Use new gpg key (A0B5CA1A4E086838) (#237)

adangel · web-flow · commit 36826d4ff2c4 · 2025-01-06T18:39:30.000+01:00
diff --git a/.ci/README.md b/.ci/README.md
@@ -5,7 +5,7 @@
 Since 7.9.0, the plugin is signed with the same GPG key, that is used to sign the main PMD artifacts
 for maven central.
 
-See <https://github.com/pmd/build-tools/blob/main/scripts/files/release-signing-key-D0BF1D737C9A1C22.asc>.
+See <https://github.com/pmd/build-tools/blob/main/scripts/files/release-signing-key-2EFA55D0785C31F956F2F87EA0B5CA1A4E086838-public.asc>.
 
 Tycho's [GPG Plugin](https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html)
 is used for that.
@@ -14,17 +14,8 @@ There is no need anymore to use jar signer and use a real Let's Encrypt certific
 
 **How it works:**
 
-* During build setup, `.m2/settings.xml` contains properties for signing:
-  ```xml
-    <profile>
-      <id>sign</id>
-      <properties>
-        <gpg.keyname>${env.CI_SIGN_KEYNAME}</gpg.keyname>
-        <gpg.passphrase>${env.CI_SIGN_PASSPHRASE}</gpg.passphrase>
-      </properties>
-    </profile>
-  ```
-* These environment variables (`CI_SIGN_KEYNAME`) are set by `pmd_ci_setup_secrets_private_env`
+* During build setup, the private gpg key is imported from the environment variable `PMD_CI_GPG_PRIVATE_KEY`
+  which is a secret in GitHub Action. This environment variable is used by `pmd_ci_setup_secrets_private_env`
   which is called by `build.sh` (but not for pull requests).
-
-* The tycho gpg plugin is activated only when profile `sign` is activated.
+* The gpg plugin uses the environment variable `MAVEN_GPG_PASSPHRASE` for the passphrase. This is
+  configured as well as a secret. The tycho gpg plugin is activated only when profile `sign` is activated.
diff --git a/.ci/build.sh b/.ci/build.sh
@@ -68,12 +68,10 @@ function snapshot_build() {
     pmd_ci_log_group_start "Snapshot Build: ${PMD_CI_MAVEN_PROJECT_VERSION}"
         pmd_ci_log_info "This is a snapshot build on branch ${PMD_CI_BRANCH} (version: ${PMD_CI_MAVEN_PROJECT_VERSION})"
 
-        export MAVEN_GPG_PASSPHRASE="${CI_SIGN_PASSPHRASE}"
         ${xvfb_cmd} ./mvnw clean verify \
             --show-version --errors --batch-mode --no-transfer-progress \
-            --activate-profiles sign_env -Dgpg.keyname="${CI_SIGN_KEYNAME}" \
+            --activate-profiles sign \
             -Dtarget.platform=${TARGET_PLATFORM}
-        unset MAVEN_GPG_PASSPHRASE
 
         # Upload update site to sourceforge
         local qualifiedVersion
@@ -120,12 +118,10 @@ function release_build() {
     pmd_ci_log_group_start "Release Build: ${PMD_CI_MAVEN_PROJECT_VERSION}"
         pmd_ci_log_info "This is a release build for tag ${PMD_CI_TAG} (version: ${PMD_CI_MAVEN_PROJECT_VERSION})"
 
-        export MAVEN_GPG_PASSPHRASE="${CI_SIGN_PASSPHRASE}"
         ${xvfb_cmd} ./mvnw clean verify \
             --show-version --errors --batch-mode --no-transfer-progress \
-            --activate-profiles sign_env -Dgpg.keyname="${CI_SIGN_KEYNAME}" \
+            --activate-profiles sign \
             -Dtarget.platform=${TARGET_PLATFORM}
-        unset MAVEN_GPG_PASSPHRASE
 
     pmd_ci_log_group_end
 
diff --git a/.github/actions/build/action.yml b/.github/actions/build/action.yml
@@ -13,6 +13,12 @@ inputs:
   githubToken:
     description: 'The GitHub Token used for releases'
     required: false
+  pmdCiGpgPrivateKey:
+    description: 'The GPG Private Key used for signing the release'
+    required: false
+  pmdCiGpgPassphrase:
+    description: 'The passphrase for the GPG private key used for signing the release'
+    required: false
 
 runs:
   using: 'composite'
@@ -25,3 +31,5 @@ runs:
         DEPLOY: ${{ inputs.deploy }}
         PMD_CI_SECRET_PASSPHRASE: ${{ inputs.pmdCiSecretPassphrase }}
         GITHUB_TOKEN: ${{ inputs.githubToken }}
+        PMD_CI_GPG_PRIVATE_KEY: ${{ inputs.pmdCiGpgPrivateKey }}
+        MAVEN_GPG_PASSPHRASE: ${{ inputs.pmdCiGpgPassphrase }}
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -29,7 +29,7 @@ runs:
       run: |
         echo "LANG=en_US.UTF-8" >> $GITHUB_ENV
         echo "MAVEN_OPTS=-Dmaven.wagon.httpconnectionManager.ttlSeconds=180 -Dmaven.wagon.http.retryHandler.count=3" >> $GITHUB_ENV
-        echo "PMD_CI_SCRIPTS_URL=https://raw.githubusercontent.com/pmd/build-tools/28/scripts" >> $GITHUB_ENV
+        echo "PMD_CI_SCRIPTS_URL=https://raw.githubusercontent.com/pmd/build-tools/main/scripts" >> $GITHUB_ENV
     - name: Check Environment
       shell: bash
       run: |
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -32,6 +32,8 @@ jobs:
           deploy: true
           pmdCiSecretPassphrase: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}
           githubToken: ${{ secrets.GITHUB_TOKEN }}
+          pmdCiGpgPrivateKey: ${{ secrets.PMD_CI_GPG_PRIVATE_KEY }}
+          pmdCiGpgPassphrase: ${{ secrets.PMD_CI_GPG_PASSPHRASE }}
 
       - name: Upload screenshots of failed unit tests
         uses: actions/upload-artifact@v4
@@ -79,8 +81,6 @@ jobs:
         with:
           targetPlatform: ${{ matrix.targetPlatform }}
           deploy: false
-          pmdCiSecretPassphrase: ${{ secrets.PMD_CI_SECRET_PASSPHRASE }}
-          githubToken: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload screenshots of failed unit tests
         uses: actions/upload-artifact@v4
diff --git a/ReleaseNotes.md b/ReleaseNotes.md
@@ -12,12 +12,16 @@ Eclipse Update Site:
 This is a minor release.
 
 ### New and noteworthy
+* The plugin uses a new GPG key for code signing. Releases are signed with
+  [A0B5CA1A4E086838](https://keyserver.ubuntu.com/pks/lookup?search=0x2EFA55D0785C31F956F2F87EA0B5CA1A4E086838&fingerprint=on&op=index).
+  The full fingerprint is `2EFA 55D0 785C 31F9 56F2  F87E A0B5 CA1A 4E08 6838`.
 
 ### Fixed Issues
 
 ### API Changes
 
-### External Contributions
+### Merged pull requests
+* Use new gpg key ([#237](https://github.com/pmd/pmd-eclipse-plugin/pull/237)) by [@adangel](https://github.com/adangel)
 
 ## 27-December-2024: 7.9.0.v20241227-1626-r
 
diff --git a/net.sourceforge.pmd.eclipse.p2updatesite/pom.xml b/net.sourceforge.pmd.eclipse.p2updatesite/pom.xml
@@ -39,7 +39,7 @@
 
     <profiles>
       <profile>
-        <id>sign_env</id>
+        <id>sign</id>
         <build>
           <plugins>
             <plugin>
diff --git a/pom.xml b/pom.xml
@@ -22,7 +22,7 @@
     <tycho.version>4.0.10</tycho.version>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
     <pmd.version>7.9.0</pmd.version>
-    <pmd.build-tools.version>28</pmd.build-tools.version>
+    <pmd.build-tools.version>29-SNAPSHOT</pmd.build-tools.version>
     <checkstyle.version>10.18.1</checkstyle.version>
     <checkstyle.plugin.version>3.5.0</checkstyle.plugin.version>
     <pmd.plugin.version>3.25.0</pmd.plugin.version>
