Fixes for GPG on Actions (pyutils#102)

* wip * wip * wip * wip * Add note about new GPG keys * wip * Remove debug configurations
ta946 · Sep 24, 2021 · 13ef526 · 13ef526
1 parent c14c304
commit 13ef526
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 12 deletions.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -32,7 +32,7 @@ jobs:
   build_and_test_sdist:
     name: Test sdist Python 3.8
     runs-on: ubuntu-latest
-    needs: [lint]
+    #needs: [lint]
     steps:
     - uses: actions/checkout@v2
     - name: Set up Python 3.8
@@ -71,15 +71,15 @@ jobs:
   build_and_test_wheels:
     name: ${{ matrix.cibw_build }} on ${{ matrix.os }}, arch=${{ matrix.arch }}
     runs-on: ${{ matrix.os }}
-    needs: [lint]
+    #needs: [lint]
     strategy:
       matrix:
         os: [ubuntu-latest, windows-latest, macOS-latest]
         arch: [auto]
         cibw_build: [cp3*-*]
         cibw_skip: ["*-win32"]
         # Add additional workers to reduce overall build time
-        include:
+        include: 
           - os: windows-latest
             cibw_build: cp3*-win32
             arch: auto
@@ -207,9 +207,15 @@ jobs:
           $GPG_EXECUTABLE --version
           openssl version
           $GPG_EXECUTABLE --list-keys
-          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import 
-          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import-ownertrust
-          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE --import 
+          echo "Decrypting Keys"
+           GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import 
+          $GPG_EXECUTABLE --list-keys || true
+          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE  --import-ownertrust
+          $GPG_EXECUTABLE --list-keys || true
+          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import
+
+          echo "Finish Decrypting Keys"
+          $GPG_EXECUTABLE --list-keys || true
           $GPG_EXECUTABLE --list-keys  || echo "first invocation of gpg creates directories and returns 1"
           $GPG_EXECUTABLE --list-keys  
           MB_PYTHON_TAG=$(python -c "import setup; print(setup.MB_PYTHON_TAG)")
@@ -259,9 +265,14 @@ jobs:
           $GPG_EXECUTABLE --version
           openssl version
           $GPG_EXECUTABLE --list-keys
+          echo "Decrypting Keys"
           GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | $GPG_EXECUTABLE --import 
-          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import-ownertrust
-          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE --import 
+          $GPG_EXECUTABLE --list-keys || true
+          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/gpg_owner_trust.enc | $GPG_EXECUTABLE  --import-ownertrust
+          $GPG_EXECUTABLE --list-keys || true
+          GLKWS=$PYUTILS_CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_secret_gpg_subkeys.pgp.enc | $GPG_EXECUTABLE --import
+          $GPG_EXECUTABLE --list-keys || true
+          echo "Finish Decrypt Keys"
           $GPG_EXECUTABLE --list-keys  || echo "first invocation of gpg creates directories and returns 1"
           $GPG_EXECUTABLE --list-keys  
           MB_PYTHON_TAG=$(python -c "import setup; print(setup.MB_PYTHON_TAG)")

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -4,6 +4,7 @@ Changes
 3.3.1
 ~~~~~
 * FIX: Fix bug where lines were not displayed in Jupyter>=6.0 via #93
+* CHANGE: moving forward, new pypi releases will be signed with the GPG key 2A290272C174D28EA9CA48E9D7224DAF0347B114 for PyUtils-CI <[email protected]>. For reference, older versions were signed with either 262A1DF005BE5D2D5210237C85CD61514641325F or 1636DAF294BA22B89DBB354374F166CFA2F39C18.
 
 3.3.0
 ~~~~~

diff --git a/README.rst b/README.rst
@@ -53,8 +53,10 @@ a compiler.  If you wish to use it to run cProfile and not line-by-line
 profiling, you may copy it to a directory on your `PATH` manually and avoid
 trying to build any C extensions.
 
-As of 2021-04-25, only the linux binaries are available on pypi. If you are on
-windows and are unable to build from source, consider using Christoph Gohlke's
+As of 2021-06-04 Linux (x86_64 and i686), OSX (10_9_x86_64), and Win32 (win32,
+and amd64) binaries are available on pypi.
+
+Alternateively on windows you might consider using Christoph Gohlke's
 unofficial line-profiler 
 `precompiled win32 wheels <https://www.lfd.uci.edu/~gohlke/pythonlibs/#line_profiler>`_.
 

diff --git a/dev/public_gpg_key b/dev/public_gpg_key
@@ -1 +1 @@
-
+2A290272C174D28EA9CA48E9D7224DAF0347B114
diff --git a/dev/setup_secrets.sh b/dev/setup_secrets.sh
@@ -161,7 +161,22 @@ export_encrypted_code_signing_keys(){
     GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/ci_public_gpg_key.pgp > dev/ci_public_gpg_key.pgp.enc
     GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/ci_secret_gpg_subkeys.pgp > dev/ci_secret_gpg_subkeys.pgp.enc
     GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -e -a -in dev/gpg_owner_trust > dev/gpg_owner_trust.enc
-    echo $GPG_KEYID > dev/public_gpg_key
+    source dev/secrets_configuration.sh
+
+    CI_SECRET="${!VARNAME_CI_SECRET}"
+    echo "CI_SECRET=$CI_SECRET"
+    echo "GPG_IDENTIFIER=$GPG_IDENTIFIER"
+
+    # ADD RELEVANT VARIABLES TO THE CI SECRET VARIABLES
+
+    # HOW TO ENCRYPT YOUR SECRET GPG KEY
+    # You need to have a known public gpg key for this to make any sense
+
+    MAIN_GPG_KEYID=$(gpg --list-keys --keyid-format LONG "$GPG_IDENTIFIER" | head -n 2 | tail -n 1 | awk '{print $1}')
+    GPG_SIGN_SUBKEY=$(gpg --list-keys --with-subkey-fingerprints "$GPG_IDENTIFIER" | grep "\[S\]" -A 1 | tail -n 1 | awk '{print $1}')
+    echo "MAIN_GPG_KEYID  = $MAIN_GPG_KEYID"
+    echo "GPG_SIGN_SUBKEY = $GPG_SIGN_SUBKEY"
+    echo $ > dev/public_gpg_key
 
     # Test decrpyt
     GLKWS=$CI_SECRET openssl enc -aes-256-cbc -pbkdf2 -md SHA512 -pass env:GLKWS -d -a -in dev/ci_public_gpg_key.pgp.enc | gpg --list-packets --verbose
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ Changes @@
 .3.1
     ~~~~~
     * FIX: Fix bug where lines were not displayed in Jupyter>=6.0 via #93
+    * CHANGE: moving forward, new pypi releases will be signed with the GPG key 2A290272C174D28EA9CA48E9D7224DAF0347B114 for PyUtils-CI <[email protected]>. For reference, older versions were signed with either 262A1DF005BE5D2D5210237C85CD61514641325F or 1636DAF294BA22B89DBB354374F166CFA2F39C18.
 .3.0
     ~~~~~
@@ Expand Down @@