Gitlab-ci sign maven artifacts


I'm setting up CI for my Maven project in GitLab and I need to sign the jars before publishing them to Maven Central. (https://gitlab.com/awe-team/ade)

I generated the key pair with GnuPG and added the public key to my GitLab profile.

Do I have to copy my private key to the GitLab CI work folder?

The error I get is that it cannot find the key:

    [DEBUG] Configuring mojo 'org.apache.maven.plugins:maven-gpg-plugin:1.5:sign' with basic configurator -->
    [DEBUG]   (f) ascDirectory = /builds/awe-team/ade/target/gpg
    [DEBUG]   (f) defaultKeyring = true
    [DEBUG]   (f) interactive = false
    [DEBUG]   (f) passphrase = *******
    [DEBUG]   (f) skip = false
    [DEBUG]   (f) useAgent = true
    [DEBUG]   (f) project = MavenProject: com.almis.ade:ade:2.0.5 @ /builds/awe-team/ade/pom.xml
    [DEBUG] -- end configuration --
    [DEBUG] Generating signature for /builds/awe-team/ade/target/ade-2.0.5.pom
    gpg: directory '/root/.gnupg' created
    gpg: keybox '/root/.gnupg/pubring.kbx' created
    gpg: no default secret key: No secret key
    gpg: signing failed: No secret key

My .gitlab-ci.yaml looks like:

image: maven:latest

variables:
  MAVEN_CLI_OPTS: "-X -s .m2/settings.xml --batch-mode -Dgpg.passphrase=$GPG_PASSPHRASE"
  MAVEN_OPTS: "-Dmaven.repo.local=.m2/repository"

cache:
  paths:
    - .m2/repository/
    - target/

build:
  stage: build
  script:
    - mvn $MAVEN_CLI_OPTS compile

test:
  stage: test
  script:
    - mvn $MAVEN_CLI_OPTS test

deploy:
  stage: deploy
  script:
    - mvn $MAVEN_CLI_OPTS deploy
  only:
    - master

I expected it to build a release of my jars and sign them for publishing to Maven Central.

There is 1 best solution below


You can (must) use CI/CD variables at project scope or at group/subgroup scope; the scope is up to you or defined by your organization.

GitLab delivers variable contents to your CI/CD pipelines as any other regular variable in Bash, but also as files, so instead of holding the content value, the variable points to a temporary file created for your CI/CD pipeline instance.

I think file variables are more suitable for GPG keys, so you don't have to handle pipes with stdin/stdout or several steps to import your keys.

Suppose you've created a file type variable called MY_PGP_PRIV_KEY_PATH; then in the deploy script, or in any other script executed before it, you import it into the gpg of your container, like:

deploy:
  stage: deploy
  script:
    # gpg 2.1+ only honours --passphrase in batch mode with loopback pinentry;
    # the file variable expands to the path of the temporary file holding the key
    - gpg --batch --pinentry-mode loopback --passphrase "$MY_PGP_PASSPHRASE" --import "$MY_PGP_PRIV_KEY_PATH"
    - mvn $MAVEN_CLI_OPTS deploy

Keep in mind that CI/CD variables are a project's external data (non-forkable data), so it's safer than putting sensitive data inside the GitLab CI script. By the way, that is also where you must put passwords and any other secret or sensitive data.
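A fuller deploy job built on the approach in this answer, as an added example that is not from the question or the answer above; it assumes two CI/CD variables named GPG_PRIVATE_KEY (type File, an ASCII-armoured secret key export) and GPG_PASSPHRASE (masked), and that MAVEN_CLI_OPTS is defined as in the question. It fails fast when the variables are absent, makes the gpg invoked by maven-gpg-plugin work without a pinentry, pins the signing key by fingerprint, and removes the keyring afterwards so the secret key does not survive in the job's working directory or cache.

```yaml
# Added example, not the project's own pipeline. Assumed variables:
# GPG_PRIVATE_KEY (type: File) and GPG_PASSPHRASE (type: Variable, masked).
deploy:
  stage: deploy
  image: maven:latest
  before_script:
    # Fail fast if the protected variables are not exposed to this pipeline
    - test -f "$GPG_PRIVATE_KEY" || { echo "GPG_PRIVATE_KEY file variable missing"; exit 1; }
    - test -n "$GPG_PASSPHRASE" || { echo "GPG_PASSPHRASE missing"; exit 1; }
    # gpg 2.1+ needs loopback pinentry to accept a passphrase non-interactively;
    # persisting it in gpg.conf also covers the gpg process maven-gpg-plugin spawns
    - mkdir -p ~/.gnupg && chmod 700 ~/.gnupg
    - echo "pinentry-mode loopback" >> ~/.gnupg/gpg.conf
    - echo "allow-loopback-pinentry" >> ~/.gnupg/gpg-agent.conf
    - gpg --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --import "$GPG_PRIVATE_KEY"
    # Take the imported key's fingerprint (field 10 of the "fpr" record) so the
    # plugin signs with exactly this key rather than whatever gpg picks as default
    - export GPG_KEYNAME=$(gpg --batch --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    - test -n "$GPG_KEYNAME" || { echo "no secret key imported"; exit 1; }
  script:
    - mvn $MAVEN_CLI_OPTS -Dgpg.keyname="$GPG_KEYNAME" deploy
  after_script:
    # Do not leave the secret key on the runner after the job finishes
    - rm -rf ~/.gnupg
  only:
    - master
```

The passphrase still reaches gpg through -Dgpg.passphrase in MAVEN_CLI_OPTS, as in the question; keep the job's -X debug flag off in production so the expanded command line is not echoed into the job log.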