From bdff4161ca0f5b18f69d82220506e5b69157113b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Bj=C3=A6rt=20Hargreaves?= Date: Wed, 29 Nov 2023 08:48:44 +0100 Subject: [PATCH] Update REGENERATING_SIGNING_KEY.md fix enumerations not nesting properly --- REGENERATING_SIGNING_KEY.md | 42 ++++++++++++++++++------------------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/REGENERATING_SIGNING_KEY.md b/REGENERATING_SIGNING_KEY.md index 7ca1791..ab2b7de 100644 --- a/REGENERATING_SIGNING_KEY.md +++ b/REGENERATING_SIGNING_KEY.md 
@@ -11,29 +11,29 @@ To sign a new release _after the key expires_, you need to: We use a password protected, encrypted signing key when signing releases for maven central. To refresh the key, you need to: 1. Download the secret key file from your secret manager -2. Note the encryption password from your secret manager -3. Import the key into your local gpg keychain - 4. `gpg --import ` - 5. Enter the encryption password when prompted - 6. List the secret key ids: `gpg --list-secret-keys --keyid-format LONG` - 7. Note the key ID of the imported key -7. Refresh the key expiration date - 8. `gpg --edit-key ` - 9. `expire` - 10. **IMPORTANT:** When promted, write `1y`. The default is `no-expiration`, **which is not what we want** - 11. You should be prompted for the pass-phrase again. Enter the same pass-phrase as before - 10. `save` + enter -11. If done correctly, it should exit the `gpg` interactive prompt +1. Note the encryption password from your secret manager +1. Import the key into your local gpg keychain + 1. `gpg --import ` + 1. Enter the encryption password when prompted + 1. List the secret key ids: `gpg --list-secret-keys --keyid-format LONG` + 1. Note the key ID of the imported key +1. Refresh the key expiration date + 1. `gpg --edit-key ` + 1. `expire` + 1. **IMPORTANT:** When promted, write `1y`. The default is `no-expiration`, **which is not what we want** + 1. You should be prompted for the pass-phrase again. Enter the same pass-phrase as before + 1. `save` + enter +1. If done correctly, it should exit the `gpg` interactive prompt ## Update the key in your secret manager 1. Export the public key: `gpg --output maven.public.gpg --armor --export ` -2. Export the private key: `gpg --output maven.secret.gpg --armor --export-secret-keys ` - 3. You will be prompted for the pass-phrase. Enter the same pass-phrase as before -4. Rename the existing public and private keys in your secret manager to something like `maven.public.gpg[expired]` - 5. 
You can delete the `n-2`nd iteration of keys, as we are pretty sure we won't need them again at this point -5. Upload `maven.public.gpg` and `maven.secret.gpg` to your secret manager -6. **IMPORTANT** Delete `maven.public.gpg` and `maven.secret.gpg` from your local machine +1. Export the private key: `gpg --output maven.secret.gpg --armor --export-secret-keys ` + 1. You will be prompted for the pass-phrase. Enter the same pass-phrase as before +1. Rename the existing public and private keys in your secret manager to something like `maven.public.gpg[expired]` + 1. You can delete the `n-2`nd iteration of keys, as we are pretty sure we won't need them again at this point +1. Upload `maven.public.gpg` and `maven.secret.gpg` to your secret manager +1. **IMPORTANT** Delete `maven.public.gpg` and `maven.secret.gpg` from your local machine ## Publish the public key to a key server @@ -44,5 +44,5 @@ Now the downstream clients can verify the signature of the artifacts you sign wi ## Update the secret environment variables in the github action 1. Copy the `base64` encoded secret key from your secret manager - 2. `gpg --armor --export-secret-keys $LONG_ID | base64 | pbcopy` -2. Paste the `base64` encoded secret key into the `PGP_SECRET` secret variable in the github action + 1. `gpg --armor --export-secret-keys $LONG_ID | base64 | pbcopy` +1. Paste the `base64` encoded secret key into the `PGP_SECRET` secret variable in the github action
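Review bot: in the first hunk (the "Refresh the key expiration date" steps), the renumbered `1. **IMPORTANT:** When promted, write `1y`` line carries over the typo "promted"; since the line is being touched anyway, fix it to "prompted" in this commit. Separately, the `expire` step as written runs with no key selected, so `gpg --edit-key` changes the expiration of the primary key only; if releases are signed with a signing subkey, the procedure should say to select it first (`key 1`, then `expire`) or the subkey keeps its old expiry and signatures still fail after the refresh. A final sub-step such as "confirm the new expiry with `gpg --list-secret-keys --keyid-format LONG`" would let the operator verify the refresh before exporting.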
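Review bot: in the second hunk ("Update the secret environment variables in the github action"), the renumbered sub-step `1. `gpg --armor --export-secret-keys $LONG_ID | base64 | pbcopy`` contradicts its parent step, which says to copy the `base64` encoded secret key "from your secret manager": the command exports the private key from the local gpg keychain instead, which the previous section told the reader to delete from the local machine. Either the parent step should say the value is exported locally before cleanup, or the sub-step should describe copying the stored value from the secret manager. Also note that `pbcopy` is macOS-only and leaves the armored private key in the system clipboard; the doc should say which platform the command assumes and remind the operator to clear the clipboard after pasting into `PGP_SECRET`.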