......@@ -36,7 +36,7 @@ variables:
MAVEN_IMAGE: "maven:3.5.4-jdk-8"
BASH_CURL_IMAGE: "cosmintitei/bash-curl:latest"
MAVEN_CLI_OPTS: "--settings ${CI_GITLAB_PATH}/.m2/settings.xml --batch-mode --errors --show-version"
# OPENSSL_CLI_OPTS: "enc aes-256-cbc -K ${OPENSSL_ENC_KEY} -iv ${OPENSSL_ENC_IV}"
OPENSSL_CLI_OPTS: "enc -aes-256-cbc -K ${OPENSSL_ENC_KEY} -iv ${OPENSSL_ENC_IV}"
GPG_CONF: ".gnupg/gpg.conf"
GPG_AGENT_CONF: ".gnupg/gpg-agent.conf"
# TODO: adjust the line below to refer to the appropriate Okapi project ID.
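Review bot: The uncommented `OPENSSL_CLI_OPTS` line puts the raw key and IV on the `openssl` command line (`-K ${OPENSSL_ENC_KEY} -iv ${OPENSSL_ENC_IV}`), so both are readable from the runner's process list while the command runs, and they reach the job log if debug tracing (`CI_DEBUG_TRACE`) is enabled. `openssl enc` can read its secret from the environment instead, e.g. `OPENSSL_CLI_OPTS: "enc -aes-256-cbc -pass env:OPENSSL_ENC_PASS"` (the variable name is a placeholder, the `.enc` file would have to be re-encrypted with that passphrase, and `-pbkdf2` should be added if the image's OpenSSL supports it). `-aes-256-cbc` also carries no integrity check, so a modified `code-signing-key.asc.enc` is not rejected at the decryption step; a comment next to the variable saying so, and that the key/IV pair must not be reused for a re-encrypted file, would help the next maintainer. The +/- markers are lost on this page, so which of the two `OPENSSL_CLI_OPTS` lines is the new one is inferred.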
......@@ -65,10 +65,8 @@ verification:
- ${HOME}/target/
policy: pull
# TODO: make a decision on whether we are going to push to the repo the encrypted gpg key and decrypt it before importing.
# - openssl ${OPENSSL_CLI_OPTS} -d -in ${CI_GITLAB_PATH}/code-signing-key.asc.enc -out ${CI_GITLAB_PATH}/code-signing-key.asc
# - gpg --fast-import ${CI_GITLAB_PATH}/code-signing-key.asc
- echo "${GPG_KEY}" | gpg --batch --armor --import
- openssl ${OPENSSL_CLI_OPTS} -d -in ${CI_GITLAB_PATH}/code-signing-key.asc.enc -out ${CI_GITLAB_PATH}/code-signing-key.asc
- gpg --batch --import ${CI_GITLAB_PATH}/code-signing-key.asc
- echo "use-agent" > ${HOME}/{GPG_CONF}
- echo "pinentry-mode loopback" >> ${HOME}/${GPG_CONF}
- echo "allow-loopback-pinentry" > ${HOME}/${GPG_AGENT_CONF}
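Review bot: The decrypt step writes the private signing key in clear text to `${CI_GITLAB_PATH}/code-signing-key.asc`, and nothing in the visible lines removes it, so it stays in the checkout for the rest of the job and could be picked up by a cache or artifact path. Piping the output straight into gpg avoids the file: `- openssl ${OPENSSL_CLI_OPTS} -d -in ${CI_GITLAB_PATH}/code-signing-key.asc.enc | gpg --batch --import`. Separately, `${HOME}/{GPG_CONF}` is missing a `$`, so `use-agent` is written to a file literally named `{GPG_CONF}`; the line should read `- echo "use-agent" > ${HOME}/${GPG_CONF}`. The +/- markers are lost on this page, so which lines are new is inferred, and the job's script continues past the end of the hunk.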
......@@ -99,6 +99,8 @@ The following secret variables have to be declared under
`MAVEN_REPO_PASS`: sonatype user's password
`GPG_KEY`: the key for code signing (base64-encoded)
`OPENSSL_ENC_KEY`: the OpenSSL key for decoding the code signing key
`OPENSSL_ENC_IV`: the OpenSSL initialisation vector for decoding the code signing key
`GPG_PASSPHRASE`: the pass-phrase for the code signing key
