kali

Reputation: 1161

PGP signature failure on publishing artifact

This is the first time ever I am trying to publish an artifact, and it could not be harder.

I am using sbt 0.13.8 with the plug-ins sbt-release 1.0.8, sbt-sonatype 2.0 and sbt-pgp 1.1.1.

The relevant part of my build.sbt looks like this:

pgpSecretRing := file("""C:\Users\kali\.sbt\gpg\secring.asc""")
pgpPublicRing := file("""C:\Users\kali\.sbt\gpg\pubring.asc""")
//pgpSecretRing := file("""C:\Users\kali\AppData\Local\lxss\home\kali\.gnupg\secring.gpg""")
//pgpPublicRing := file("""C:\Users\kali\AppData\Local\lxss\home\kali\.gnupg\pubring.gpg""")
usePgpKeyHex("c500a525a2efcb99")

name := "project-name"
organization := "com.mehmetyucel"
version := "0.0.2-SNAPSHOT"
scalaVersion := "2.12.2"
crossScalaVersions := Seq("2.11.11", "2.12.2")

lazy val projectName = project in file(".")

homepage := Some(url("https://some-github-url"))
scmInfo := Some(
  ScmInfo(url(
    "some-github-url"),
    "some-github-url.git"))

developers := List(
  Developer(
    "mehmetyucel",
    "Mehmet Yucel",
    "[email protected]",
    url("some-github-url")))

licenses += ("MIT", url("http://opensource.org/licenses/MIT"))
publishMavenStyle := true

publishTo := Some(
  if (isSnapshot.value)
    Opts.resolver.sonatypeSnapshots
  else
    Opts.resolver.sonatypeStaging
)

releaseCrossBuild := true

releaseProcess := Seq[ReleaseStep](
  checkSnapshotDependencies,
  inquireVersions,
  runClean,
  runTest,
  setReleaseVersion,
  commitReleaseVersion,
  tagRelease,
  // For non cross-build projects, use releaseStepCommand("publishSigned")
  releaseStepCommandAndRemaining("+publishSigned"),
  setNextVersion,
  commitNextVersion,
  releaseStepCommand("sonatypeReleaseAll"),
  pushChanges
)

The first 5 lines here I added out of desperation, because when I do sbt release, "I think" it signs my packages with a key that I am not aware of.

The error message I get is:

[info] Evaluate: signature-staging
[info] Failed: signature-staging, failureMessage:No public key: Key with id: (5b09423c9d5fbb5d) was not able to be located on http://keyserver.ubuntu.com:11371/. Upload your public key and try the operation again.

But my key is already uploaded. I can go and find my key on keyserver.ubuntu.com (http://keyserver.ubuntu.com/pks/lookup?op=get&search=0xC500A525A2EFCB99). Unfortunately, you will realize that the key id here is different, and I have no idea where this "5b09423c9d5fbb5d" is coming from.

I tried cloning the repository onto 3 different systems (macOS, Ubuntu and Win10), creating a brand new key, uploading the key to the Ubuntu keyserver and trying to release it again. The id in the error message is always the same (5b09423c9d5fbb5d). I have no idea where this is coming from and how it is the same despite using a totally different key/system.

I tried changing usePgpKeyHex("c500a525a2efcb99") to usePgpKeyHex("c500a525a2efcb91") (basically something that does not exist) and I get

[error] Not a valid command: failure-- (similar: onFailure)
[error] Not a valid project ID: failure--
[error] Expected ':' (if selecting a configuration)
[error] Not a valid key: failure--
[error] failure--
[error]          ^ 

on the signing stage, which is awesome, as it actually means sbt is using my key to sign. So, still, where does 5b09423c9d5fbb5d come from?

Upvotes: 1

Views: 306

Answers (1)

kali

Reputation: 1161

Solved: Apparently this key id was coming from the very first "publishSigned" I did for this project, which failed for another reason. I kept running publishSigned sonatypeRelease back to back quite a few times, and this caused a lot of "open" staging repositories in Sonatype.

I went to https://oss.sonatype.org/ and dropped all open staging repositories using the Nexus UI and restarted the release process, and everything works.

Upvotes: 1
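
One way to confirm which key a local build actually signed with, before suspecting stale staged content, is to read the issuer key ID straight out of a detached `.asc` signature. This is an added example, not code from the question or answer; it handles version 4 signatures only, the function names are assumptions, and `sample_signature` builds constructed test input rather than a real signature.

```python
import base64
from itertools import takewhile

def dearmor(armored):
    """Decode an ASCII-armored signature; the CRC-24 line is skipped, not verified."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP SIGNATURE"):
        raise ValueError("not an armored PGP signature")
    body = lines[lines.index("") + 1:]         # armor headers end at the blank line
    payload = takewhile(lambda l: not l.startswith(("=", "-----END")), body)
    return base64.b64decode("".join(payload))

def _length(buf, pos):
    """Read a variable-length field; return (length, offset just past the field)."""
    first = buf[pos]
    if first < 192:
        return first, pos + 1
    if first < 255:
        return ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5

def issuer_key_id(armored):
    """Return the issuer key ID (hex) recorded in a v4 detached signature, or None."""
    data = dearmor(armored)
    if data[0] & 0xC0 == 0xC0:                 # new-format header (no partial lengths here)
        tag, (length, pos) = data[0] & 0x3F, _length(data, 1)
    else:                                      # old-format header: 1, 2 or 4 length octets
        n = 1 << (data[0] & 0x03)
        tag, length, pos = (data[0] >> 2) & 0x0F, int.from_bytes(data[1:1 + n], "big"), 1 + n
    body = data[pos:pos + length]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet")
    pos = 4                                    # version, sig type, pubkey alg, hash alg
    for _ in range(2):                         # hashed area, then unhashed area
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            sub_len, pos = _length(body, pos)
            if body[pos] & 0x7F == 16:         # subpacket type 16: issuer key ID
                return body[pos + 1:pos + 9].hex()
            pos += sub_len
    return None

def sample_signature(key_id):
    """Constructed test input: signature-shaped packet, no real cryptographic value."""
    subs = bytes([0, 6, 5, 2, 0, 0, 0, 0, 0, 10, 9, 16]) + bytes.fromhex(key_id)
    body = bytes([4, 0, 1, 8]) + subs + bytes(4)   # header, subpacket areas, dummy tail
    b64 = base64.b64encode(bytes([0x88, len(body)]) + body).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{b64}\n=AAAA\n-----END PGP SIGNATURE-----\n"
```

If the `.asc` files produced locally by publishSigned report the key ID given to usePgpKeyHex while the staging rule names a different one, the mismatching signature is in content already staged remotely, which matches the fix described in the answer.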
