I have this workflow/job Circle Ci:
build:
docker:
- image: circleci/python:3.7
environment:
PIPENV_VENV_IN_PROJECT: true
steps:
- checkout
#other stuff here -> installing dependencies
- run:
name: Running blackbox
command: |
git clone https://github.com/StackExchange/blackbox.git
cd blackbox && sudo make symlinks-install && cd ..
echo "Importing key"
echo -e "$GPG_KEY_CI" | gpg --import
blackbox_postdeploy
I'm got stuck almost 3 hours the error "gpg: decryption failed: No secret key" when pipeline is running. I have set GPG_KEY_CI as a environment variable on Circle Ci, and I did some tests as "echo gpg --list-secret-keys" in order to check if the secret key (private key) was imported. So, everything looks correct.
Here is the output:
Cloning into 'blackbox'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 2151 (delta 6), reused 7 (delta 2), pack-reused 2133
Receiving objects: 100% (2151/2151), 617.31 KiB | 1.10 MiB/s, done.
Resolving deltas: 100% (1369/1369), done.
Symlinking files from ./bin to /usr/local/bin
Done.
Importing key
gpg: directory '/home/circleci/.gnupg' created
gpg: keybox '/home/circleci/.gnupg/pubring.kbx' created
gpg: /home/circleci/.gnupg/trustdb.gpg: trustdb created
gpg: key 9FxxxxxxxxxxxxD9: public key "Circle Ci <[email protected]>" imported
gpg: key 9FxxxxxxxxxxxxD9: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
========== Importing keychain: START
gpg: Total number processed: 1
gpg: unchanged: 1
========== Importing keychain: DONE
========== Decrypting new/changed files: START
gpg: decryption failed: No secret key
After 3 hours I have realized that the exported key was with a passphrase protecting the private key. So, a just export again the private key following this steps:
1) First list the keys to get the fingerprint:
>> gpg --list-secret-keys
/Users/xxxxxx/.gnupg/pubring.kbx
--------------------------------
sec rsa2048 2019-11-16 [SC] [expires: 2021-11-15]
FED8634xxxxxxxxxxxxxxxxxxxxxx1E4C7020D9 <====== fingerprint
uid [ultimate] Circle Ci <[email protected]>
ssb rsa2048 2019-11-16 [E] [expires: 2021-11-15]
2) Remove the pass from your private key. When GnuPG prompts for the new passphrase, just leave it blank and hit enter (twice):
>> gpg --edit-key <fingerprint>
passwd
save
3) Export again the private key to clipboard (pbcopy copies the stdin to the clipboard):
>> gpg -a --export-secret-keys <fingerprint> | cat -e | sed 's/\$/\\n/g' | pbcopy
4) Replace the key on Circle Ci Environment Variables