Context: Here's a GoReleaser project I'm using.
How to reproduce:
- Export multiple env vars into .release_env:
GOPATH="..."
GPG_FINGERPRINT="..."
GPG_PASSWORD="..."
GPG_KEY="..."
where GPG_KEY is GPG_PRIVATE_KEY but this project calls it GPG_KEY:
GPG_KEY (optional) - defaults to /secrets/key.gpg. ignored if file not found
- Run
docker run \
--rm \
--env-file .release-env \
-v /var/run/docker.sock:/var/run/docker.sock \
-v `pwd`:/go/src/$(PACKAGE_NAME) \
-v `pwd`/sysroot:/sysroot \
-w /go/src/$(PACKAGE_NAME) \
goreleaser/goreleaser-cross:v1.20 \
--rm-dist --skip-validate --skip-publish --debug
Then you'll see:
• signing artifact=my-app_2.0_SHA256SUMS cmd=gpg signature=dist/terraform-provider-confluent-internal_1.34.111111_SHA256SUMS.sig
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: skipped "FOOFOOFOOFOOFOOFOOFOOFOO": No secret key
gpg: signing failed: No secret key
⨯ release failed after 51s
where "FOOFOOFOOFOOFOOFOOFOOFOO" has the value of the GPG_FINGERPRINT variable.
My ideas:
- Incorrect values of vars -- I did check they're valid.
- I should have passed GPG_PUBLIC_KEY instead of GPG_PRIVATE_KEY for GPG_KEY. Based on this code it seems like using GPG_PRIVATE_KEY is the right idea.
- Enabled --debug mode - did it already and it didn't help much.
- When I searched for similar questions I could see most of them were about missing gpg executable or something that doesn't seem to be applicable here.
- Looked at the source code of goreleaser for "signing" stage -- it looks a little bit too advanced for me.
- I tried passing random strings as GPG and it looks like No secret key might also indicate wrong value of a key.
At this point I'm out of ideas.