[cross-project-issues-dev] PGP Signing on ci.eclipse.org

[Ed Merks <ed.merks@xxxxxxxxx>]

Hi,

WindowBuilder started to use direct-from-maven content so it needs to 
PGP sign that content but does not yet do so:

  https://github.com/eclipse/windowbuilder/issues/302

To support that, the ci instance needs to be enabled which I requested 
via this:

  https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1474

Even with that enabled, I have not been successful in getting it to 
actually work.

I have the following "test" job but I can't get past the issue of 
needing, and not knowing, the passphrase:

  https://ci.eclipse.org/windowbuilder/job/test-gpg/

I tried to replicate what the platform does via a Jenkins file with this 
job:

  https://ci.eclipse.org/windowbuilder/job/gpg-pipeline/

But still there are problems with the passphrase.   Some magic must 
exist to get this part to work:

        withCredentials([string(credentialsId: 'gpg-passphrase', 
variable: 'KEYRING_PASSPHRASE')]) {

Has anyone else successfully gotten this to work?  In particular, how 
does one configure access to the passphrase of the GPG keystore?  Is 
that another thing that the IT staff needs to enable for the instance?

Clearly the platform has gotten this to work so someone must have an 
answer.   I've just not been able to track down that someone...

----------------

The answers to this question will become increasingly important to the 
projects downstream from the platform as the the platform actively is 
replacing as many Orbit dependencies with direct-from-maven dependencies 
as possible.   See the history here:

https://github.com/eclipse-platform/eclipse.platform.releng.aggregator/commits/master/eclipse.platform.releng.prereqs.sdk/eclipse-sdk-prereqs.target

One concern with this approach is that the direct-from-maven bundles 
typically have no version qualifier so if it's the "same" minor version 
as the Orbit one, it will look older rather than newer...

Regards,
Ed