Github actions gpg decrypt results in an error (gpg: no valid OpenPGP data found.)
3

6

I'm building an Android apk using Github actions, and I need to use the Android sign key in order to sign it before releasing it.

To do so I'm using the technique described here with GPG to encrypt the release key as a base64 string, and use it as a secret in GitHub Actions.

Then, inside my workflow, I use GPG to decrypt it back into the key file.

However, this process, which works fine on my Mac, is failing in GitHub Actions.

Running this

- name: Decode keystore file
  run: |
    echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
    gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks

results in this

gpg: directory '/home/runner/.gnupg' created
gpg: keybox '/home/runner/.gnupg/pubring.kbx' created
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error
##[error]Process completed with exit code 2.

Running sudo apt-get install ca-certificates before using GPG is of no help either, since it says that it's already installed.

Any ideas?

Beadroll answered 30/6, 2020 at 14:20 Comment(0)
2

It seems release.keystore.asc contains invalid PGP data or no data at all. First, I would check the content of release.keystore.asc. You can upload the file as an artifact, then download it to examine its contents. Modify the workflow by adding the upload-artifact action step after the Decode keystore file step:

- name: Decode keystore file
  run: |
    echo "${{ secrets.KEY_STORE }}" > release.keystore.asc
    gpg -d --passphrase "${{ secrets.KEY_STORE_PASSPHRASE }}" --batch release.keystore.asc > signing-key.jks
- uses: actions/upload-artifact@v2
  if: failure()
  with:
    name: release.keystore.asc
    path: release.keystore.asc

Now you can download the release.keystore.asc artifact (it will be zipped so you have to unzip it) and check if the file contains valid PGP data (the file should start with -----BEGIN PGP MESSAGE----- and end with -----END PGP MESSAGE----- and contain valid encrypted PGP content between). If it does not then it means KEY_STORE secret contains invalid data.

Cloistered answered 7/7, 2020 at 10:44 Comment(0)
1

I was getting the same error. I made a silly mistake; not sure if you made the same one. While copying the base64 keystore string to the git secret, I was only copying the base64 string and not the whole file, i.e. the whole .asc file is like this:

-----BEGIN PGP MESSAGE-----
**base64 string here**
-----END PGP MESSAGE-----

You need to copy this whole file content (including BEGIN PGP and END PGP message). This solved my problem.

Humanly answered 18/9, 2021 at 15:12 Comment(0)
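
The check both answers above describe doing by hand (does the file begin and end with the armor lines, with a base64 body between them) can run on the runner itself. This is an added example, not code from the original posts; `check_armor` is a hypothetical helper name and the sample payload is constructed. It validates armor framing only and does not prove the message will decrypt.

```shell
# check_armor FILE: print a one-word diagnosis; return 0 only for "ok".
# It prints no part of the file contents, so the output is safe in a job log.
check_armor() {
    [ -s "$1" ] || { echo empty; return 1; }
    tr -d '\r' < "$1" | awk '
        BEGIN { B = "-----BEGIN PGP MESSAGE-----"; E = "-----END PGP MESSAGE-----" }
        { sub(/[ \t]+$/, "") }                      # ignore trailing blanks
        NF { if (!seen++) first = $0; last = $0 }   # first and last non-blank line
        $0 == B { hdr = 1; next }
        $0 == E { body = 0; next }
        hdr && !NF { hdr = 0; body = 1; next }      # blank line ends armor headers
        body && NF { lines++; if ($0 !~ "^=?[A-Za-z0-9+/]+=*$") bad++ }
        END {
            if (first != B && index(first, B) == 1) r = "collapsed"  # newlines lost
            else if (first != B) r = "no_begin"
            else if (last != E)  r = "no_end"
            else if (hdr)        r = "no_blank_line"
            else if (!lines)     r = "no_body"
            else if (bad)        r = "bad_body"
            else                 r = "ok"
            print r
            exit (r != "ok")
        }'
}

# Constructed sample (placeholder body, not real ciphertext): only the base64
# payload was pasted into the secret, without the BEGIN/END armor lines.
sample=$(mktemp)
printf '%s\n' 'Q09OU1RSVUNURUQ=' '=AAAA' > "$sample"
check_armor "$sample" || echo "KEY_STORE is not a complete armored message" >&2
rm -f "$sample"
```

In the workflow, calling `check_armor release.keystore.asc || exit 1` right after the `echo` line makes the job fail with a diagnosis before gpg runs.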
-1

For us, this turned out to be that the file wasn't actually encrypted!

Festoonery answered 17/6, 2024 at 22:17 Comment(1)
This should be a comment rather than an answer - Heterozygous