1C22
-```
-
-The public key is available here:
-* <https://keys.openpgp.org/search?q=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22>
-* <https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&op=index>
-* <http://pgp.mit.edu/pks/lookup?search=0xD0BF1D737C9A1C22&fingerprint=on&op=index>
-
-And in the file `release-signing-key-D0BF1D737C9A1C22-public.asc`.
-
-**Updating the key:**
-
-From time to time the key needs to be renewed. Import the private and public key into your local gpg keystore
-and renew it. Make sure to renew all subkeys. Then export it again.
-
-*Note:* The private key is additionally secured by a passphrase - see "CI_SIGN_PASSPHRASE".
-
-You can verify the expiration date with `gpg --fingerprint --list-sigs D0BF1D737C9A1C22`:
-
-```
-pub   rsa4096 2019-12-16 [SC] [expires: 2025-12-31]
-      EBB2 41A5 45CB 17C8 7FAC  B2EB D0BF 1D73 7C9A 1C22
-uid           [ultimate] PMD Release Signing Key <releases@pmd-code.org>
-sig 3        D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <releases@pmd-code.org>
-sig 3        93450DF2DF9A3FA3 2019-12-16  Andreas Dangel <andreas.dangel@adangel.org>
-sig 3        D0BF1D737C9A1C22 2019-12-16  PMD Release Signing Key <releases@pmd-code.org>
-sig 3        D0BF1D737C9A1C22 2020-11-02  PMD Release Signing Key <releases@pmd-code.org>
-sub   rsa4096 2019-12-16 [E] [expires: 2025-12-31]
-sig          D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <releases@pmd-code.org>
-```
-
-Upload the exported *public* key to
-
-* <https://keys.openpgp.org/upload>
-* <https://keyserver.ubuntu.com/#submitKey>
-* <http://pgp.mit.edu/>
-
-Verify the uploaded key expiration date:
-
-`gpg --show-keys release-signing-key-D0BF1D737C9A1C22-public.asc`
-`curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22' | gpg --show-keys`
-`curl 'https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&exact=on&options=mr&op=get' | gpg --show-keys`
-`curl 'http://pgp.mit.edu/pks/lookup?op=get&search=0xD0BF1D737C9A1C22' | gpg --show-keys`
-
 ### pmd.github.io_deploy_key.asc
 
 Created with `ssh-keygen -t ed25519 -C "ssh key for pmd. used for github actions to push to pmd.github.io" -f pmd.github.io_deploy_key`.
@@ -671,6 +613,90 @@ you would need to manually publish the staging repo. See also the section below
 
 ## Miscellaneous
 
+### Release Signing Keys
+
+For signing the artifacts, that are published in Maven Central, we use GPG. The key fingerprint
+is `EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22`:
+
+```
+pub   rsa4096/D0BF1D737C9A1C22 2019-12-16 [SC] [expires: 2025-12-31]
+      EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22
+uid                 [ultimate] PMD Release Signing Key <releases@pmd-code.org>
+sub   rsa4096/1DAA314BF520D0A8 2019-12-16 [E] [expires: 2025-12-31]
+```
+
+The public key is available here:
+* <https://keys.openpgp.org/search?q=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22>
+* <https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&op=index>
+* <http://pgp.mit.edu/pks/lookup?search=0xD0BF1D737C9A1C22&fingerprint=on&op=index>
+
+And in the file `release-signing-key-D0BF1D737C9A1C22-public.asc`.
+
+**Private key:**
+
+The corresponding private key is configured as a [`secret`](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets)
+for GitHub Action on the organization level. This means, the secret is available for all repositories.
+The secret name is `PMD_CI_GPG_PRIVATE_KEY`.
+
+For setting up, export the secret key and copy-paste it into a new secret:
+
+```
+gpg --armor --export-secret-key EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22 | wl-copy
+```
+
+(instead of wl-copy, use xclip or pbcopy, depending on your os).
+
+This private key will be imported by the script `setup-secrets.bash`.
+
+Note 1: In order to use the key later on, the passphrase is needed. This is also setup as a secret:
+`PMD_CI_GPG_PASSPHRASE`. This secret is then exported as "MAVEN_GPG_PASSPHRASE" where needed
+(`MAVEN_GPG_PASSPHRASE: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}`) in github actions workflows.
+See also <https://maven.apache.org/plugins/maven-gpg-plugin/usage.html#sign-artifacts-with-gnupg>.
+
+
+Note 2: The private key is now only secured by the passphrase. It is stored as a GitHub Actions
+secret and temporarily written to a file in order to import it. It is not anymore committed in
+this build-tools repository and is therefore not encrypted with another key (e.g. PMD_CI_SECRET_PASSPHRASE). 
+
+**Updating the key:**
+
+From time to time the key needs to be renewed, passphrase needs to be changed or a whole key needs to
+be replaced.
+
+For renewing or changing the passphrase, import the private and public key into your local gpg keystore
+and renew it. Make sure to renew all subkeys. Then export it again.
+
+For replacing, generate a new key, just export it.
+
+You can verify the expiration date with `gpg --fingerprint --list-sigs D0BF1D737C9A1C22`:
+
+```
+pub   rsa4096 2019-12-16 [SC] [expires: 2025-12-31]
+      EBB2 41A5 45CB 17C8 7FAC  B2EB D0BF 1D73 7C9A 1C22
+uid           [ultimate] PMD Release Signing Key <releases@pmd-code.org>
+sig 3        D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <releases@pmd-code.org>
+sig 3        93450DF2DF9A3FA3 2019-12-16  Andreas Dangel <andreas.dangel@adangel.org>
+sig 3        D0BF1D737C9A1C22 2019-12-16  PMD Release Signing Key <releases@pmd-code.org>
+sig 3        D0BF1D737C9A1C22 2020-11-02  PMD Release Signing Key <releases@pmd-code.org>
+sub   rsa4096 2019-12-16 [E] [expires: 2025-12-31]
+sig          D0BF1D737C9A1C22 2024-11-22  PMD Release Signing Key <releases@pmd-code.org>
+```
+
+Upload the exported *public* key to
+
+* <https://keys.openpgp.org/upload>
+* <https://keyserver.ubuntu.com/#submitKey>
+* <http://pgp.mit.edu/>
+
+Verify the uploaded key expiration date:
+
+`gpg --show-keys release-signing-key-D0BF1D737C9A1C22-public.asc`
+`curl 'https://keys.openpgp.org/vks/v1/by-fingerprint/EBB241A545CB17C87FACB2EBD0BF1D737C9A1C22' | gpg --show-keys`
+`curl 'https://keyserver.ubuntu.com/pks/lookup?search=0xEBB241A545CB17C87FACB2EBD0BF1D737C9A1C22&fingerprint=on&exact=on&options=mr&op=get' | gpg --show-keys`
+`curl 'http://pgp.mit.edu/pks/lookup?op=get&search=0xD0BF1D737C9A1C22' | gpg --show-keys`
+
+Don't forget to update the secret `PMD_CI_GPG_PRIVATE_KEY` with the renewed private key.
+
 ### Nexus Staging Maven Plugin
 
 See <https://github.com/sonatype/nexus-maven-plugins/tree/master/staging/maven-plugin>.

scripts/files/private-env.asc

@@ -1,30 +1,24 @@
 -----BEGIN PGP MESSAGE-----
 
-jA0ECQMCIZQjLRqA9pX/0uoBy+8QE0KnDKSyt4gO8KZ1wO8eerrmtjQifWddIUq4
-Vt3jpR8XrXneqJwiX9mZZG+sfOjXQWDDQ6kYtGIE8YeT5dxM23H3rABwiy+10qVP
-c7WeuEohfbU2ra1A1UZ3wY/PXTyLplExQ+M2sBAtBR6RkzEox7nrd2Z35KA2XY8v
-Q3r6ZZd8YOMijegdPQTT5z9vnSbiC7cl+BOmHy5v88MhlPXHkQVFiC0dPoZxI4wG
-Q37tH/o00UaEL0BGbCPq/cx6sj2siJZRb7CnRD0/q5ZBgCM7OO1im/8rWGe6msoM
-PjEu8WbQwxl2asXGemgncuTzRznWFSKXYwaLP65cZODJ6BX6uW+fLbVJWb+F0NUm
-q+wL4kTa+AB0yuzA9KMc9d8OgFWqd6P10pbpgWxvi5kDc+SSvmKor6HApzSeL9lP
-9mtmo+BHgRq6RyISm3jAFo6thtG/dE/UOHtAaA05xYkY6RP5etxZVQ+J4La7hICj
-aI7v8mzM/FXKesRtIGH3l8B37mOiSLtS6K1abomyuALJseLcfxkZXZQT0LyXQ47r
-ODKxANuoXyV09UM+d8WTZy89lobXx61gkhgyawabs/tPnA3DLolG+KHt+G3uOCh+
-uqgkFULUHhit/Kkx67fGAiNeo6uo+r+L4jbMBGASyb2QotPmgJ73IopCHCxd6HTL
-N1/Y+yhSmjuTS9aR+CKfeH2E5KoC6roPuIuQb4w7GZRCrCHlM5LxzjBOLSD9elKd
-XZqEJcI4Po3cQakbPWx++kDHjkXo7nu/wrzNIW3qCTxaesBP3G4pct99Z+jw+wkv
-oCxu5eO6r3wjQiHTHHER4+6w+SEMW9GafDbY5Z11moeRz6xUPdR8ndmKEugDX7gg
-P7j8Smaiz5GeZh9G4xmotaHJOiG9SiC783iytYRf1asO6Feoohll1cTenpqo0ZDs
-Q0c6XsXbyJlZ3GGtTPkdtPlA1Y+5oZZJc5HlOS5dfiqvIXgrK8OpF2GdvtJjkHua
-KKpX6ffAiQGSYVUfBIFM5vDAVwIA3x0Nyo9ceAPFk/1rymiQWNoSA1DBgd0btvgD
-xEXp/ZnNMjAXavgRMZ1r88mNM0EooPTUj+WB3DKC8Udi55/oVzAhpO95qmJbPJFm
-FwcsEUNZDh0k4lTqRSR/zTXBxTKwvsAWLCBWqmZxytv54fsACUSuChUuW4airRsN
-ymPH6VNlLZ6M5at+wh+zuUed5wODLYU9TTsb/ldqg1LY9zFqqtrmnlXE8VnqdS0j
-rwKA6CrSCCB3X8eLHuUNl1bRUgyDaaL3lRLttFwIN/+JvNDSr3uBabYh7DoMaShr
-Lqaen30JZcvT/rwLTTFCIOugXtqfwy5TWenGND2XrNvEpP5uRwkVJoXbkEejGk0d
-Q7W3775AMssmMl4GzE+nWyxd0wTs3K3udzFdVuGHrCVs93CIfGhCg/6BBdKITHR0
-6CiIoEhIKMHXXOuV3t6Sgtbr53yawaYwgQ2agOYmZ2oIPbWQN08t+o8ZUDEPD420
-Le9GPDe5nH/3uSInoRaEFx1n7UUm5XLgs/qEbsjfpJ0Ah0ZTRHmjUiIDReem3HYz
-uiXZBkk4
-=JA2g
+jA0ECQMC1rX2OnC4kM3/0ukB8X+sMFob8hUO32BTsp9Hxgrbwx4oi+IQtW0mtHDq
+cDAxnRMliqdNqNJL9BUK3WyMCAyLdrP2tA1HOdxLzdLoF+2HgClZqUYZ2CKKCSnr
+ALykv+MJ1A3rgNJ786IcpaWLSsrVVj8tBrCB3cVVIhN4nJJ4Z6hHpHk8KILbxAXD
+kIIEYIAfHHgoCuHvtn2m/iIGOjsZuDwY5hI0zZk+D+IVekGBnIP7v/aBdw2odKiY
+c0BnPdBZtgKBz7I0QpUPg0cNaAE0pfgL58smFmRANUFRDn7TdKv7OL+jEAx9Ya6l
+1iwDojHSF+8FtKWw08272wmcGcsFefQ1DiceTf/pEKiC2zaUpzWlSPTVyV8/MVq7
+Qi085NO2GigaorUpfJT1QPqGVM7fHof5Y+5AqRqPXsZGXyVQi4FUlFSY1hYPp5Hx
+vL5Ts7poNjh8Zgy6Llgfx3ErzhO0kuVbaSlJKZeCkTZB+21Bgl6VDFDqPi/Dv+gd
+5mOClpzE44aayHLbg/BbyCdaj1rMi8OZbxEJmqtvVidGl05HmxAaRhxY9/bbpVkq
+z8kz/gg4bPeiiKA3rg3G10Lwj9UwaPsAAppn2pQU3CGvjOSBfPV60HunRPsPwVdj
+25M38FbCDw734VVKm796cIqu+DUEXIH2nTjJ0gkvc11PTxGOs93DjOEJizgzeNw5
+R8Dm25J9OjjWv4Yjos1H22VAa2YUj6MO8exx5v+rUfHBf6Mk1c0Y67K1E8p3pq7/
+8wnkBKvH+TlTos315mZyXZ5jMwGQYJbY4JW7ukiHDNmN5Xmm/pZkBa/GId+hLmhV
+uP0285H0VMDzsQRIVpDPuoguae2Yvm4AHQxYQGjxCmcU5e4AIipYkSYwsQYMZb5/
+oQPXBnL4N3yxtV5/pl3KGHaLKioE1LXuBooOAsk8/Pc2nBxI6tXjjZ3IgI2Rf0kR
+qU8dzrMC1PGPm48l+jQaj2AQN86p9P1UN1bwUUO7tVx4lk/7CTLvDG72hx8TxHtg
+EjGtoT7rXdMypbcwIAWYqr2GD49Ig1naefl3NvXwpFwJekw9H3c6lxQv4D9H+ZY0
+8G2iAQik2ztcFEm5X70vR+RSstjKsvv+Vub6fQHSFJ06RQi8NRUcq2ctJZByJdbs
+hb+6f4ezx+ahwC3W+vYrLGAbePU2KN4vOO3V7nfWR0tpXVBwflkHJfSc4GIu0wf4
+ggXMeWxS37tPdvhsdFCAvv8wuyynEVOzF9U4WgH79hg9KSLJpQhp0qQ=
+=BdYe
 -----END PGP MESSAGE-----