Error “gpg: decryption failed: No secret key” when using Blackbox in job Circle Ci

1
votes

I have this workflow/job Circle Ci:

build:
docker:
  - image: circleci/python:3.7
environment:
  PIPENV_VENV_IN_PROJECT: true

steps:
  - checkout
#other stuff here ->  installing dependencies
  - run:
      name: Running blackbox
      command: |
        git clone https://github.com/StackExchange/blackbox.git
        cd blackbox && sudo make symlinks-install && cd ..
        echo "Importing key"
        echo -e "$GPG_KEY_CI" | gpg --import
        blackbox_postdeploy

I'm got stuck almost 3 hours the error "gpg: decryption failed: No secret key" when pipeline is running. I have set GPG_KEY_CI as a environment variable on Circle Ci, and I did some tests as "echo gpg --list-secret-keys" in order to check if the secret key (private key) was imported. So, everything looks correct.

Here is the output:

Cloning into 'blackbox'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 2151 (delta 6), reused 7 (delta 2), pack-reused 2133
Receiving objects: 100% (2151/2151), 617.31 KiB | 1.10 MiB/s, done.
Resolving deltas: 100% (1369/1369), done.
Symlinking files from ./bin to /usr/local/bin
Done.
Importing key
gpg: directory '/home/circleci/.gnupg' created
gpg: keybox '/home/circleci/.gnupg/pubring.kbx' created
gpg: /home/circleci/.gnupg/trustdb.gpg: trustdb created
gpg: key 9FxxxxxxxxxxxxD9: public key "Circle Ci <[email protected]>" imported
gpg: key 9FxxxxxxxxxxxxD9: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
========== Importing keychain: START
gpg: Total number processed: 1
gpg:              unchanged: 1
========== Importing keychain: DONE
========== Decrypting new/changed files: START
gpg: decryption failed: No secret key
1
python-3.xgnupgprivate-keycirclecipassphrase

1 Answers

1
votes

After 3 hours I have realized that the exported key was with a passphrase protecting the private key. So, a just export again the private key following this steps:

1) First list the keys to get the fingerprint:

>> gpg --list-secret-keys

/Users/xxxxxx/.gnupg/pubring.kbx
--------------------------------

sec   rsa2048 2019-11-16 [SC] [expires: 2021-11-15]
      FED8634xxxxxxxxxxxxxxxxxxxxxx1E4C7020D9 <====== fingerprint
uid           [ultimate] Circle Ci <[email protected]>
ssb   rsa2048 2019-11-16 [E] [expires: 2021-11-15]

2) Remove the pass from your private key. When GnuPG prompts for the new passphrase, just leave it blank and hit enter (twice):

>> gpg --edit-key <fingerprint>
passwd
save

3) Export again the private key to clipboard (pbcopy copies the stdin to the clipboard):

>> gpg -a --export-secret-keys <fingerprint> | cat -e | sed 's/\$/\\n/g' | pbcopy

4) Replace the key on Circle Ci Environment Variables