Skip to content

fix(signing): select GPG signing subkey for the Gradle/BouncyCastle AAR path#307

Merged
bernardladenthin merged 2 commits into
mainfrom
claude/android-signing-failure-q7zml9
Jul 9, 2026
Merged

fix(signing): select GPG signing subkey for the Gradle/BouncyCastle AAR path#307
bernardladenthin merged 2 commits into
mainfrom
claude/android-signing-failure-q7zml9

Conversation

@bernardladenthin

Copy link
Copy Markdown
Owner

Summary

  • Fixes the llama-android AAR publish failing with Cannot invoke "org.bouncycastle.openpgp.PGPPrivateKey.getPublicKeyPacket()" because "<parameter1>" is null. Gradle's 2-arg useInMemoryPgpKeys selects the primary GPG key, whose secret this BouncyCastle can't unlock; gpg/maven-gpg-plugin auto-select the 4096-bit signing subkey (07D2D767) and sign fine. Both Gradle signing setups now select that subkey via the 3-arg useInMemoryPgpKeys(keyId, key, passphrase) when MAVEN_GPG_KEY_ID is set (env secret GPG_KEY_ID), falling back to the previous 2-arg behavior otherwise.
  • Follow-up to the merged preflight jobs (Add GPG signing key preflight checks to CI pipeline #306): makes the isolated verify-signing-key-gradle self-test project committed and readable at .github/signing-selftest/ instead of an opaque base64 blob.

Test plan

  • The verify-signing-key (gpg) job is green on main — the key/passphrase are valid.
  • The verify-signing-key-gradle job reproduced the exact null-PGPPrivateKey failure on main — confirming the bug is BouncyCastle-selecting-the-primary, not a bad key.
  • After merge, verify-signing-key-gradle goes green on main (the harness only runs under the maven-central environment gate on main), proving the subkey selection. The real AAR publish runs the identical code + same secret, so it is covered by the same result.

Related issues / PRs

Refs #306 (the preflight jobs this builds on).

Checklist

  • My commits follow Conventional Commits
  • No new secret material is exposed — GPG_KEY_ID is a public key id (present in the key's fingerprint); the private key and passphrase never appear in any log (passphrase on fd 3, set -x never enabled, ::add-mask::ed).

🤖 Generated with Claude Code


Generated by Claude Code

claude added 2 commits July 9, 2026 10:17
…se64)

Replaces the opaque base64-embedded Gradle files in the
verify-signing-key-gradle job with a committed, reviewable project at
.github/signing-selftest/ (settings.gradle.kts + build.gradle.kts, the
latter mirroring llama-android/build.gradle.kts). The job now checks out
the repo and runs `gradle -p .github/signing-selftest signMakeArtifact`.

No behavior change — same useInMemoryPgpKeys path, same Gradle 8.14.3 — but
a reviewer can now read exactly what the signing self-test executes instead
of decoding a blob, which matters for a job whose purpose is trustworthy
signing verification.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
…path)

The Gradle useInMemoryPgpKeys (BouncyCastle) path failed with a null
PGPPrivateKey because the 2-arg form selects the primary key, whose secret
this BouncyCastle cannot unlock. gpg / maven-gpg-plugin auto-select the
4096-bit signing subkey (07D2D767) instead and sign fine — proven by the
green `verify-signing-key` (gpg) job vs the red `verify-signing-key-gradle`
job on the same key.

Wire an optional signing key id through both Gradle signing setups so they
select that subkey via the 3-arg useInMemoryPgpKeys(keyId, key, passphrase):

- .github/signing-selftest/build.gradle.kts (the isolated harness)
- llama-android/build.gradle.kts (the real AAR publish)
- publish.yml: pass MAVEN_GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }} to the
  harness step and both AAR publish steps.

When the id is unset, both fall back to the previous 2-arg behavior. Validate
green in the harness first, then the same code path covers the real AAR.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_018pwn51YPBbtiuUyiLRrfrG
@bernardladenthin bernardladenthin merged commit 0475510 into main Jul 9, 2026
8 of 14 checks passed
@bernardladenthin bernardladenthin deleted the claude/android-signing-failure-q7zml9 branch July 9, 2026 10:35
@sonarqubecloud

sonarqubecloud Bot commented Jul 9, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants