The files in this package-manager-configs folder should be deployed to the associated repository. The deployment of these files is a one-time operation. These files make it easier for users to set up their local machine to use our installer repositories.
Production: The production files have been deployed to repo.sonatype.com
in the community-hosted
raw repository.
-
Generation (mac os):
$ gpg --gen-key gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc. ... Real name: Sonatype Community PGP Email address: [email protected] You selected this USER-ID: "Sonatype Community PGP <[email protected]>" ... gpg: revocation certificate stored as '/.../.gnupg/openpgp-revocs.d/80900DA1952D7C7968F3CFD98C79C4D0382A0E3A.rev' public and secret key created and signed. pub rsa2048 2020-05-01 [SC] [expires: 2022-05-01] 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A uid Sonatype Community PGP <[email protected]> sub rsa2048 2020-05-01 [E] [expires: 2022-05-01]
Remember to securely store the password and revoke-cert.rev.txt
-
Publish the key (see update notes for current command):
$ gpg --keyserver hkp://yaddayadda --send-keys 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A gpg: sending key 8C79C4D0382A0E3A to hkp://yaddayadda
The GPG key used to sign rpms will eventually expire and need to be renewed. First, sanity check your local key store via:
$ gpg --list-keys
...
pub rsa2048 2020-05-01 [SC] [expires: 2024-05-17]
80900DA1952D7C7968F3CFD98C79C4D0382A0E3A
uid [ultimate] Sonatype Community PGP <[email protected]>
sub rsa2048 2020-05-01 [E] [expires: 2024-05-17]
...
You might need to import the GPG key to your local keystore. The steps below show how to update and republish the Sonatype Community PGP key.
-
Update the key.
$ gpg --edit-key 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A gpg (GnuPG) 2.3.4; Copyright (C) 2021 Free Software Foundation, Inc. ... sec rsa2048/8C79C4D0382A0E3A created: 2020-05-01 expired: 2022-05-01 usage: SC trust: ultimate validity: expired ssb rsa2048/23A79D104345474C created: 2020-05-01 expired: 2022-05-01 usage: E [ expired] (1). Sonatype Community PGP <[email protected]> gpg> 1 sec rsa2048/8C79C4D0382A0E3A created: 2020-05-01 expired: 2022-05-01 usage: SC trust: ultimate validity: expired ssb rsa2048/23A79D104345474C created: 2020-05-01 expired: 2022-05-01 usage: E [ expired] (1)* Sonatype Community PGP <[email protected]> gpg> expire Changing expiration time for the primary key. Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 2y Key expires at Fri May 17 16:45:08 2024 EDT Is this correct? (y/N) y sec rsa2048/8C79C4D0382A0E3A created: 2020-05-01 expires: 2024-05-17 usage: SC trust: ultimate validity: ultimate ssb rsa2048/23A79D104345474C created: 2020-05-01 expired: 2022-05-01 usage: E [ultimate] (1)* Sonatype Community PGP <[email protected]> gpg: WARNING: Your encryption subkey expires soon. gpg: You may want to change its expiration date too. gpg> save
-
Publish the updated key:
gpg --keyserver pgp.mit.edu --send-keys 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A gpg: sending key 8C79C4D0382A0E3A to hkp://pgp.mit.edu gpg --keyserver keyserver.ubuntu.com --send-keys 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A gpg: sending key 8C79C4D0382A0E3A to hkp://keyserver.ubuntu.com
-
To use the updated key for rpm signing during CI builds, you need to export the private key in base64 (e.g. CircleCI env var: SECRING_GPG_ASC_BASE64). Use the key id (not email address) when exporting.
gpg --no-default-keyring --armor --export-secret-key 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A | base64
Securely store this value.
-
Update the public key files in our public repository.
- Export the public key. Use the key id (not email address) when exporting.
gpg --output RPM-GPG-KEY-Sonatype.asc --armor --export 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A
- Upload that file to the community-hosted raw repository, specifically:
- Export the public key. Use the key id (not email address) when exporting.
-
Update the private signing key in the Apt repository configuration of Nexus Repository Manager. You will need the PGP key password for this step. The command below will put the private key into your clipboard, so you can paste it into the Nexus Repository Manager Apt config Signing Key field.
gpg --no-default-keyring --armor --export-secret-key 80900DA1952D7C7968F3CFD98C79C4D0382A0E3A | pbcopy
Put the passphrase for the above private signing key into the Passphrase field of Nexus Repository Manager Apt config.