ghaction-import-gpg's Introduction

About

GitHub Action to easily import a GPG key.

Features

  • Works on Linux, macOS and Windows virtual environments
  • Allow seeding the internal cache of gpg-agent with provided passphrase
  • Signing-only subkeys support
  • Purge imported GPG key, cache information and kill agent from runner
  • (Git) Enable signing for Git commits, tags and pushes
  • (Git) Configure and check committer info against GPG key

Prerequisites

First, generate a GPG key and export the GPG private key as an ASCII armored version to your clipboard:

# macOS
gpg --armor --export-secret-key [email protected] | pbcopy

# Ubuntu
gpg --armor --export-secret-key [email protected] | xclip

# Arch
gpg --armor --export-secret-key [email protected] | xclip -selection clipboard -i

# FreeBSD
gpg --armor --export-secret-key [email protected] | xclip

Paste your clipboard contents into a secret named, for example, GPG_PRIVATE_KEY. If the key is protected by a passphrase, store it in a second secret (for example PASSPHRASE).
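Before the exported key goes into the secret, it is worth checking that the value has the shape the action expects. The following is an added example, not code from ghaction-import-gpg: it accepts the two encodings the inputs table documents (ASCII armor, or base64 of that armor), verifies the armor CRC, walks the OpenPGP packet headers without a gpg binary, and rejects the malformed inputs reported in the issues further down this page (a base64-encoded binary export, a public-key-only export, a block with two primary keys). The sample packet bodies are constructed placeholders, not real key material.

```python
"""Structural pre-flight checks for a GPG_PRIVATE_KEY secret value (constructed example)."""
import base64, re

SECRET_KEY, SECRET_SUBKEY, PUBLIC_KEY, USER_ID, SIGNATURE = 5, 7, 6, 13, 2   # RFC 4880 4.3 packet tags


def crc24(data: bytes) -> int:   # radix-64 checksum (RFC 4880 6.1) carried in the '=xxxx' armor trailer
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(block_type: str, data: bytes) -> str:   # ASCII-armor packets the way 'gpg --armor' does
    b64 = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "", *[b64[i:i + 64] for i in range(0, len(b64), 64)],
                      "=" + crc, f"-----END PGP {block_type}-----", ""])


def normalize(secret: str) -> str:
    """Pass armor through, unwrap base64-of-armor (the README's other accepted form), reject the rest."""
    value = secret.strip()
    if value.startswith("-----BEGIN PGP"):
        return value
    decoded = base64.b64decode("".join(value.split()), validate=True)   # binascii.Error is a ValueError
    if decoded.startswith(b"-----BEGIN PGP"):
        return decoded.decode()
    # Anything else is what 'gpg --export-secret-keys ... | base64' produces: a binary export.
    raise ValueError("Misformed armored text: base64 of a binary (non-armored) export; re-export with --armor")


def dearmor(text: str) -> tuple:
    """Return (block type, packet bytes); raise ValueError on bad armor, bad base64 or a CRC24 mismatch."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = re.fullmatch(r"-----BEGIN PGP (.+)-----", lines[0]) if lines else None
    if not head:
        raise ValueError("Misformed armored text: missing BEGIN PGP line")
    start = lines.index("") + 1 if "" in lines else 1            # armor headers end at a blank line
    payload = [ln for ln in lines[start:] if ln and not ln.startswith("-----END PGP")]
    body, crc = [ln for ln in payload if ln[0] != "="], [ln[1:] for ln in payload if ln[0] == "="]
    data = base64.b64decode("".join(body), validate=True)
    if crc and int.from_bytes(base64.b64decode(crc[0]), "big") != crc24(data):
        raise ValueError("armor CRC24 mismatch: key material was altered (copy/paste damage?)")
    return head.group(1), data


def packet_tags(data: bytes) -> list:
    """Walk RFC 4880 packet headers (old and new format) and return the sequence of tags."""
    tags, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError(f"offset {pos}: 0x{ctb:02x} is not a packet header")
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths do not occur in key exports")
        else:                                            # old format: 1, 2 or 4 length octets
            tag, width = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if width == 8:                               # length type 3 = indeterminate
                raise ValueError("indeterminate packet length in a key export")
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + width], "big"), pos + 1 + width
        tags.append(tag)
        pos += length
    if pos != len(data):
        raise ValueError("truncated packet: the export is incomplete")
    return tags


def check_secret(secret: str) -> dict:
    """Return the block type, a per-tag packet count and the list of problems found."""
    block_type, data = dearmor(normalize(secret))
    tags = packet_tags(data)
    problems, primaries = [], tags.count(SECRET_KEY)
    if block_type != "PRIVATE KEY BLOCK":
        problems.append(f"expected PRIVATE KEY BLOCK, got {block_type}")
    if primaries == 0:
        problems.append("no secret key packet: use --export-secret-key, not --export")
    elif primaries > 1:
        problems.append(f"key block contains multiple keys ({primaries} primary secret keys)")
    return {"block_type": block_type, "packets": {t: tags.count(t) for t in sorted(set(tags))}, "problems": problems}


def _packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body      # old-format header, one-octet length


# Constructed sample (placeholder bodies, not real key material) in the order gpg exports them.
ONE_KEY = b"".join(_packet(t, b) for t, b in [(SECRET_KEY, b"\x04primary"), (USER_ID, b"Joe Bar <joe@example.invalid>"),
          (SIGNATURE, b"\x04self-sig"), (SECRET_SUBKEY, b"\x04signing-subkey"), (SIGNATURE, b"\x04binding-sig")])
SAMPLE_ARMORED = armor("PRIVATE KEY BLOCK", ONE_KEY)                      # gpg --armor --export-secret-key
SAMPLE_ARMORED_B64 = base64.b64encode(SAMPLE_ARMORED.encode()).decode()  # ... | base64 (also accepted)
SAMPLE_BINARY_B64 = base64.b64encode(ONE_KEY).decode()                    # gpg --export-secret-keys | base64 (rejected)
```

Run `check_secret()` on the exact string you are about to paste into the secret; an empty `problems` list and a `PRIVATE KEY BLOCK` type mean the action will at least be able to parse it.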

Usage

Workflow

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      -
        name: List keys
        run: gpg -K

Sign commits

name: import-gpg

on:
  push:
    branches: master

jobs:
  sign-commit:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          git_user_signingkey: true
          git_commit_gpgsign: true
      -
        name: Sign commit and push changes
        run: |
          echo foo > bar.txt
          git add .
          git commit -S -m "This commit is signed!"
          git push

Use a subkey

With the fingerprint input, you can specify which subkey of a GPG key to use for signing.

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: "C17D11ADF199F12A30A0910F1F80449BE0B08CB8"
      -
        name: List keys
        run: gpg -K

For example, given this GPG key with a signing subkey:

pub   ed25519 2021-09-24 [C]
      87F257B89CE462100BEC0FFE6071D218380FDCC8
      Keygrip = F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092
uid           [ unknown] Joe Bar <[email protected]>
sub   ed25519 2021-09-24 [S]
      C17D11ADF199F12A30A0910F1F80449BE0B08CB8
      Keygrip = DEE0FC98F441519CA5DE5D79773CB29009695FEB

You can use the subkey with signing capability ([S]), whose fingerprint is C17D11ADF199F12A30A0910F1F80449BE0B08CB8, by passing that value as the fingerprint input.
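Reading the [S] subkey off the human-readable listing above by eye does not scale to a fleet of bot keys; the machine-readable colon format is what to automate against. The following is an added example, not part of the action: it parses constructed `gpg --with-colons --with-keygrip -K` output modelled on the key above (placeholder user ID, plus an added encryption subkey with made-up fingerprint and keygrip) and returns the one value that belongs in the fingerprint input, refusing to guess when there is no signing subkey or no keygrip.

```python
"""Pick the signing-capable subkey fingerprint for the action's 'fingerprint' input (constructed example)."""

# Constructed 'gpg --with-colons --with-keygrip -K' output for the key shown above; the user ID,
# the second subkey and its fingerprint/keygrip are placeholders.
SAMPLE_COLONS = """\
sec:u:256:22:6071D218380FDCC8:1632441600:::u:::cSC:::+:::ed25519:::0:
fpr:::::::::87F257B89CE462100BEC0FFE6071D218380FDCC8:
grp:::::::::F5C3ABFAAB36B427FD98C4EDD0387E08EA1E8092:
uid:u::::1632441600::0123456789ABCDEF0123456789ABCDEF01234567::Joe Bar <joe@example.invalid>::::::::::0:
ssb:u:256:22:1F80449BE0B08CB8:1632441600::::::s:::+:::ed25519::
fpr:::::::::C17D11ADF199F12A30A0910F1F80449BE0B08CB8:
grp:::::::::DEE0FC98F441519CA5DE5D79773CB29009695FEB:
ssb:u:256:18:0011223344556677:1632441600::::::e:::+:::cv25519::
fpr:::::::::0000000000000000000000000000000000000000:
grp:::::::::1111111111111111111111111111111111111111:
"""


def parse_keys(colons: str) -> list:
    """Group each sec/ssb record with the fpr and grp records that gpg prints right after it."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            caps = f[11] if len(f) > 11 else ""          # field 12: per-key capability letters (c/s/e/a)
            keys.append({"kind": f[0], "keyid": f[4], "caps": caps, "fingerprint": None, "keygrip": None})
        elif f[0] == "fpr" and keys:
            keys[-1]["fingerprint"] = f[9]               # field 10 of an fpr record
        elif f[0] == "grp" and keys:
            keys[-1]["keygrip"] = f[9]                   # field 10 of a grp record
    return keys


def signing_subkeys(colons: str) -> list:
    """Subkeys whose own capabilities include 's'; a [C]-only primary is never a candidate."""
    return [k for k in parse_keys(colons) if k["kind"] == "ssb" and "s" in k["caps"]]


def fingerprint_input(colons: str) -> str:
    """Value for the action's 'fingerprint' input: exactly one signing subkey that has a keygrip."""
    cands = signing_subkeys(colons)
    if len(cands) != 1:
        raise ValueError(f"expected one signing subkey, found {len(cands)}: {[c['keyid'] for c in cands]}")
    if not cands[0]["keygrip"]:
        raise ValueError("signing subkey has no keygrip; gpg-agent cannot be seeded for it")
    return cands[0]["fingerprint"]
```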

Set key's trust level

With the trust_level input, you can specify the trust level of the GPG key.

Valid values are:

  • 1: unknown
  • 2: never
  • 3: marginal
  • 4: full
  • 5: ultimate

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v4
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v6
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          trust_level: 5

Customizing

inputs

The following inputs can be used as step.with keys:

  • gpg_private_key (String): GPG private key exported as an ASCII armored version or its base64 encoding (required)
  • passphrase (String): Passphrase of the GPG private key
  • trust_level (String): Set key's trust level
  • git_config_global (Bool): Set Git config global (default false)
  • git_user_signingkey (Bool): Set GPG signing keyID for this Git repository (default false)
  • git_commit_gpgsign (Bool): Sign all commits automatically (default false)
  • git_tag_gpgsign (Bool): Sign all tags automatically (default false)
  • git_push_gpgsign (String): Sign all pushes automatically (default if-asked)
  • git_committer_name (String): Set commit author's name (defaults to the name associated with the GPG key)
  • git_committer_email (String): Set commit author's email (defaults to the email address associated with the GPG key)
  • workdir (String): Working directory (below repository root) (default .)
  • fingerprint (String): Specific fingerprint to use (subkey)

Note

git_user_signingkey needs to be enabled for the git_commit_gpgsign, git_tag_gpgsign, git_push_gpgsign, git_committer_name and git_committer_email inputs to take effect.

outputs

The following outputs are available:

  • fingerprint (String): Fingerprint of the GPG key (recommended as user ID)
  • keyid (String): Low 64 bits of the X.509 certificate SHA-1 fingerprint
  • name (String): Name associated with the GPG key
  • email (String): Email address associated with the GPG key

Contributing

Want to contribute? Awesome! The most basic way to show your support is to star the project, or to raise issues. You can also support this project by becoming a sponsor on GitHub or by making a PayPal donation to ensure this journey continues indefinitely!

Thanks again for your support, it is much appreciated! 🙏

License

MIT. See LICENSE for more details.

ghaction-import-gpg's Issues

Failed to sign commit with passphrase

If you try to create a commit with this action, it will fail if your GPG key has a passphrase:

$ git add .
$ git commit -S -m "Signed commit"
error: gpg failed to sign the data
fatal: failed to write commit object
##[error]Process completed with exit code 128.

gpg-preset-passphrase seeds the internal cache of gpg-agent as expected with this action but looks like there is something wrong with cache lookup or maybe pinentry-program needs to be tuned.

Allow to use passphrase

A passphrase should be allowed to be used. Provide the invocation of gpg-preset-passphrase to set the passphrase for the session.

No errors but can't sign commits

Hey! 👋

Thanks for this GitHub Action.

Behaviour

Actual behaviour

I can't sign commits in GitHub Actions.

Following the README, here's what I did:

  • export the GPG private key as an ASCII armored version to your clipboard (I'm on Ubuntu 21.04)
    gpg --armor --export-secret-key [email protected] -w0 | xclip

  • Set GPG_PRIVATE_KEY in my repo secrets

  • Have a workflow file like this:

name: 'Release'

on:
  push:
    branches: [master, develop]
  pull_request:
    branches: [master, develop]

jobs:
  release:
    runs-on: 'ubuntu-latest'
    steps:
      - uses: 'actions/[email protected]'

      - name: 'Import GPG key'
        uses: 'crazy-max/[email protected]'
        with:
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          git-user-signingkey: true
          git-commit-gpgsign: true

      -
        name: GPG user IDs
        run: |
          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
          echo "keyid:       ${{ steps.import_gpg.outputs.keyid }}"
          echo "name:        ${{ steps.import_gpg.outputs.name }}"
          echo "email:       ${{ steps.import_gpg.outputs.email }}"

      - name: Sign commit and push changes
        run: |
          printf 'signed commit\n' > bar.txt
          git add .
          git commit -S -m "chore: this commit should be gpg signed! [skip ci]"
          git push

I have created a temporary GitHub repo to try to sign commits, I'll remove it later (when hopefully it works).

There are a lot of commits, because I actually tried everything but nothing seems to work.
Latest run: https://github.com/Divlo/test-release-app/runs/3377173175

As you can see, the step called GPG user IDs prints nothing.
And there is no error with Import GPG key.
It correctly creates bar.txt and commits the file, but the commit is not signed.

I'm using the GPG_PRIVATE_KEY both locally and for this GitHub Action.
All my commits created and pushed locally are signed but not the ones created with the GitHub Action.
I generated the key with $ gpg --full-generate-key without passphrase following https://docs.github.com/en/github/authenticating-to-github/managing-commit-signature-verification/generating-a-new-gpg-key.

I tried to use crazy-max/ghaction-import-gpg@openpgp5 instead of crazy-max/[email protected] and I've got this error: Error: Key block contains multiple keys
But it only contains 1 key, it works locally and with 3.2.0, there is no error.

I would love to have some help, thanks a lot! 😄

Allow using any UID from a key

Behaviour

Steps to reproduce this issue

  1. Create a key with at least 2 UIDs
  2. Use the key with this action, but set git_committer_email to any UID except the first one (when viewed with gpg -K)

Expected behaviour

This action should be able to seamlessly use any UID from the gpg key

Actual behaviour

Instead we get an error:

Committer email "[email protected]" (name: "txtsd") does not match GPG private key email "[email protected]" (name: "txtsd")

Add option to enable commit.gpgsign

For the moment this action only takes care of importing the GPG key. In order to be able to use it, the commit.gpgsign config must also be enabled for the repo and the user's key ID must be inserted:

git config user.signingkey '<KEYID>'
git config commit.gpgsign true

GPG Import fails for seemingly unknown reasons

Expected behaviour

The GPG key should be imported.

Actual behaviour

The GPG import throws incorrect email (I've confirmed it's correct), and if I don't set the email and use the one in the private key, it fails to sign the commits, using semantic-release.

Configuration

name: Node.js CI

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

env:
  CI: true
  CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
  COLONISE_PACKAGE_NAME: ${{ secrets.COLONISE_PACKAGE_NAME }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  GIT_AUTHOR_NAME: ${{ secrets.GIT_NAME }}
  GIT_AUTHOR_EMAIL: ${{ secrets.GIT_EMAIL }}
  GIT_COMMITTER_NAME: ${{ secrets.GIT_NAME }}
  GIT_COMMITTER_EMAIL: ${{ secrets.GIT_EMAIL }}

jobs:
  lint:
    name: Lint
    runs-on: ubuntu-latest

    steps:
    - name: Checkout Repository
      uses: actions/[email protected]

    - name: Setup Node.js
      uses: actions/[email protected]
      with:
        node-version: 14

    - name: Install dependencies
      run: |
        # Run NPM Clean Install
        npm ci

    - name: Run Linters
      run: |
        # Run NPM lint script
        npm run lint

  build:
    name: Build
    needs: [lint]
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x, 13.x, 14.x]

    steps:
    - name: Checkout Repository
      uses: actions/[email protected]

    - name: Setup Node.js
      uses: actions/[email protected]
      with:
        node-version: ${{ matrix.node-version }}

    - name: Install dependencies
      run: |
        # Run NPM Clean Install
        npm ci

    - name: Run Build
      run: |
        # Run NPM build script
        npm run build

  test:
    name: Test
    needs: [lint, build]
    runs-on: ubuntu-latest

    strategy:
      matrix:
        node-version: [12.x, 13.x, 14.x]

    steps:
    - name: Checkout Repository
      uses: actions/[email protected]

    - name: Setup Node.js with ${{ matrix.node-version }}
      uses: actions/[email protected]
      with:
        node-version: ${{ matrix.node-version }}

    - name: Install dependencies
      run: |
        # Run NPM Clean Install
        npm ci

    - name: Run Unit Tests
      run: |
        # Run NPM test script
        npm run test

  coverage:
    name: Test Coverage
    needs: [lint, build, test]
    runs-on: ubuntu-latest

    steps:
    - name: Checkout Repository
      uses: actions/[email protected]

    - name: Setup Node.js
      uses: actions/[email protected]
      with:
        node-version: 14

    - name: Install dependencies
      run: |
        # Run NPM Clean Install
        npm ci

    - name: Run Test Coverage and Code Climate
      uses: paambaati/[email protected]
      with:
        coverageCommand: npm run coverage
        debug: true

  release:
    name: Release
    needs: [lint, build, test]
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/[email protected]

      - name: Setup Node.js
        uses: actions/[email protected]
        with:
          node-version: 14

      - name: Install dependencies
        run: npm ci

      - name: Run Build
        run: npm run distribute

      - name: Zip Build
        run: zip -r build.zip ./distribute/

      - name: Import GPG key
        uses: crazy-max/[email protected]
        with:
          gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          git-committer-name: ${{ secrets.GIT_NAME }}
          git-committer-email: ${{ secrets.GIT_EMAIL }}
          git-user-signingkey: true
          git-commit-gpgsign: true
          git-tag-gpgsign: true
          git-push-gpgsign: true

      - name: Run Semantic Release
        run: npx semantic-release

Error: Misformed armored text

Hello! Thanks for github action crazy-max/ghaction-import-gpg

  1. gpg --export-secret-keys 9282DE1880469BB2EFE0CA4344850777D482CAC8 | base64 > private.key
  2. Create github secret GPG_SIGNING_KEY from private.key and GPG_PASSPHRASE

Github action

      - name: Import GPG key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.GPG_SIGNING_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

Error:

Run crazy-max/ghaction-import-gpg@v4
  with:
    gpg_private_key: ***
    passphrase: ***
    git_config_global: false
    git_user_signingkey: false
    git_commit_gpgsign: false
    git_tag_gpgsign: false
    git_push_gpgsign: if-asked
    workdir: .
GnuPG info
  Version    : 2.2.[1] (libgcrypt 1.8.5)
  Libdir     : /usr/lib/x86_64-linux-gnu/gnupg
  Libexecdir : /usr/lib/gnupg
  Datadir    : /usr/share/gnupg
  Homedir    : /home/runner/.gnupg
Error: Misformed armored text

Code https://github.com/Drill4J/logger-api/blob/master/.github/workflows/publish.yml
Log https://github.com/Drill4J/logger-api/runs/5184058495?check_suite_focus=true

Sign plain files

Behaviour

Steps to reproduce this issue

      - name: "Import GPG key"
        id: "import_gpg"
        uses: "crazy-max/ghaction-import-gpg@v3"
        with:
          gpg-private-key: "${{ secrets.GPG_PRIVATE_KEY }}"

      - name: "Sign PHAR file"
        run: |
          export GPG_TTY="$(tty)"
          gpg --detach-sign --output build/bin/rector.phar.asc build/bin/rector.phar

Expected behaviour

I'd like to sign a PHAR file.

Actual behaviour

gpg: signing failed: No such file or directory

Configuration

https://github.com/szepeviktor/rector-phar/runs/1652311216?check_suite_focus=true

Suggestion: pass or allow `--global` flag when configuring properties in `git config`

Hey,

I'm using your (awesome!) action in a workflow responsible for two different git repos, the root repo, and a git submodule repo which is a subdirectory in the root repo.

I'm using the same key for signing commits in both repos.

Unfortunately, your git config routine responsible for setting various properties, for example user.email, user.name, user.signingkey or commit.gpgsign does not pass the --global argument, in result being applied only to the repository in the workdir specified, which is my root repository by default.

My suggestion: add a boolean value, such as global: true in with properties, that would cause the --global argument to be passed to each call of git config.

This would allow me to use one import call for both of my repos, as opposed to my current approach which executes two different import calls with different workdir in order to set the git config values twice, one for each (local) repo.

See https://git-scm.com/docs/git-config documentation for more info on --global option.

Thank you in advance for your consideration in regards to this suggestion.

Error raised if '.gnupg/gpg-agent.conf' does not exist

Behaviour

The action failed to run and raised Error: ENOENT: no such file or directory, open '.gnupg/gpg-agent.conf' when trying to configure the GnuPG agent.

Steps to reproduce this issue

I used the action for signing tags in the following step:

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.BOT_GPG_PASSPHRASE }}
          git_user_signingkey: true
          git_tag_gpgsign: true

Expected behaviour

The action should work without raising an issue. If the file does not exist, I believe it should be created instead.

Actual behaviour

The following error was raised: Error: ENOENT: no such file or directory, open '.gnupg/gpg-agent.conf'

Configuration

Complete yaml can be found here.

Logs

Action logs

Run crazy-max/ghaction-import-gpg@v5
  with:
    gpg_private_key: ***
  
    passphrase: ***
    git_user_signingkey: true
    git_tag_gpgsign: true
    git_config_global: false
    git_commit_gpgsign: false
    git_push_gpgsign: if-asked
    workdir: .
  env:
    ACTION_RUN_URL: https://github.com/zama-ai/concrete-ml/actions/runs/6010454835
    IS_RC: True
    GIT_TAG: v1.2.0-rc0
    RELEASE_BRANCH_NAME: release/1.2.x
GnuPG info
  Version    : 2.2.19 (libgcrypt 1.8.5)
  Libdir     : /usr/lib/x86_64-linux-gnu/gnupg
  Libexecdir : /usr/lib/gnupg
  Datadir    : /usr/share/gnupg
  Homedir    : /root/.gnupg
GPG private key info
  Fingerprint  : 05BB1A52365C60244EB41DB3818604E7F89DE1C0
  KeyID        : 818604E7F89DE1C0
  Name         : Zama Bot
  Email        : [email protected]
  CreationTime : Tue Aug 29 2023 10:23:37 GMT+0200 (Central European Summer Time)
Fingerprint to use
  05BB1A52365C60244EB41DB3818604E7F89DE1C0
Importing GPG private key
  gpg: directory '/root/.gnupg' created
  gpg: keybox '/root/.gnupg/pubring.kbx' created
  gpg: /root/.gnupg/trustdb.gpg: trustdb created
  gpg: key 818604E7F89DE1C0: public key "Zama Bot (GPG key to enable the Zama bot to sign git commits) <[email protected]>" imported
  gpg: key 818604E7F89DE1C0: secret key imported
  gpg: Total number processed: 1
  gpg:               imported: 1
  gpg:       secret keys read: 1
  gpg:   secret keys imported: 1
Configuring GnuPG agent
Error: ENOENT: no such file or directory, open '.gnupg/gpg-agent.conf'

67108933 Not implemented <GPG Agent>

Behaviour

Steps to reproduce this issue

  1. Create a key with subkeys.
  2. Add a subkey for signing using ECDSA.
  3. Add a subkey for signing using RSA.
  4. Export the key using ASCII armor: gpg --armor --export-secret-keys KEYID | pbcopy
  5. Add the key as a secret for this workflow.
  6. Add the passphrase as a secret in GitHub for this workflow.

In this workflow I am selecting the RSA subkey for signing.

Expected behaviour

The key should successfully load into the gpg-agent.

Actual behaviour

Running this workflow fails with the following log:

Configuring GnuPG agent
::group::Getting keygrip for fingerprint
Getting keygrip for fingerprint
Error: ERR 67108933 Not implemented <GPG Agent>

Configuration

name: release
on:
  push:

jobs:
  release-provider:
    runs-on: ubuntu-22.04

    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/[email protected]
        with:
          fetch-depth: 0

      - name: Set up Go
        uses: actions/[email protected]
        with:
          go-version-file: 'go.mod'
          check-latest: true
          cache: true

      - name: Import GPG key
        uses: crazy-max/[email protected]
        id: gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
          fingerprint: EA0A37E819AFBAE6

    …

Logs

See attached build URL.

Set trust on private key import

Behaviour

When I use this action to set up gpg, it imports the private key just fine, but it doesn't set any trust.

For the deployment that I am trying to set up, I want to be able to both sign and verify with the key.

Steps to reproduce this issue

  1. use your example setup
  2. gpg sign a file from my repo
  3. gpg --verify that signature

Actual behaviour

gpg: Signature made Wed Nov 24 19:03:33 2021 UTC
gpg:                using RSA key xxxxx
gpg: Good signature from "Peter's Signing Key" [unknown]
gpg:                 aka "Peter <[email protected]>" [unknown]
gpg:                 aka "Peter <[email protected]>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.

Expected behaviour

It should trust my own key, something like:

gpg: Signature made Wed Nov 24 19:35:18 2021 UTC
gpg:                using RSA key DEADBEEF
gpg: Good signature from "Peter's Signing Key" [ultimate]
gpg:                 aka "Peter <[email protected]>" [ultimate]
gpg:                 aka "Peter <[email protected]>" [ultimate]

Configuration

# This is a basic workflow to help you get started with Actions

name: perl-deploy-gpg

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the main branch
  push:
    tags: '*'
    branches: '*'

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2

      # Set up GPG per https://stackoverflow.com/a/66457517/5508606 ; updated by most recent example in action repo
      - name: Import GPG Key
        id: import_gpg
        uses: crazy-max/ghaction-import-gpg@v4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      # official example
      - name: GPG user IDs
        run: |
          echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
          echo "keyid:       ${{ steps.import_gpg.outputs.keyid }}"
          echo "name:        ${{ steps.import_gpg.outputs.name }}"
          echo "email:       ${{ steps.import_gpg.outputs.email }}"

      # my experiments
      - name: My experiments
        run: |
          echo detach sign
          gpg --local-user 0xDEADBEEF --detach-sign --armor Makefile.PL
          
          echo verify
          gpg --verify Makefile.PL.asc Makefile.PL

Workaround

If I add the following step after the Import GPG Key step, then I get the "expected behaviour":

      # trust myself
      - name: Update Trust = Trust myself
        id: trust_myself
        run: |
          gpg --no-tty --command-fd 0 --edit-key 0xDEADBEEF << EOTRUST
          trust
          5
          y
          quit
          EOTRUST

It would be nice if your action set the trust by default, or at least allowed a with: parameter to set the trustlevel -- accepting the values of 1-5

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately

Keygrip empty

Behaviour

Action runs and fails with:

17:16:34.041447 git.c:439               trace: built-in: git commit -m '[NO-JIRA] Update CODEOWNERS file'
17:16:34.048912 run-command.c:655       trace: run_command: gpg --status-fd=2 -bsau EF1A6F3A62520D9C
error: gpg failed to sign the data:
gpg: skipped "EF1A6F3A62520D9C": No secret key
[GNUPG:] INV_SGNR 9 EF1A6F3A62520D9C
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

When reviewing the logs, the keygrip is empty:

Run crazy-max/ghaction-import-gpg@v5
  with:
    gpg_private_key: ***
    passphrase: ***
    git_config_global: true
    git_user_signingkey: true
    git_commit_gpgsign: true
    git_tag_gpgsign: false
    git_push_gpgsign: if-asked
    workdir: .
GnuPG info
  Version    : 2.2.27 (libgcrypt 1.9.4)
  Libdir     : /usr/lib/x86_64-linux-gnu/gnupg
  Libexecdir : /usr/lib/gnupg
  Datadir    : /usr/share/gnupg
  Homedir    : /home/runner/.gnupg
GPG private key info
  Fingerprint  : CAD7ADA00BA95F7573A6B291EF1A6F3A62520D9C
  KeyID        : EF1A6F3A62520D9C
  Name         : camelotMachineUser
  Email        : [email protected]
  CreationTime : Tue Apr 18 2023 17:07:23 GMT+0000 (Coordinated Universal Time)
Fingerprint to use
  CAD7ADA00BA95F7573A6B291EF1A6F3A62520D9C
Importing GPG private key
  gpg: directory '/home/runner/.gnupg' created
  gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
  gpg: /home/runner/.gnupg/trustdb.gpg: trustdb created
  gpg: key EF1A6F3A62520D9C: public key "camelotMachineUser (BOT account for camelot builds) <[email protected]>" imported
  gpg: Total number processed: 1
  gpg:               imported: 1
Configuring GnuPG agent
Getting keygrips
Setting outputs
  fingerprint=CAD7ADA00BA95F7573A6B291EF1A6F3A62520D9C
  keyid=EF1A6F3A62520D9C
  name=XXXXXXXXXX
  [email protected]
Setting GPG signing keyID for this Git repository
Configuring Git committer (XXXXXX <[email protected]>)
Sign all commits automatically
Sign all pushes automatically

Steps to reproduce this issue

  1. Created a new GPG key for a bot account, added to the account + created the required github secret for the key + passphrase
  2. Create the github action
  3. run workflow without the error

Expected behaviour

Tell me what should happen
gpg -K should probably list keys but it doesn't
Should be able to sign commits

Actual behaviour

Fails with an error:

17:16:34.041447 git.c:439               trace: built-in: git commit -m '[NO-JIRA] Update CODEOWNERS file'
17:16:34.048912 run-command.c:655       trace: run_command: gpg --status-fd=2 -bsau EF1A6F3A62520D9C
error: gpg failed to sign the data:
gpg: skipped "EF1A6F3A62520D9C": No secret key
[GNUPG:] INV_SGNR 9 EF1A6F3A62520D9C
[GNUPG:] FAILURE sign 17
gpg: signing failed: No secret key

Configuration

  • Repository URL (if public): private
  • Build URL (if public): private

      - name: Import bot's GPG key for signing commits
        id: import-gpg
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.MACHINEUSER_GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.MACHINEUSER_GPG_PASSPHRASE }}
          git_config_global: true
          git_user_signingkey: true
          git_commit_gpgsign: true
      - name: List keys
        run: gpg -K
      - name: Commit changes
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        run: |
          git add .github/CODEOWNERS
          git add README.md
          export GIT_TRACE=1
          git commit -m "[NO-JIRA] Update CODEOWNERS file"

Logs

Download the log file of your build
and attach it to this issue.

Github actions not working

Hi,

I am unable to use your github action. Below is the workflow:

on:
  push:
    branches: [master]
    paths:
      - '.github/project.yaml'

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v1
        with:
          git_gpgsign: true
        env:
          SIGNING_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}

Below is the error I am getting:

internal/modules/cjs/loader.js:800
    throw err;
    ^

Error: Cannot find module 'asn1.js'
Require stack:
- /home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:797:15)
    at Function.Module._load (internal/modules/cjs/loader.js:690:27)
    at Module.require (internal/modules/cjs/loader.js:852:19)
    at require (internal/modules/cjs/helpers.js:74:18)
    at o (/home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:1892:200)
    at /home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:1892:391
    at Object.<anonymous> (/home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:32512:27)
    at Object.108.../../config (/home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:33029:4)
    at o (/home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:1892:340)
    at /home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js:1892:391 {
  code: 'MODULE_NOT_FOUND',
  requireStack: [
    '/home/runner/work/_actions/crazy-max/ghaction-import-gpg/v1/dist/index.js'
  ]
}

node_modules checked in -- by accident?

It's common to just check in yarn.lock, and add node_modules to .gitignore. Installing with yarn also yields no changes to node_modules for me, so maybe it was unintentional?

Error Checking GPG private key

Behaviour

Steps to reproduce this issue

  1. Export the private key:
     gpg --armor --export-secret-key F1840E7D69CDF54D66EFAAA762B9XXXXXXXXXX -w0
  2. Create GPG_PRIVATE_KEY and PASSPHRASE
  3. git tag -f v0.0.1

Expected behaviour

signed artefact with gpg

Actual behaviour

My artefact should be signed, but I faced an issue at the Import GPG key step.
I don't know why I cannot import the key:
Checking GPG private key
Error: Could not find valid encryption key packet in key 62xxxxxxxx

Configuration

  • Repository URL (if public):
  • Build URL (if public):

name: release
on:
  push:
    tags:
      - 'v*'
jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Unshallow
        run: git fetch --prune --unshallow
      -
        name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.14
      -
        name: Import GPG key
        id: import_gpg
        uses: paultyng/[email protected]
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
      -
        name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
          version: latest
          args: release --rm-dist
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Logs

Download the log file of your build and attach it to this issue.

Unable to import GPG private key

Behaviour

Steps to reproduce this issue

  1. Add PASSPHRASE and SIGNING_KEY as secret.
    Follow the steps below to get your SIGNING_KEY value:
    - Run "gpg --list-secret-keys" and copy the ID of the key you'd like to use
    - Export the key with "gpg -a --export-secret-keys KEY_ID" (replace KEY_ID with your copied ID)
  2. create the workflow import-gpg.yaml
  3. Push something to master branch to trigger the workflow

Expected behaviour

The workflow should run successfully and the gpg private key should have been imported

Actual behaviour

Workflow failed and gpg private key did not get imported (output)

Configuration

# paste your YAML workflow file here and remove sensitive data

name: import-gpg

on:
  push:
    branches: master

jobs:
  import-gpg:
    runs-on: ubuntu-latest
    steps:
      -
        name: Checkout
        uses: actions/checkout@v2
      -
        name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v1
        with:
          git_gpgsign: true
        env:
          SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}

Logs

Download the [log file of your build](https://github.com/riprasad/gitub-actions-demo/runs/646938049?check_suite_focus=true) and attach it to this issue.

logs_263.zip

Wrong instructions for exporting with Arch Linux

Behaviour

Steps to reproduce this issue

  1. Export a key with gpg --armor --export-secret-key [email protected] | sed -z 's;\n;;g' | xclip -selection clipboard -i on Arch Linux

Expected behaviour

Key should be imported to the keyring

Actual behaviour

Outputs "malformed key" when importing the key using the action.

Removing sed -z 's;\n;;g' works.

Configuration

  - uses: crazy-max/ghaction-import-gpg@v3
    id: gpg
    with:
      gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}

Logs

N/A
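The "malformed key" above is what happens when the newlines of an armored export are stripped (the `sed -z 's;\n;;g'` step): ASCII armor is line-oriented, so the BEGIN line, the base64 body, the `=`-prefixed CRC-24 line and the END line must each stand on their own line. The following Python validator is an added example, not code from this action or from the issue author; it implements the armor framing and CRC-24 of RFC 4880 section 6, builds an armored block from a constructed placeholder payload (not a real key), and rejects the same block once its newlines are removed or its body is altered. The names `armor`, `dearmor`, `crc24` and `check_export` are chosen here.

```python
"""ASCII-armor framing check (RFC 4880 section 6), added example.

The payload used below is constructed placeholder bytes, not a real key.
"""
import base64
import re

ARMOR_HEADER = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
ARMOR_FOOTER = re.compile(r"^-----END PGP ([A-Z ]+)-----$")

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the raw (de-armored) bytes, as in RFC 4880 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str = "PRIVATE KEY BLOCK") -> str:
    """Wrap raw bytes in ASCII armor: BEGIN line, blank line, 64-column base64,
    '=' + CRC-24, END line. Every element ends with a newline."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [f"-----BEGIN PGP {block_type}-----", ""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii"))
    lines.append(f"-----END PGP {block_type}-----")
    return "\n".join(lines) + "\n"


def dearmor(text: str) -> bytes:
    """Parse an armored block and return its payload.

    Raises ValueError with a reason whenever the framing is broken, which is
    exactly what a newline-stripped export looks like to a parser.
    """
    lines = text.splitlines()
    if not lines:
        raise ValueError("malformed armor: empty input")
    header = ARMOR_HEADER.match(lines[0].strip())
    if header is None:
        raise ValueError("malformed armor: BEGIN line must stand on its own line")
    # Optional armor headers (Version:, Comment:) run until the first blank line.
    i = 1
    while i < len(lines) and lines[i].strip():
        if ":" not in lines[i]:
            raise ValueError(f"malformed armor: bad header line {lines[i]!r}")
        i += 1
    body, checksum = [], None
    for line in lines[i + 1:]:
        line = line.strip()
        if not line:
            continue
        footer = ARMOR_FOOTER.match(line)
        if footer:
            if footer.group(1) != header.group(1):
                raise ValueError("malformed armor: BEGIN/END block types differ")
            break
        if line.startswith("="):  # base64 never starts with '=', so this is the CRC line
            checksum = line[1:]
            continue
        body.append(line)
    else:
        raise ValueError("malformed armor: missing END line")
    data = base64.b64decode("".join(body), validate=True)
    if checksum is not None:
        expected = int.from_bytes(base64.b64decode(checksum), "big")
        if crc24(data) != expected:
            raise ValueError("armor CRC-24 mismatch: body was altered or truncated")
    return data


def check_export(text: str) -> str:
    """One-line verdict for a pasted export, as a workflow pre-check might report it."""
    try:
        payload = dearmor(text)
    except ValueError as exc:
        return f"rejected: {exc}"
    return f"ok: {len(payload)} bytes of OpenPGP packet data"


# Constructed placeholder payload; a real export carries OpenPGP packets here.
SAMPLE_PAYLOAD = bytes(range(256)) * 2
SAMPLE_ARMOR = armor(SAMPLE_PAYLOAD)
# The same text after `sed -z 's;\n;;g'` or `tr -d '\n'`: one line, framing destroyed.
FLATTENED_ARMOR = SAMPLE_ARMOR.replace("\n", "")

if __name__ == "__main__":
    print(check_export(SAMPLE_ARMOR))
    print(check_export(FLATTENED_ARMOR))
```

Pasting the export straight from `gpg --armor --export-secret-key ...` into the secret, newlines included, keeps the framing intact; any post-processing that joins lines should be checked with a validator like this before the value reaches the workflow.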

Premature key removal in cleanup due to concurrency

Behaviour

When multiple runners on the same machine simultaneously run a job using this action it often happens that this action's cleanup in one runner will clean the key out from under the others, causing them to fail.

Steps to reproduce this issue

Consider a job with the following steps:
A: load keys (uses: crazy-max/ghaction-import-gpg@v5)
B: use keys in various ways
C: Post A (cleanup)
Now consider the case where this job simultaneously runs in runners 1 and 2 in the following order: A1 B1 A2 C1 B2 C2.
Once C1 completes, the key is removed and B2 fails.

The output of C2 is as follows, confirming that the key it is expecting to remove no longer exists:

Post job cleanup.
Removing key 47CF7092419B6B580DE41EC020876FE7C6051B
Warning: gpg: key "47CF70292419B6B580DE41EC020876F3E7C6051B" not found: Not found
gpg: 7CF70292419B6B580DE41EC020876F3E7C6051B: delete key failed: Not found

Expected behaviour

Cleanup in one job should not affect another, so B2 should not fail.

Actual behaviour

Runner 1 removes the key that runner 2 is still using, causing the job in runner 2 to fail.

Configuration

The relevant config is shown below, but the problem as stated should be simple enough without needing this.

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: Commit changes
        uses: stefanzweifel/git-auto-commit-action@v4
        with:
          commit_message: '<removed>'
          commit_user_name: '<removed>'
          commit_user_email: '<removed>'
          commit_author: '<removed>'
          commit_options: '--no-verify -S'

Logs

Work-related so I'd rather not make it available, but it should not be necessary.

Unable to export GPG key

Behaviour

Steps to reproduce this issue

  1. Set your GitHub secrets:
    1. ${{ secrets.GPG_PRIVATE_KEY }}
    2. ${{ secrets.GPG_PASSPHRASE }}
    3. ${{ secrets.GPG_KEY_ID }}
  2. Configure a GitHub action like so
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          fingerprint: ${{ secrets.GPG_KEY_ID }}

      - name: Export GPG key to legacy format
        run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg
  3. Run the action

Expected behaviour

GPG should export the specified GPG key into ~/.gnupg/pubring.gpg

Actual behaviour

The import step completes successfully, but exporting the key does not. Below is what is shown:

  Run gpg --export-secret-keys > ~/.gnupg/pubring.gpg
  gpg --export-secret-keys > ~/.gnupg/pubring.gpg
  shell: /usr/bin/bash -e {0}
gpg: key 3542E92F08CF2673973F54E25347ACDAC05744B8: error receiving key from agent: Inappropriate ioctl for device - skipped
gpg: 672E6CBF977A40F508F88F4CBBE8211E927B068C: error receiving key from agent: Inappropriate ioctl for device - skipped
gpg: WARNING: nothing exported
Error: Process completed with exit code 2.

Note: I know it shows I used crazy-max/ghaction-import-gpg@v5, but before that version, I tried the latest v5.2.0.
gpg_screenshot

Haha, I guess it didn't make a difference to block out that information. 😛

Configuration

name: Release Charts

on:
  push:
    branches:
      - main

jobs:
  release:
    runs-on: ubuntu-latest

    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "[email protected]"

      - name: Install Helm
        uses: azure/setup-helm@v3
        with:
          version: v3.8.1

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@v5
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
          fingerprint: ${{ secrets.GPG_KEY_ID }}

      - name: Export GPG key to legacy format
        run: gpg --export-secret-keys > ~/.gnupg/pubring.gpg

      - name: Add dependency chart repos
        run: |
          helm repo add jdstone https://charts.jdstone.dev

      - name: Run chart-releaser
        uses: helm/[email protected]
        with:
          charts_dir: charts
          config: cr.yaml
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

Logs

logs_47.zip

Input required and not supplied: gpg_private_key

Behaviour

Importing GPG keys to decrypt a file triggers the error Input required and not supplied, causing the job to fail.

I tried changing the workflow from pull_request to pull_request_target because, as far as I understood, GitHub changed permissions for PRs so that secrets can't be accessed, for security reasons.

I also tried multiple things but nothing works. (Other secrets are accessed properly and other steps were working fine; it's just the ones related to the GPG secrets.)

Steps to reproduce this issue

  1. Add keys as Environment secrets
  2. Run Job on creating PR

Expected behaviour

It should read keys from Secrets

Actual behaviour

Job fails with error: Input required and not supplied: gpg_private_key

Configuration

  • Repository URL (if public): Private Repo
  • Build URL (if public): Private Repo
name: Build APK and push to S3
on: pull_request_target


jobs:
  setup:
    runs-on: ubuntu-latest

    strategy:
      matrix:
        # os: [ubuntu-latest, macos-latest, windows-latest]
        os: [ubuntu-latest]
        node: [14] # [10, 12]

    permissions:
      pull-requests: write
      contents: write

    steps:
      - uses: actions/setup-node@v3
        with:
          node-version: ${{ matrix.node }}

      - name: checkout
        uses: actions/checkout@v3
        with:
          fetch-depth: 0 # All history

      - name: cache node_modules
        id: node_modules_cache_id
        uses: actions/cache@v1
        with:
          path: node_modules
          key: ${{ matrix.os }}-node-v${{ matrix.node }}-deps-${{ hashFiles(format('{0}{1}', github.workspace, '/yarn.lock')) }}

      - name: install
        run: yarn --check-files --frozen-lockfile --non-interactive

      - name: cache workspace
        uses: actions/cache@v3
        with:
          path: ${{ github.workspace }}
          key: ${{ matrix.os }}-node-v${{ matrix.node }}-react-native-${{ github.sha }}

      - name: Import GPG Key
        uses: crazy-max/ghaction-import-gpg@v5
        with:    
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
        # env:
        #   gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
        #   passphrase: ${{ secrets.GPG_PASSPHRASE }}

      - name: List keys
        run: gpg -K

Logs

logs_33.zip

Support `if-asked` for `git-push-gpgsign`

As of today, GitHub does not support signed git pushes, therefore setting git-push-gpgsign to true will actually fail the push.

However, as the git manual states in https://git-scm.com/docs/git-config, you can actually set push.gpgsign to not only false and true values, but also if-asked, which will effectively sign the push if the resulting server supports it, and avoid a failure if it does not.

It'd probably be a good idea for git-push-gpgsign to support if-asked option in addition to true and false. I don't see a good reason why it shouldn't, and supporting it would allow us to bullet-proof for the future when GitHub (and probably a lot of other git servers) enable that option on their backends.

Thank you in advance for considering this feature.

Transient ERR 67108891 Not found <GPG Agent>

Behavior

When running the action multiple times in an actions matrix (using a self-hosted runner), the gpg import occasionally fails with ERR 67108891 Not found

Steps to reproduce this issue

  1. Use working crazy-max/ghaction-import-gpg@v4 setup
  2. Implement in GitHub Actions Matrix
  3. Run action many times on self-hosted runner

Expected behavior

The GPG key is successfully imported and the action completes successfully

Actual behavior

1 in every 15-20 times, the action fails with ERR 67108891 Not found <GPG Agent>
If the action is re-run, sometimes the same error occurs (sometimes on the same matrix job, sometimes a different one), and sometimes the job completes successfully.

Configuration

  • Repository URL (if public): N/A
  • Build URL (if public): N/A
    - name: Import GPG key
      uses: crazy-max/ghaction-import-gpg@v4
      with:
        gpg_private_key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
        passphrase: ${{ secrets.BOT_GPG_PRIVATE_KEY_PASS }}
        git_user_signingkey: true
        git_commit_gpgsign: true

Logs

actionlog.txt

openpgp is an outdated version that does not support ECC keys

Behaviour

Currently it appears this is using "@types/openpgp": "^4.4.14" to provide the openpgpjs "bindings", sadly "@types/openpgp" hasn't been updated in almost 4 years. (Okay, maybe only 2.5 years) And it seems stuck at version 4.4.14.

Current version is 4.10.9. It seems it is also an open issue here: openpgpjs/openpgpjs#561

Most notably, @types/openpgp is missing support for Elliptic curve keys as this was included in openpgpjs 4.7.
ECC keys are really interesting because they are way smaller than RSA keys, and so they are nice to use for Github Secrets, IMO.

I believe according to the Openpgpjs issue that https://github.com/FlowCrypt/types is more up to date and maybe it might even work with 4.10.
They are still working on it: FlowCrypt/types#1 (but without the version tags, I'm afraid)

This might also be the cause of #71

My proposal is to migrate to https://github.com/FlowCrypt/types instead.

Steps to reproduce this issue

  1. Create a key using P-512:
    gpg --expert --full-generate-key
    // (10) ECC
    // (5) NIST P-512 
    
  2. Add it using this action
  3. See the same issue as here: https://github.com/gopasspw/gopass/runs/1730875607?check_suite_focus=true

Expected behaviour

The key should be imported and working as expected.

Actual behaviour

It fails says:

Error: Could not find valid encryption key packet in key

Configuration

Not really relevant to the issue, but in case:

Post-cleanup GPG action generates a warning if the same key is imported twice

Behaviour

Post-cleanup GPG action fails if the same key is imported twice. This generates unnecessary warning that is not possible to correct from the user's perspective.

Some background: I have an action which downloads latest translations of my project from third-party service. Due to the way how it works, and the fact that it's currently impossible to set git config properties globally (see #92), I actually use your action to commit and push in two different repos in one action: a subdirectory wiki repo (which is a git submodule), and the main repo.

See https://github.com/JustArchiNET/ArchiSteamFarm/runs/2646297703 as an example.


Steps to reproduce this issue

Import the same key twice in two different actions.

    - name: Import GPG key for <someotherdir>
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.GPG_KEY }}
        git-user-signingkey: true
        git-commit-gpgsign: true
        git-tag-gpgsign: true
        workdir: <someotherdir>

    - name: Import GPG key for root dir
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.GPG_KEY }}
        git-user-signingkey: true
        git-commit-gpgsign: true
        git-tag-gpgsign: true

Expected behaviour

GPG action should not generate a warning that comes from the result of trying to remove the same key twice. One of the solutions might be to check if the key is in fact in the keystore prior to trying to remove it.

I'm unsure whether it won't be needed to deal with double agent-killing as well in this regard.

Actual behaviour

Second post-cleanup job generates this warning:

Post job cleanup.
🚿 Removing keys
Warning: gpg: key "<somekey>" not found: Not found
gpg: <somekey>: delete key failed: Not found

Configuration

name: ASF-translations

on:
  push:
  schedule:
  - cron: '0 2 * * *'

jobs:
  update:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout code
      uses: actions/checkout@v2
      with:
        submodules: recursive

    - name: Reset wiki to follow origin
      shell: sh
      run: |
        set -eu

        cd wiki

        git fetch --depth=1 origin master
        git reset --hard origin/master

    - name: Download latest translations from Crowdin
      uses: crowdin/[email protected]
      with:
        upload_sources: false
        download_translations: true
        skip_untranslated_strings: true
        push_translations: false
        crowdin_branch_name: main
        config: '.github/crowdin.yml'
        project_id: ${{ secrets.ASF_CROWDIN_PROJECT_ID }}
        token: ${{ secrets.ASF_CROWDIN_API_TOKEN }}

    - name: Import GPG key for wiki
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.ARCHIBOT_GPG_PRIVATE_KEY }}
        git-user-signingkey: true
        git-commit-gpgsign: true
        git-tag-gpgsign: true
        workdir: wiki

    - name: Commit the changes to wiki
      shell: sh
      run: |
        set -eu

        cd wiki

        git add -A "locale"

        if ! git diff --cached --quiet; then
            git commit -m "Automatic translations update"
        fi

    - name: Push changes to wiki
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        branch: master
        directory: wiki
        repository: ${{ github.repository }}.wiki

    - name: Import GPG key for ASF
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.ARCHIBOT_GPG_PRIVATE_KEY }}
        git-user-signingkey: true
        git-commit-gpgsign: true
        git-tag-gpgsign: true

    - name: Commit the changes to ASF
      shell: sh
      run: |
        set -eu

        git add -A "ArchiSteamFarm/Localization" "ArchiSteamFarm.OfficialPlugins.SteamTokenDumper/Localization" "wiki"

        if ! git diff --cached --quiet; then
            git commit -m "Automatic translations update"
        fi

    - name: Push changes to ASF
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
        branch: ${{ github.ref }}

Logs

logs_4363.zip

Additional information

This isn't critical bug because only warning is generated and the workflow otherwise works properly, but it's definitely something that should be corrected in regards to planned use cases.

Side note: with enhancement mentioned in #92, the "proper" workaround for this issue might be "just import your key once globally instead". It'd definitely work for my case, but if somebody would indeed want to go full local with the same key in two different repos, he'll still get this warning.

Thanks in advance.

Delete key fails when you use set a subkey for the fingerprint input

Behaviour

If you use the input fingerprint with the fingerprint of the subkey, the Post import GPG key step tried to delete the key using the fingerprint of the subkey. I suppose you have to use the KeyID (fingerprint of the primary key).

Steps to reproduce this issue

They were described in this PR.

Expected behaviour

I should delete the key.

Actual behaviour

It does not delete the key and it was correctly imported into the keyring.

Configuration

Logs


No secret key when signing with goreleaser

Behaviour

Steps to reproduce this issue

  1. Using this action with go releaser
  2. This is the job used when running here

Expected behavior

There should be a secret key that is usable in github action but this does not exist

Actual behaviour

Get the following error:

error=sign: gpg failed: exit status 2: gpg: skipped "16FD00780F650E14C1DADC0C7C6D3C2557522BBB": No secret key
| gpg: signing failed: No secret key

This is caused by there being no secret key, only a public key.

Configuration

  • PASSPHRASE and GPG_PRIVATE_KEY are set in repo secrets as expected.
# Visit https://goreleaser.com for documentation on how to customize this
# behavior.
before:
  hooks:
    # this is just an example and not a requirement for provider building/publishing
    - go mod tidy
builds:
- env:
    # goreleaser does not work with CGO, it could also complicate
    # usage by users in CI/CD systems like Terraform Cloud where
    # they are unable to install libraries.
    - CGO_ENABLED=0
  mod_timestamp: '{{ .CommitTimestamp }}'
  flags:
    - -trimpath
  ldflags:
    - '-s -w -X main.version={{.Version}} -X main.commit={{.Commit}}'
  goos:
    - darwin
  goarch:
    - arm64
  binary: '{{ .ProjectName }}_v{{ .Version }}'
archives:
- format: zip
  name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}'
checksum:
  extra_files:
    - glob: 'terraform-registry-manifest.json'
      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
  name_template: '{{ .ProjectName }}_{{ .Version }}_SHA256SUMS'
  algorithm: sha256
signs:
  - artifacts: checksum
    cmd: gpg
    args: ['--batch', '--local-user', '{{ .Env.GPG_FINGERPRINT }}', '--output', '${signature}', '--detach-sign', '${artifact}']
release:
  extra_files:
    - glob: 'terraform-registry-manifest.json'
      name_template: '{{ .ProjectName }}_{{ .Version }}_manifest.json'
  # If you want to manually examine the release before its live, uncomment this line:
  # draft: true
changelog:
  skip: true

Getting error `gpg: error reading key: No secret key`

Behaviour

Steps to reproduce this issue

  1. Create gpg keys using gpg --gen-key
  2. Get private key using gpg --armor --export <sec_key>
  3. Create github repo secrets GPG_PRIVATE_KEY for passphrase and GPG_PASSPHRASE with step 2 private key
  4. Try running ghaction-import-gpg as below

Expected behaviour

It must complete execution without errors

Actual behaviour

Error: gpg: error reading key: No secret key

Configuration

- name: Import GPG key
  uses: crazy-max/[email protected]
  with:
    gpg-private-key: ${{ secrets.GPG_PRIVATE_KEY }}
    passphrase: ${{ secrets.GPG_PASSPHRASE }}
    git-user-signingkey: true
    git-commit-gpgsign: true
    git-tag-gpgsign: true
  env:
    debug: true

Logs


Signing-only subkeys fail to import

Behaviour

It appears that the action fails to accept signing-only subkeys when attempting to import the key.

Steps to reproduce this issue

  1. Generate secret subkey with only signing capability
  2. Export signing subkey to Actions Secret
  3. Configure action as documented in readme

Expected behaviour

I'd expect the key to be registered successfully such that commit and tag signing works as usual.

Since the private key needs to be stored within Actions' Secrets, it is beneficial to limit the exposed surface area of the key. For that reason, I only want the signing subkey to be stored as the secret, not the entire master secret key. (That way revocation is straightforward, in the event the key is compromised.)

Demonstration of local commit sign with signing-subkey only:
$ export GNUPGHOME=/var/folders/g5/hjyp2_y91ggcbxmqnrxs54dh0000gn/T/tmp.bcUU6uhH
$ gpg -K
$ gpg --import sign.gpg 
gpg: key 249FB5A789A6EF28: public key "Nodenv Bot (github) " imported
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 249FB5A789A6EF28: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg -K
/var/folders/g5/hjyp2_y91ggcbxmqnrxs54dh0000gn/T/tmp.uTi7eG3E/pubring.kbx
-------------------------------------------------------------------------
sec#  rsa4096 2020-09-01 [C]
      EC4A05892FB2603243F5031D249FB5A789A6EF28
uid           [ unknown] Nodenv Bot (github) 
uid           [ unknown] Nodenv Bot 
ssb   rsa4096 2020-09-01 [S]

$ git config user.name nodenv-bot
$ git config user.email [email protected]
$ git config user.signingkey 91F91D7F54BA3485
$ git ci -S --allow-empty -m testing
[bot-sign eea63992] testing
$ git show --show-signature
gpg: Signature made Tue Sep 1 20:10:08 2020 EDT
gpg: using RSA key CEA5F06CC5C89B801954C4B291F91D7F54BA3485
gpg: Good signature from "Nodenv Bot (github) [email protected]" [unknown]
gpg: aka "Nodenv Bot [email protected]" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EC4A 0589 2FB2 6032 43F5 031D 249F B5A7 89A6 EF28
Subkey fingerprint: CEA5 F06C C5C8 9B80 1954 C4B2 91F9 1D7F 54BA 3485

Actual behaviour

When the import-gpg action runs, it generates an error:

Run crazy-max/ghaction-import-gpg@v2
  with:
    git_user_signingkey: true
    git_commit_gpgsign: true
    git_tag_gpgsign: true
    git_push_gpgsign: false
    workdir: .
  env:
    GPG_PRIVATE_KEY: ***
  
📣 GnuPG info
Version    : 2.2.4 (libgcrypt 1.8.1)
Libdir     : /usr/lib/x86_64-linux-gnu/gnupg
Libexecdir : /usr/lib/gnupg
Datadir    : /usr/share/gnupg
Homedir    : /home/runner/.gnupg
🔮 Checking GPG private key
##[error]Could not find valid encryption key packet in key 249fb5a789a6ef28

Configuration

name: Test Signing
on:
  push:

jobs:
  bump:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: bot-sign
          fetch-depth: 0
          token: ${{ secrets.BOT_TOKEN }}

      - uses: crazy-max/ghaction-import-gpg@v2
        with:
          git_user_signingkey: true
          git_commit_gpgsign: true
          git_tag_gpgsign: true
        env:
          GPG_PRIVATE_KEY: ${{ secrets.BOT_GPG_KEY }}

      - run: git commit --allow-empty -m testing
        env:
          GIT_AUTHOR_NAME: 'nodenv bot'
          GIT_AUTHOR_EMAIL: '[email protected]'
          GIT_COMMITTER_NAME: 'nodenv bot'
          GIT_COMMITTER_EMAIL: '[email protected]'

      - run: git push

Logs

log.txt
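Several reports on this page ("Error Checking GPG private key", "openpgp is an outdated version that does not support ECC keys", "Unable to read Private Keys" and the one above) end in "Could not find valid encryption key packet". What a key can do is recorded in the key-flags subpacket of the certification and subkey-binding signatures inside the exported blob, and a key like the one shown above has a certify-only primary and a sign-only subkey, so no encryption-capable key exists at all. The following packet walker is an added example, not the action's code or the reporter's: it reads OpenPGP packet headers and the key-flags subpacket (type 27) per RFC 4880 and reports gpg-style capability letters per key. The two sample keys are constructed here from packet framing with placeholder MPIs; they are not real or usable keys, only enough structure for the walker to read. All function and constant names are chosen for this example.

```python
"""Walk OpenPGP packets and report each key's capability flags (RFC 4880).
Added example; the sample keys are constructed framing with placeholder key material."""

KEY_TAGS = {5: "primary", 6: "primary", 7: "subkey", 14: "subkey"}
SIG_TYPES_WITH_FLAGS = {0x10, 0x11, 0x12, 0x13, 0x18}  # UID certifications and subkey binding
KEY_FLAGS_SUBPACKET = 27
FLAG_LETTERS = ((0x01, "C"), (0x02, "S"), (0x04, "E"), (0x08, "E"), (0x20, "A"))

def _length(buf, pos, subpacket=False):
    """New-format packet length (4.2.2) or subpacket length (5.2.3.1); returns (length, next pos)."""
    octet = buf[pos]
    if octet < 192:
        return octet, pos + 1
    if octet < (255 if subpacket else 224):
        return ((octet - 192) << 8) + buf[pos + 1] + 192, pos + 2
    if octet == 255:
        return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
    raise ValueError("partial body lengths are not supported here")

def read_packets(data):
    """Yield (tag, body) for every packet in an OpenPGP blob."""
    pos = 0
    while pos < len(data):
        first, pos = data[pos], pos + 1
        if not first & 0x80:
            raise ValueError(f"not a packet header at offset {pos - 1}")
        if first & 0x40:  # new-format header
            tag = first & 0x3F
            length, pos = _length(data, pos)
        else:  # old-format header, the common form for key, UID and signature packets
            tag = (first >> 2) & 0x0F
            if first & 0x03 == 3:
                raise ValueError("indeterminate length is not supported here")
            width = 1 << (first & 0x03)
            length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body

def read_subpackets(buf):
    """Yield (type, data) for each signature subpacket."""
    pos = 0
    while pos < len(buf):
        length, pos = _length(buf, pos, subpacket=True)
        yield buf[pos] & 0x7F, buf[pos + 1:pos + length]  # bit 7 is the critical marker
        pos += length

def signature_key_flags(body):
    """Return (signature type, key-flags byte or None) from a v4 signature packet."""
    if body[0] != 4:
        return body[1], None
    hashed_len = int.from_bytes(body[4:6], "big")
    for subtype, data in read_subpackets(body[6:6 + hashed_len]):
        if subtype == KEY_FLAGS_SUBPACKET and data:
            return body[1], data[0]
    return body[1], None

def summarize_keys(data):
    """List the primary key and subkeys with the flags their signatures grant."""
    keys = []
    for tag, body in read_packets(data):
        if tag in KEY_TAGS:
            keys.append({"kind": KEY_TAGS[tag], "secret": tag in (5, 7), "algo": body[5], "flags": 0})
        elif tag == 2 and keys:
            sig_type, flags = signature_key_flags(body)
            if flags is not None and sig_type in SIG_TYPES_WITH_FLAGS:
                keys[-1]["flags"] |= flags
    return keys

def capability_letters(flags):
    """gpg-style letters: C certify, S sign, E encrypt, A authenticate."""
    return "".join(dict.fromkeys(letter for bit, letter in FLAG_LETTERS if flags & bit))

def has_encryption_key(keys):
    """True when any key may encrypt (flags 0x04 or 0x08); the check these reports fail."""
    return any(k["flags"] & 0x0C for k in keys)

# Constructed samples: valid packet framing, placeholder MPIs (not real key material).
def packet(tag, body):
    return bytes([0xC0 | tag, len(body)]) + body  # new-format header, one-octet length (body < 192)

def key_body(algo=1):
    return bytes([4]) + (0).to_bytes(4, "big") + bytes([algo]) + b"\x00\x08\x81"  # v4, time 0, RSA, placeholder MPI

def sig_body(sig_type, key_flags):
    hashed = bytes([2, KEY_FLAGS_SUBPACKET, key_flags])  # one subpacket: length 2, type 27, flags
    # v4, type, RSA, SHA-256, hashed area, empty unhashed area, hash prefix, placeholder MPI
    return bytes([4, sig_type, 1, 8]) + len(hashed).to_bytes(2, "big") + hashed + b"\x00\x00\x00\x00\x00\x08\x81"

UID = b"Constructed Bot <bot@example.com>"
# Certify-only primary plus signing-only subkey: the layout gpg -K shows as sec [C] / ssb [S]
SIGN_ONLY_KEY = (packet(5, key_body()) + packet(13, UID) + packet(2, sig_body(0x13, 0x01))
                 + packet(7, key_body()) + packet(2, sig_body(0x18, 0x02)))
# Common default layout: primary [SC] plus an encryption subkey [E]
FULL_KEY = (packet(5, key_body()) + packet(13, UID) + packet(2, sig_body(0x13, 0x03))
            + packet(7, key_body()) + packet(2, sig_body(0x18, 0x0C)))
```

Running `summarize_keys` over a de-armored export before the workflow consumes it tells you up front whether the material is secret (tags 5/7 rather than 6/14) and which capabilities it carries, which covers both the "No secret key" reports on this page (a public-key export) and the encryption-key-packet check that rejected signing-only keys.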

Unable to read Private Keys

Behaviour

I'm setting this up in a github action as part of HashiCorp's recommended workflow

Steps to reproduce this issue

  1. Create a set of public and private GPG keys
    I created them with gpg --full-gen-key, selecting option 4 RSA (sign only), answering the prompts (2048 bit length) and setting the key to never expire
  2. Add the following node to a GitHub action
      - name: Import GPG key
        id: import_gpg
        uses: paultyng/[email protected]
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
  3. Add the secrets GPG_PRIVATE_KEY and PASSPHRASE to the repo, where GPG_PRIVATE_KEY came from gpg --armor --export-secret-key <user_email> | pbcopy, which gives an output that looks normal
-----BEGIN PGP PRIVATE KEY BLOCK-----

<stuff>
-----END PGP PRIVATE KEY BLOCK-----

  4. Run the GitHub action

Expected behaviour

It should import my GPG key so it can be used in goreleaser to sign my binaries.

Actual behaviour

Run paultyng/[email protected]
📣 GnuPG info
Version : 2.2.4 (libgcrypt 1.8.1)
Libdir : /usr/lib/x86_64-linux-gnu/gnupg
Libexecdir : /usr/lib/gnupg
Datadir : /usr/share/gnupg
Homedir : /home/runner/.gnupg
🔮 Checking GPG private key
##[error]Could not find valid encryption key packet in key 4198c6cc29feabf7

Configuration

on:
  push:
    tags:
    - '*'
name: Release
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Unshallow
        run: git fetch --prune --unshallow
      - name: Set up Go
        uses: actions/setup-go@v2
        with:
          go-version: 1.14
      - name: Import GPG key
        id: import_gpg
        uses: paultyng/[email protected]
        env:
          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
          PASSPHRASE: ${{ secrets.PASSPHRASE }}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v2
        with:
          version: latest
          args: release --rm-dist
        env:
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

obtained from https://github.com/hashicorp/terraform-provider-scaffolding/blob/master/.github/workflows/release.yml

Logs

logs_174.zip
