|
23 | 23 |
|
24 | 24 | set -euo pipefail |
25 | 25 |
|
26 | | -export TMP_WORKSPACE=/tmp/secured |
27 | | -export KEY_FILE=$TMP_WORKSPACE"/private.key" |
| 26 | +if grep -sq "signing.keyId" gradle.properties; then |
| 27 | + # Keys already present |
| 28 | + exit 0 |
| 29 | +fi |
28 | 30 |
|
29 | | -# Secure home for our keyring |
30 | | -export GNUPGHOME=$TMP_WORKSPACE"/keyring" |
31 | | -mkdir -p $GNUPGHOME |
32 | | -chmod -R 700 $TMP_WORKSPACE |
| 31 | +mkdir -p /tmp/secured |
| 32 | +keyring_file="/tmp/secured/keyring.gpg" |
33 | 33 |
|
34 | | -# Signing keys |
35 | | -GPG_SECRET=kv/ci-shared/release-eng/team-release-secrets/elasticsearch-java/gpg |
36 | | -vault kv get --field="keyring" $GPG_SECRET | base64 -d > $KEY_FILE |
| 34 | +vault_path="kv/ci-shared/release-eng/team-release-secrets/elasticsearch-java" |
| 35 | + |
| 36 | +vault kv get --field="keyring" $vault_path/gpg | base64 -d > $keyring_file |
37 | 37 | ## NOTE: passphase is the name of the field. |
38 | | -KEYPASS_SECRET=$(vault kv get --field="passphase" $GPG_SECRET) |
39 | | -export KEYPASS_SECRET |
40 | | -KEY_ID=$(vault kv get --field="key_id" $GPG_SECRET) |
41 | | -KEY_ID_SECRET=${KEY_ID: -8} |
42 | | -export KEY_ID_SECRET |
43 | | - |
44 | | -# Import the key into the keyring |
45 | | -echo "$KEYPASS_SECRET" | gpg --batch --import "$KEY_FILE" |
46 | | - |
47 | | -# Export the key in ascii armored format |
48 | | -SECRING_ASC=$(gpg --pinentry-mode=loopback --passphrase "$KEYPASS_SECRET" --armor --export-secret-key "$KEY_ID_SECRET") |
49 | | -export SECRING_ASC |
50 | | - |
51 | | -# Credentials |
52 | | -NEXUS_SECRET=kv/ci-shared/release-eng/team-release-secrets/elasticsearch-java/maven_central |
53 | | -ORG_GRADLE_PROJECT_sonatypeUsername=$(vault kv get --field="username" $NEXUS_SECRET) |
| 38 | +signing_password=$(vault kv get --field="passphase" $vault_path/gpg) |
| 39 | +signing_key=$(vault kv get --field="key_id" $vault_path/gpg) |
| 40 | + |
| 41 | +maven_username=$(vault kv get --field="username" $vault_path/maven_central) |
| 42 | +maven_password=$(vault kv get --field="password" $vault_path/maven_central) |
| 43 | + |
| 44 | +ORG_GRADLE_PROJECT_sonatypeUsername=$(maven_username) |
54 | 45 | export ORG_GRADLE_PROJECT_sonatypeUsername |
55 | | -ORG_GRADLE_PROJECT_sonatypePassword=$(vault kv get --field="password" $NEXUS_SECRET) |
| 46 | +ORG_GRADLE_PROJECT_sonatypePassword=$(maven_password) |
56 | 47 | export ORG_GRADLE_PROJECT_sonatypePassword |
57 | 48 |
|
| 49 | +cat >> gradle.properties <<EOF |
| 50 | +signing.keyId=${signing_key: -8} |
| 51 | +signing.password=${signing_password} |
| 52 | +signing.secretKeyRingFile=${keyring_file} |
58 | 53 |
|
| 54 | +ossrhUsername=${maven_username} |
| 55 | +ossrhPassword=${maven_password} |
| 56 | +EOF |
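Review bot: `$(maven_username)` and `$(maven_password)` on new lines 44 and 46 are command substitutions rather than variable expansions, so the shell tries to run a command named `maven_username`. Under `set -euo pipefail` that fails with status 127 and the script exits before the heredoc is written. The lines should read `ORG_GRADLE_PROJECT_sonatypeUsername=$maven_username` and `ORG_GRADLE_PROJECT_sonatypePassword=$maven_password`. Separately, the removed `chmod -R 700` has no replacement, so `/tmp/secured` and the decoded `keyring.gpg` get whatever permissions the umask allows, at a fixed path under `/tmp`. Adding `chmod 700 /tmp/secured` after the `mkdir -p`, or setting `umask 077` before it, would keep the key material private; the same concern applies to the passphrase and OSSRH password now appended in plain text to `gradle.properties`.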