Manage OSSRH
Artur Souza edited this page May 30, 2023 · 4 revisions
- URL: https://oss.sonatype.org/
- user/pass: Find the secret in Dapr's 1Password (`java-sdk-ossrh-repo`)
- Download the GPG private key from Dapr's 1Password (`java-sdk-mvn-gpg-private-key` secret in 1Password)
- Base64-decode the secret to obtain the private key
```
# Linux (GNU coreutils): base64 -d; on macOS use base64 -D
$ echo "secret" | base64 -d > gpg-private.key
```
- Import the GPG private key to your local machine
```
$ gpg --batch --import gpg-private.key
```
- Set the secret environment variables
```
export OSSRH_USER_TOKEN=user_token # See `java-sdk-ossrh-user-token` secret in 1Password
export OSSRH_PWD_TOKEN=user_pass # See `java-sdk-ossrh-user-token` secret in 1Password
export GPG_KEY=gpg_key # See `java-sdk-mvn-gpg-private-key-pass` secret in 1Password
export GPG_PWD=gpg_pwd # See `java-sdk-mvn-gpg-private-key-pass` secret in 1Password
```
- Deploy with Maven
```
export GPG_TTY=$(tty)
mvn -V -B -Dgpg.skip=false -s settings.xml deploy
```
- Generate GPG Cert
```
$ export GPG_TTY=$(tty)
# When gpg asks for the cert password, use the `java-sdk-mvn-gpg-private-key-pass` secret in 1Password. If you want to use a different password, please update the `java-sdk-mvn-gpg-private-key-pass` secret in 1Password.
$ gpg --generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: dapr.io
Email address: [email protected]
You selected this USER-ID:
    "dapr.io <[email protected]>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B32573E3D5C334D9 marked as ultimately trusted
gpg: directory '/Users/youngp/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/youngp/.gnupg/openpgp-revocs.d/2C250DF7621BD1A2D6B06E27B32573E3D5C334D9.rev'
public and secret key created and signed.
pub   rsa2048 2020-01-17 [SC] [expires: 2022-01-16]
      2C250DF7621BD1A2D6B06E27B32573E3D5C334D9
uid                      dapr.io <[email protected]>
sub   rsa2048 2020-01-17 [E] [expires: 2022-01-16]
```
- Export private key
```
# e.g. KEYID is 2C250DF7621BD1A2D6B06E27B32573E3D5C334D9 in the example
$ gpg -a --export-secret-key KEYID > private-key.gpg
```
- Base64-encode private-key.gpg
```
base64 private-key.gpg
```
- Export public key
```
# e.g. KEYID is 2C250DF7621BD1A2D6B06E27B32573E3D5C334D9 in the example
gpg -a --export KEYID > public-key.gpg
```
- Upload the public key only to https://keys.openpgp.org/upload/. This requires verifying an e-mail sent to [email protected]
- Update variables in GitHub Settings->secrets
  - `GPG_PRIVATE_KEY` with the Base64 value of the private key
  - `GPG_KEY` with the new Key Id (`2C250DF7621BD1A2D6B06E27B32573E3D5C334D9` in this example)
  - `GPG_PASS` with the password used to generate the new key
- Update `java-sdk-mvm-gpg-private-key` secret in keyvault
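
The key in the transcript above carries an expiry date (2022-01-16 in that sample), and gpg will not sign with it once that date passes. The following is an added example, not part of the original wiki page or the Dapr project: it reads `gpg --with-colons` output and reports whether the key named by `GPG_KEY` is ok, expiring, expired, revoked or missing. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. key_status, check_signing_key and SAMPLE_LISTING are
# hypothetical names, not part of the Dapr java-sdk repository.

# Constructed sample of `gpg --with-colons --list-secret-keys` output, modelled
# on the key in the transcript above (epoch timestamps chosen for illustration;
# the subkey id and fingerprint are made up).
SAMPLE_LISTING='sec:u:2048:1:B32573E3D5C334D9:1579219200:1642291200::u:::scESC:::+:::23::0:
fpr:::::::::2C250DF7621BD1A2D6B06E27B32573E3D5C334D9:
uid:u::::1579219200::::dapr.io::::::::::0:
ssb:u:2048:1:0123456789ABCDEF:1579219200:1642291200:::::e:::+:::23:
fpr:::::::::1111111111111111111111110123456789ABCDEF:'

# key_status KEY NOW [MIN_DAYS]  (colon listing on stdin)
# KEY is a fingerprint or long key id; NOW is epoch seconds.
# Prints one of: ok, expiring, expired, revoked, missing.
key_status() {
  awk -F: -v want="$1" -v now="$2" -v min_days="${3:-30}" '
    BEGIN { want = toupper(want); state = "missing" }
    # Field 2 is validity, field 7 the expiry time (empty = never expires).
    $1 == "sec" || $1 == "pub" { primary = 1; validity = $2; expires = $7; next }
    $1 == "ssb" || $1 == "sub" { primary = 0; next }
    # The fpr record right after sec/pub holds the primary fingerprint (field 10).
    $1 == "fpr" && primary && want != "" {
      primary = 0
      if (substr($10, length($10) - length(want) + 1) != want) next
      if (validity == "r") state = "revoked"
      else if (validity == "e" || (expires != "" && expires + 0 <= now + 0)) state = "expired"
      else if (expires != "" && expires - now < min_days * 86400) state = "expiring"
      else state = "ok"
    }
    END { print state }
  '
}

# Check the key named by $GPG_KEY in the local keyring before running mvn deploy.
check_signing_key() {
  gpg --batch --with-colons --list-secret-keys "$GPG_KEY" 2>/dev/null |
    key_status "$GPG_KEY" "$(date +%s)" 30
}

# Demo on the constructed sample, evaluated at the current time.
printf '%s\n' "$SAMPLE_LISTING" | key_status B32573E3D5C334D9 "$(date +%s)"
```

Calling `check_signing_key` after the import step and before `mvn ... deploy` surfaces an expired or missing key before the build reaches the signing phase.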