This is an automated email from the ASF dual-hosted git repository.

stoty pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/phoenix.git


The following commit(s) were added to refs/heads/master by this push:
     new 9e2017f47b PHOENIX-7446 Document GPG passphrase handling in release process (#2019)
9e2017f47b is described below

commit 9e2017f47bfcffd96eee99370963e138bd96b2d8
Author: Istvan Toth <[email protected]>
AuthorDate: Thu Oct 31 07:11:56 2024 +0100

    PHOENIX-7446 Document GPG passphrase handling in release process (#2019)
---
 dev/create-release/README.txt | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/dev/create-release/README.txt b/dev/create-release/README.txt
index 03f5e3d499..c253fc926e 100644
--- a/dev/create-release/README.txt
+++ b/dev/create-release/README.txt
@@ -54,6 +54,28 @@ on caching the unlocked secret via ~/.gnupg/gpg-agent.conf
   default-cache-ttl 86400
   max-cache-ttl 86400
 
+In the current version, passphrase entry doesn't work at all, at least for 
Linux Docker builds.
+Increasing the TTL only works if you unlock the key before starting the 
release script by running
+gpg separately before the script.
+A better way to handle passphrases without changing the TTLs is to preset the 
passphrase,
+which avoids using pinentry mechanism completely, and will be reset on logout.
+
+# Find the "gpg-preset-passphrase" program. It is not on the PATH by default.
+$ find / -name gpg-preset-passphrase
+# Make sure you have the "allow-preset-passphrase" line  in your 
$HOME/.gnupg/gpg-agent.conf
+# Restart gpg
+$ gpgconf --kill all && gpg-connect-agent /bye
+# List your keys with key grip
+$ gpg --with-keygrip --list-secret-keys
+# Preset the passphrase for your signing key
+# </full/path/to/>/gpg-preset-passphrase -P <the passphrase> -c <the keygrip>
+# Check that the passphrase is successfully preset. There should be a '1' at 
the fourth position
+# after the keygrip for your key in the output for the signing key
+$ gpg-connect-agent 'keyinfo --list' /bye
+# Run the release script (see above)
+# Restart the gpg agent again to make sure it forgets the preset passphrase
+$ gpgconf --kill all && gpg-connect-agent /bye
+
 Running a build on GCE is easy enough. Here are some notes if of use.
 Create an instance. 4CPU/15G/10G disk seems to work well enough.
 Once up, run the below to make your machine fit for RC building:
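
Review bot: The preset step (`gpg-preset-passphrase -P <the passphrase> -c <the keygrip>`) puts the signing-key passphrase on the command line, where it lands in shell history and is readable from the process list by other local users; the GnuPG documentation for -P warns about exactly this. Suggest documenting the stdin form instead: drop -P and let gpg-preset-passphrase read the passphrase from standard input. The same line is prefixed with "# " while every other command in the block uses "$ ", so it reads as a comment rather than a step to run. Smaller points: "Restart gpg" should say gpg-agent, since that is what `gpgconf --kill all` followed by `gpg-connect-agent /bye` restarts, and `gpgconf --list-dirs libexecdir` usually points at the directory holding the helper without a full `find /` scan.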
