Description
As I mentioned in standup this morning, it's been on my mind that the GPG key we use to sign artifacts before uploading to Maven Central was supposed to expire on 2024-07-29.
This morning I kicked off a couple attempts to release artifacts on a couple non-important repos...
- https://github.com/gdcc/hello/actions/runs/10303779089
- https://github.com/gdcc/exporter-debug/actions/runs/10303989668
... and they both failed with a GPG error, but not about an expiration:
```
[INFO] Signer 'gpg' is signing 4 files with key default
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
```
Basically, I'm not sure what's going on. Maybe the key is expired. Maybe it's something else. Either way, we should do something because we can't currently publish to Maven Central. We have secrets defined in both @IQSS and @gdcc (we publish from both orgs) such as `MAVEN_GPG_PASSPHRASE: ${{ secrets.DATAVERSEBOT_GPG_PASSWORD }}` and we might need to update them.
I wrote a bit about our release process for libraries at https://guides.dataverse.org/en/6.3/developers/making-library-releases.html but there's very little on that page about GPG. Perhaps we could add something.
I'm giving this a 3 but I'm not actually sure how much work it is.
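
Added example (not part of the original issue or of the project's workflows): one way to tell the two possibilities raised above apart, an expired key versus no secret key in the runner's keyring, by classifying the machine-readable output of `gpg --list-secret-keys --with-colons`. The function name, the sample listing and the "now" timestamp are constructed for illustration; the expiry field is assumed to be epoch seconds, as GnuPG 2.x prints it.

```shell
#!/bin/sh
# Classify the primary secret keys in a colon-format GnuPG listing.
# stdin: output of `gpg --list-secret-keys --with-colons`
# $1:    "now" as Unix epoch seconds (defaults to the current time)
# Prints one of: no-secret-key | usable | expired | revoked
signing_key_status() {
    now="${1:-$(date +%s)}"
    awk -F: -v now="$now" '
        # "sec" records describe primary secret keys.
        # Field 2 = validity, field 7 = expiry (empty means no expiry).
        $1 == "sec" {
            seen = 1
            if ($2 == "r")                      { revoked++ }
            else if ($7 != "" && $7 + 0 <= now) { expired++ }
            else                                { usable++ }
        }
        END {
            if (!seen)        print "no-secret-key"
            else if (usable)  print "usable"
            else if (expired) print "expired"
            else              print "revoked"
        }'
}

# Constructed sample listing: placeholder key ID, expiry 1722211200
# (2024-07-29 00:00:00 UTC). Not taken from any real keyring.
SAMPLE_LISTING='sec::4096:1:AAAAAAAAAAAAAAAA:1658966400:1722211200:::::scESC:
uid:::::::::Example Bot <bot@example.invalid>:'

# Constructed "now" shortly after the expiry date above.
SAMPLE_NOW=1723000000

# Secret key present but past its expiry date.
printf '%s\n' "$SAMPLE_LISTING" | signing_key_status "$SAMPLE_NOW"

# Empty keyring, e.g. the CI secret holding the key was never imported.
printf '' | signing_key_status "$SAMPLE_NOW"
```

In a CI job the same function can be fed the live listing, `gpg --list-secret-keys --with-colons | signing_key_status`, as a step before the signing plugin runs.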