@@ -256,6 +256,10 @@ jobs:
256256 GPG_FINGERPRINT : ${{ secrets.GPG_FINGERPRINT }}
257257 GPG_PASSPHRASE : ${{ secrets.GPG_PASSPHRASE }}
258258 run : |
259+ # GPG_PASSPHRASE is optional - subkey may not have a passphrase
260+ if [ -z "$GPG_PASSPHRASE" ]; then
261+ echo "ℹ GPG_PASSPHRASE not set - assuming subkey has no passphrase"
262+ fi
259263 # Install gnupg2 if not already available
260264 sudo apt-get update && sudo apt-get install -y gnupg2 || true
261265
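Review bot: The new check at line 260 only echoes to the log, so an unset secret (typical when the workflow runs from a fork, or in a repository where `GPG_PASSPHRASE` was never configured) is indistinguishable from a deliberately passphrase-less subkey and is easy to miss inside a long step. Emitting a workflow annotation makes the assumption visible in the job summary: `echo "::notice::GPG_PASSPHRASE not set - assuming subkey has no passphrase"`. The enclosing `run:` block continues past the end of this hunk.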
@@ -292,8 +296,13 @@ jobs:
292296 KEY_FILE=$(mktemp)
293297 echo "$GPG_PRIVATE_KEY" > "$KEY_FILE"
294298
295- # Import the key with passphrase from stdin (never written to disk)
296- echo "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import "$KEY_FILE"
299+ # Import the key - handle both with and without passphrase
300+ if [ -n "$GPG_PASSPHRASE" ]; then
301+ echo "$GPG_PASSPHRASE" | gpg --batch --yes --pinentry-mode loopback --passphrase-fd 0 --import "$KEY_FILE"
302+ else
303+ # No passphrase - import directly
304+ gpg --batch --yes --import "$KEY_FILE"
305+ fi
297306
298307 # Clean up temp file (only contains key data, not passphrase)
299308 rm -f "$KEY_FILE"
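Review bot: The passphrase-less branch at line 304 drops `--pinentry-mode loopback`, so if the key turns out to be protected while the secret is merely unset, gpg under `--batch` may try to reach a pinentry instead of failing immediately with a clear error; keeping loopback in both branches makes that failure deterministic: `gpg --batch --yes --pinentry-mode loopback --import "$KEY_FILE"`. It would also help to say so in the comment on line 303, e.g. `# No passphrase - import directly (fails fast if the key is actually protected)`. Whether a failed import stops the step depends on the step's shell options, which are not visible here; the `run:` block starts before and ends after this hunk.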
@@ -307,30 +316,32 @@ jobs:
307316 # Verify key is available
308317 gpg --list-secret-keys --keyid-format LONG
309318
310- # Preset passphrase in gpg-agent for non-interactive signing
311- # This allows GoReleaser to sign without prompting for passphrase
312- # Extract keygrip - try both sec (master key) and ssb (subkey) lines
313- KEYGRIP=$(gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" 2>/dev/null | grep -E "^sec|^ssb" | head -1 | awk '{print $NF}')
314- if [ -z "$KEYGRIP" ]; then
315- # Try alternative method - get keygrip from the subkey line
316- KEYGRIP=$(gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" 2>/dev/null | grep -A5 "^sec" | grep "Keygrip" | head -1 | awk '{print $3}')
317- fi
318-
319- if [ -n "$KEYGRIP" ] && [ ${#KEYGRIP} -eq 40 ]; then
320- echo "$GPG_PASSPHRASE" | gpg-preset-passphrase --preset "$KEYGRIP" 2>&1
321- if [ $? -eq 0 ]; then
322- echo "✓ Passphrase preset in gpg-agent for keygrip: $KEYGRIP"
319+ # Preset passphrase in gpg-agent only if passphrase is provided
320+ # If subkey has no passphrase, skip this step
321+ if [ -n "$GPG_PASSPHRASE" ]; then
322+ # Extract keygrip - try both sec (master key) and ssb (subkey) lines
323+ KEYGRIP=$(gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" 2>/dev/null | grep -E "^sec|^ssb" | head -1 | awk '{print $NF}')
324+ if [ -z "$KEYGRIP" ]; then
325+ # Try alternative method - get keygrip from the subkey line
326+ KEYGRIP=$(gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" 2>/dev/null | grep -A5 "^sec" | grep "Keygrip" | head -1 | awk '{print $3}')
327+ fi
328+
329+ if [ -n "$KEYGRIP" ] && [ ${#KEYGRIP} -eq 40 ]; then
330+ echo "$GPG_PASSPHRASE" | gpg-preset-passphrase --preset "$KEYGRIP" 2>&1
331+ if [ $? -eq 0 ]; then
332+ echo "✓ Passphrase preset in gpg-agent for keygrip: $KEYGRIP"
333+ else
334+ echo "⚠ Warning: Failed to preset passphrase for keygrip: $KEYGRIP"
335+ fi
323336 else
324- echo "⚠ Warning: Failed to preset passphrase for keygrip: $KEYGRIP "
337+ echo "⚠ Warning: Could not find valid keygrip for fingerprint $FINGERPRINT_UPPER "
325338 fi
326339 else
327- echo "⚠ Warning: Could not find valid keygrip for fingerprint $FINGERPRINT_UPPER"
328- echo "Debug: Listing keys with keygrips:"
329- gpg --list-secret-keys --with-keygrip --keyid-format LONG "$FINGERPRINT_UPPER" 2>&1 || true
340+ echo "ℹ No passphrase provided - subkey should work without passphrase"
330341 fi
331342
332343 # Verify gpg-agent is running and can sign
333- echo "test" | gpg --batch --pinentry-mode loopback --sign --local-user "$FINGERPRINT_UPPER" -o /dev/null 2>&1 && echo "✓ Test signing successful" || echo "⚠ Test signing failed"
344+ echo "test" | gpg --batch --no-tty -- pinentry-mode loopback --sign --local-user "$FINGERPRINT_UPPER" -o /dev/null 2>&1 && echo "✓ Test signing successful" || echo "⚠ Test signing failed"
334345
335346 # Test signing capability (GoReleaser will test this anyway, but verify key is importable)
336347 # Note: We skip actual signing test here since --passphrase-fd consumes stdin
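Review bot: Line 344 has `-- pinentry-mode loopback` with a space after the double dash; `--` ends option parsing, so `pinentry-mode`, `loopback`, `--sign`, `--local-user` and `-o` all become positional arguments, gpg fails, and the trailing `|| echo "⚠ Test signing failed"` turns this broken smoke test into a warning on every run. It should read `--pinentry-mode loopback`. Separately, lines 330-331 run the preset pipeline as a bare statement and then inspect `$?`; if this step runs under GitHub's default `bash -e` (the `shell:` key is outside the hunk), a failing `gpg-preset-passphrase` exits the step before the warning on line 334 can print, so fold the command into the condition: `if echo "$GPG_PASSPHRASE" | gpg-preset-passphrase --preset "$KEYGRIP" 2>&1; then`. The message on line 337 also appears to carry a trailing space inside the quotes before the closing `"`, unless that is a rendering artifact. The `run:` block starts before and ends after this hunk.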
@@ -344,10 +355,14 @@ jobs:
344355 run : |
345356 echo "Verifying GPG environment variables..."
346357 echo "GPG_FINGERPRINT length: ${#GPG_FINGERPRINT}"
347- echo "GPG_PASSPHRASE length: ${#GPG_PASSPHRASE}"
358+ echo "GPG_PASSPHRASE length: ${#GPG_PASSPHRASE:-0 }"
348359 gpg --list-secret-keys --keyid-format LONG
349- # Test signing with passphrase
350- echo "test" | gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --local-user "$GPG_FINGERPRINT" --sign -o /tmp/test.sig - 2>&1 && echo "✓ Test signing successful" || echo "⚠ Test signing failed"
360+ # Test signing - handle both with and without passphrase
361+ if [ -n "$GPG_PASSPHRASE" ]; then
362+ echo "test" | gpg --batch --yes --no-tty --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" --local-user "$GPG_FINGERPRINT" --sign -o /tmp/test.sig - 2>&1 && echo "✓ Test signing successful (with passphrase)" || echo "⚠ Test signing failed"
363+ else
364+ echo "test" | gpg --batch --yes --no-tty --pinentry-mode loopback --local-user "$GPG_FINGERPRINT" --sign -o /tmp/test.sig - 2>&1 && echo "✓ Test signing successful (no passphrase)" || echo "⚠ Test signing failed"
365+ fi
351366 rm -f /tmp/test.sig
352367
353368 - name : Run GoReleaser
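Review bot: Line 358 expands `${#GPG_PASSPHRASE:-0 }`, which bash rejects as a bad substitution (`:-` cannot be combined with the `#` length form), and the default is unnecessary anyway because the length of an empty or unset variable is already `0`; under the default `-e` shell that expansion error aborts the step before any signing test runs, so use `${#GPG_PASSPHRASE}`. Line 362 passes `--passphrase "$GPG_PASSPHRASE"` on the command line, which exposes the secret in the process argument list (`ps`, `/proc/<pid>/cmdline`) to anything else on the runner for the life of the process, whereas the import step earlier in this workflow deliberately feeds it over a descriptor; since stdin carries the test input here, hand the passphrase over a separate descriptor instead: `--passphrase-fd 3 3<<<"$GPG_PASSPHRASE"`. The enclosing `run:` block starts before this hunk.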
@@ -362,6 +377,7 @@ jobs:
362377 GPG_FINGERPRINT : ${{ secrets.GPG_FINGERPRINT }}
363378 GPG_PASSPHRASE : ${{ secrets.GPG_PASSPHRASE }}
364379 GPG_TTY : $(tty)
380+ # GPG_PASSPHRASE is optional - if empty, GoReleaser won't use --passphrase flag
365381
366382 # terraform-provider-release:
367383 # needs: [release]