use gradle in-memory asci-armored keys to sign artifacts

on the commadn line this allows as before: gradle -q signMavenPublication signPdfJar -Psigning.gnupg.keyName=... - -Psigning.gnupg.passphrase=... on github this allows to put the key and password into environment variables: ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ARTIFACT_SIGNING_KEY }} ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }} gradle -q signMavenPublication signPdfJar
2024-12-22 02:49:06 +00:00 · 2022-02-14 12:04:03 +01:00 · 2022-02-14 12:04:03 +01:00 · 18e6c41bfb
commit 18e6c41bfb
parent 92e955ef03
2 changed files with 11 additions and 20 deletions
--- a/.github/workflows/ci-gradle.yml
+++ b/.github/workflows/ci-gradle.yml
@ -119,28 +119,13 @@ jobs:
            generateMetadataFileForMavenPublication generatePomFileForMavenPublication \
            -x test

-      - name: Setup gpg
-        if: env.ARTIFACT_SIGNING_KEY
-        id: gpg
-        env:
-          ARTIFACT_SIGNING_KEY: ${{ secrets.ARTIFACT_SIGNING_KEY }}
-        run: |
-          echo "Importing key ..."
-          echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --import --import-options import-show
-
-          echo "Getting key id ..."
-          key_id="$(echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
-          echo "::set-output name=key_id::${key_id}"
-
      - name: Sign artifacts
-        if: env.GPG_KEYNAME
+        if: env.ORG_GRADLE_PROJECT_signingKey
        env:
-          GPG_KEYNAME: ${{ steps.gpg.outputs.key_id }}
-          GPG_PASSPHRASE: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
+          ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ARTIFACT_SIGNING_KEY }}
+          ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
        run: |
-          gradle -q signMavenPublication signPdfJar \
-            "-Psigning.gnupg.keyName=${GPG_KEYNAME}" \
-            "-Psigning.gnupg.passphrase=${GPG_PASSPHRASE}"
+          gradle -q signMavenPublication signPdfJar

      - name: Upload artifacts
        uses: actions/upload-artifact@v2
--- a/build.gradle.kts
+++ b/build.gradle.kts
@ -122,8 +122,14 @@ val pdfJar by tasks.registering(Jar::class) {
 }

 signing {
-	if (hasProperty("signing.gnupg.passphrase")) {
+	if (hasProperty("signing.gnupg.keyName") && hasProperty("signing.gnupg.passphrase")) {
 		useGpgCmd()
+	} else if (hasProperty("signingKey") && hasProperty("signingPassword")) {
+		val signingKey: String? by project
+		val signingPassword: String? by project
+		useInMemoryPgpKeys(signingKey, signingPassword)
+	}
+	if (hasProperty("signing.gnupg.passphrase") || hasProperty("signingPassword")) {
 		sign(publishing.publications["maven"])
 		sign(closureOf<SignOperation> { sign(pdfJar.get()) })
 	}