From 18e6c41bfb17876ec26560f4718a26aaf43d5508 Mon Sep 17 00:00:00 2001
From: soloturn
Date: Mon, 14 Feb 2022 12:04:03 +0100
Subject: [PATCH] use gradle in-memory asci-armored keys to sign artifacts on the commadn line this allows as before: gradle -q signMavenPublication signPdfJar -Psigning.gnupg.keyName=... - -Psigning.gnupg.passphrase=... on github this allows to put the key and password into environment variables: ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ARTIFACT_SIGNING_KEY }} ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }} gradle -q signMavenPublication signPdfJar
---
 .github/workflows/ci-gradle.yml | 23 ++++-------------------
 build.gradle.kts | 8 +++++++-
 2 files changed, 11 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/ci-gradle.yml b/.github/workflows/ci-gradle.yml
index b1b52487e..e8341ab50 100644
--- a/.github/workflows/ci-gradle.yml
+++ b/.github/workflows/ci-gradle.yml
@@ -119,28 +119,13 @@ jobs:
 generateMetadataFileForMavenPublication generatePomFileForMavenPublication \
 -x test
 
- - name: Setup gpg
- if: env.ARTIFACT_SIGNING_KEY
- id: gpg
- env:
- ARTIFACT_SIGNING_KEY: ${{ secrets.ARTIFACT_SIGNING_KEY }}
- run: |
- echo "Importing key ..."
- echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --import --import-options import-show
-
- echo "Getting key id ..."
- key_id="$(echo "${ARTIFACT_SIGNING_KEY}" | gpg --batch --show-keys --with-colons | awk -F: '$1 == "sec" { print $5 }')"
- echo "::set-output name=key_id::${key_id}"
-
 - name: Sign artifacts
- if: env.GPG_KEYNAME
+ if: env.ORG_GRADLE_PROJECT_signingKey
 env:
- GPG_KEYNAME: ${{ steps.gpg.outputs.key_id }}
- GPG_PASSPHRASE: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
+ ORG_GRADLE_PROJECT_signingKey: ${{ secrets.ARTIFACT_SIGNING_KEY }}
+ ORG_GRADLE_PROJECT_signingPassword: ${{ secrets.ARTIFACT_SIGNING_PASSPHRASE }}
 run: |
- gradle -q signMavenPublication signPdfJar \
- "-Psigning.gnupg.keyName=${GPG_KEYNAME}" \
- "-Psigning.gnupg.passphrase=${GPG_PASSPHRASE}"
+ gradle -q signMavenPublication signPdfJar
 
 - name: Upload artifacts
 uses: actions/upload-artifact@v2
diff --git a/build.gradle.kts b/build.gradle.kts
index 257d15296..05691bc39 100644
--- a/build.gradle.kts
+++ b/build.gradle.kts
@@ -122,8 +122,14 @@ val pdfJar by tasks.registering(Jar::class) {
 }
 
 signing {
- if (hasProperty("signing.gnupg.passphrase")) {
+ if (hasProperty("signing.gnupg.keyName") && hasProperty("signing.gnupg.passphrase")) {
 useGpgCmd()
+ } else if (hasProperty("signingKey") && hasProperty("signingPassword")) {
+ val signingKey: String? by project
+ val signingPassword: String? by project
+ useInMemoryPgpKeys(signingKey, signingPassword)
+ }
+ if (hasProperty("signing.gnupg.passphrase") || hasProperty("signingPassword")) {
 sign(publishing.publications["maven"])
 sign(closureOf { sign(pdfJar.get()) })
 }
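Review bot: The `env:` block of the "Sign artifacts" step does not document the format `ARTIFACT_SIGNING_KEY` must now have. The commit message says the key is passed to Gradle as an in-memory ASCII-armored key instead of being imported with `gpg --import`, so a secret stored in another export format would presumably only show up as a signing failure at release time. I would add above the two variables: `# ARTIFACT_SIGNING_KEY: ASCII-armored private key; Gradle reads it as project property signingKey via the ORG_GRADLE_PROJECT_ prefix`. The job this step belongs to starts outside the hunk.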
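Review bot: The final `if` that registers the `sign(...)` calls is looser than the two branches that choose a signatory: it fires on `signing.gnupg.passphrase` or `signingPassword` alone, while `useGpgCmd()` and `useInMemoryPgpKeys(...)` each need both of their properties. With only the passphrase set (which the old condition accepted) or only `signingPassword`, the publications are marked for signing with no signatory selected, so the signing tasks will presumably fail instead of being skipped. Computing each condition once and reusing it for the last guard keeps configuration and registration in step. The `signing` block closes outside the hunk.

```kotlin
signing {
    val viaGpgCmd = hasProperty("signing.gnupg.keyName") && hasProperty("signing.gnupg.passphrase")
    val viaInMemoryKey = hasProperty("signingKey") && hasProperty("signingPassword")
    if (viaGpgCmd) {
        useGpgCmd()
    } else if (viaInMemoryKey) {
        // … unchanged: signingKey/signingPassword delegates and useInMemoryPgpKeys call …
    }
    if (viaGpgCmd || viaInMemoryKey) {
        // … unchanged: sign(...) calls …
    }
```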