Signing-only subkeys fail to import about ghaction-import-gpg HOT 11 CLOSED

I've confirmed that using a Sign+Encrypt subkey works as expected, so that's at least a workaround. (It works in my particular case... however, there are other scenarios where one can not add an additional encryption subkey because it's generally expected that there be only a single encrypting subkey.)

Regardless, there is a slight bug (minor annoyance, really) when using only a subkey: this action reports a warning during workflow cleanup that the secret key is missing. This annotation is displayed on the workflow summary, as well as in detail within the workflow log output.

gpg: key "EC4A05892FB2603243F5031D249FB5A789A6EF28" not found gpg: EC4A05892FB2603243F5031D249FB5A789A6EF28: delete key failed: Not found

My assumption is that this action is attempting to delete the secret key that was added. However, if the secret key contains only a subkey, then the deletion fails.

from ghaction-import-gpg.

@crazy-max Hi. I have tried to use crazy-max/ghaction-import-gpg@subkey and it works. Previous version v4 was failed with ##[error]Could not find valid encryption key packet in key

from ghaction-import-gpg.

I'm having the same problem, and for me it traces back to https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/openpgp.ts#L33

A signing-only key will not have an encryption key, so it fails there it seems. If I remove that line, this removes the error for me. I don't know how much knock-on damage that does though.

from ghaction-import-gpg.

I'm currently using a fork that makes https://github.com/crazy-max/ghaction-import-gpg/blob/master/src/openpgp.ts#L33 optional.

from ghaction-import-gpg.

I had the same issue with a sign only key. I just added a enctyption subkey and this also works when importing both and not just the sign-only subkey

from ghaction-import-gpg.

Hi @jasonkarns, I will take a look this week on this issue. Thanks for your input and concise report. Btw maybe linked to #39 (comment)

from ghaction-import-gpg.

Agree, thread in #39 sounds similar. I also exported with gpg --armor --export-secret-subkeys SUBKEYID! as mentioned there.

Looks like openpgp.js supposedly supports this now? openpgpjs/openpgpjs#865 But this action is already using a version that includes that patch so 🤷 ...

from ghaction-import-gpg.

A signing-only key will not have an encryption key, so it fails there it seems.

So does that mean that a sub key will work fine so long as the sub key is signing+encryption?

While this bug/feature should still remain open, that would at least unblock me by allowing sub keys. (I haven't tried importing sub keys with additional capabilities yet).

from ghaction-import-gpg.

Hi, I see a several merges but the issue is still open. Is there still more to do here?

from ghaction-import-gpg.

@jason-swissre Look closely; they're all merged to other repositories ;)

GitHub will show when someone mentions an issue elsewhere, so those merges just show a lot of people are running into this.

from ghaction-import-gpg.

I started something in #112. Can someone try it with uses: crazy-max/ghaction-import-gpg@subkey and let me know if it looks good? Thanks.

from ghaction-import-gpg.