Skip to content

Add GPG signing key preflight checks to CI pipeline#306

Merged
bernardladenthin merged 2 commits into
mainfrom
claude/android-signing-failure-q7zml9
Jul 9, 2026
Merged

Add GPG signing key preflight checks to CI pipeline#306
bernardladenthin merged 2 commits into
mainfrom
claude/android-signing-failure-q7zml9

Conversation

@bernardladenthin

Copy link
Copy Markdown
Owner

Summary

  • Add two new standalone CI jobs (verify-signing-key and verify-signing-key-gradle) that validate GPG signing keys and passphrases before the publish stage
  • The verify-signing-key job tests the gpg CLI path (used by maven-gpg-plugin) by importing the key, checking expiration, verifying signing capability, and performing a sign/verify roundtrip
  • The verify-signing-key-gradle job tests the Gradle/BouncyCastle path (used by the llama-android AAR publish) by attempting to sign a throwaway artifact via useInMemoryPgpKeys
  • Both jobs run in parallel at pipeline start with no dependencies, read from the maven-central environment, and are designed to fail gracefully (red-by-design) on refs where secrets are not delivered (fork PRs, contributor branches)
  • Security-hardened: no secret material is ever printed; passphrases are passed only via file descriptors or environment variables and are masked; only public key metadata is logged

Test plan

  • CI is green on this branch
  • Both new jobs will run on every trigger and catch GPG key/passphrase issues in ~20s instead of failing during the publish stage
  • Jobs are expected to go red on fork PRs and contributor branches (where the maven-central environment secret is not delivered) — this is the intended signal that the ref cannot sign a release

Related issues / PRs

Checklist

  • I have read CONTRIBUTING.md and CODE_OF_CONDUCT.md
  • My commits follow Conventional Commits
  • No security-sensitive changes (GPG key validation is security-hardening; no secrets are printed)

https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG

claude added 2 commits July 9, 2026 10:00
Adds the standalone `verify-signing-key` job to publish.yml, byte-identical
to the other sibling repos. It reproduces what maven-gpg-plugin does at
deploy time (import key, check expiry + signing capability, passphrase
unlock + sign/verify roundtrip) so a bad/expired key or wrong passphrase is
caught in ~20s instead of failing the publish stage.

- No `needs:` — runs in parallel at pipeline start on every trigger.
- `environment: maven-central` — reads the SAME GPG_PRIVATE_KEY /
  GPG_PASSPHRASE secret the publish jobs use; on refs where the secret is
  not delivered (fork PRs, other branches) it goes red by design.
- Prints only PUBLIC key metadata; passphrase on fd 3 (never argv/logs),
  `set -x` never enabled, passphrase `::add-mask::`ed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
Adds `verify-signing-key-gradle`, a second standalone preflight job that
tests the Gradle `signing` + `useInMemoryPgpKeys` (BouncyCastle) path — the
one the `llama-android` AAR publish uses, and the exact path that failed
with a null PGPPrivateKey. The sibling `verify-signing-key` job covers the
gpg/maven-gpg-plugin path (shared across all repos); this covers the path
gpg cannot exercise (BouncyCastle is stricter at parsing the armored key).

It signs a throwaway Zip through a 6-line Gradle project that mirrors
llama-android/build.gradle.kts (same MAVEN_GPG_PRIVATE_KEY/MAVEN_GPG_PASSPHRASE
env, same useInMemoryPgpKeys call), on the same Gradle 8.14.3 the AAR uses.

- No `needs:`, parallel at pipeline start; environment: maven-central.
- Prints no secret material: key/passphrase reach Gradle only via env,
  `set -x` never enabled, passphrase `::add-mask::`ed, Gradle runs
  --stacktrace only. Asserts only the produced .asc (exit code).
- Red-by-design where the secret is not delivered, same as the gpg job.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
@bernardladenthin bernardladenthin merged commit 3fcc27c into main Jul 9, 2026
10 of 14 checks passed
@bernardladenthin bernardladenthin deleted the claude/android-signing-failure-q7zml9 branch July 9, 2026 10:13
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants