python-3.xgnupgprivate-keycirclecipassphrase

Error "gpg: decryption failed: No secret key" when using Blackbox in job Circle Ci


I have this workflow/job Circle Ci:

build:
docker:
  - image: circleci/python:3.7
environment:
  PIPENV_VENV_IN_PROJECT: true

steps:
  - checkout
#other stuff here ->  installing dependencies
  - run:
      name: Running blackbox
      command: |
        git clone https://github.com/StackExchange/blackbox.git
        cd blackbox && sudo make symlinks-install && cd ..
        echo "Importing key"
        echo -e "$GPG_KEY_CI" | gpg --import
        blackbox_postdeploy

I'm got stuck almost 3 hours the error "gpg: decryption failed: No secret key" when pipeline is running. I have set GPG_KEY_CI as a environment variable on Circle Ci, and I did some tests as "echo gpg --list-secret-keys" in order to check if the secret key (private key) was imported. So, everything looks correct.

Here is the output:

Cloning into 'blackbox'...
remote: Enumerating objects: 18, done.
remote: Counting objects: 100% (18/18), done.
remote: Compressing objects: 100% (16/16), done.
remote: Total 2151 (delta 6), reused 7 (delta 2), pack-reused 2133
Receiving objects: 100% (2151/2151), 617.31 KiB | 1.10 MiB/s, done.
Resolving deltas: 100% (1369/1369), done.
Symlinking files from ./bin to /usr/local/bin
Done.
Importing key
gpg: directory '/home/circleci/.gnupg' created
gpg: keybox '/home/circleci/.gnupg/pubring.kbx' created
gpg: /home/circleci/.gnupg/trustdb.gpg: trustdb created
gpg: key 9FxxxxxxxxxxxxD9: public key "Circle Ci <xxxxxxxxxx@gmail.com>" imported
gpg: key 9FxxxxxxxxxxxxD9: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
========== Importing keychain: START
gpg: Total number processed: 1
gpg:              unchanged: 1
========== Importing keychain: DONE
========== Decrypting new/changed files: START
gpg: decryption failed: No secret key

Solution

  • After 3 hours I have realized that the exported key was with a passphrase protecting the private key. So, a just export again the private key following this steps:

    1) First list the keys to get the fingerprint:

    >> gpg --list-secret-keys
    
    /Users/xxxxxx/.gnupg/pubring.kbx
    --------------------------------
    
    sec   rsa2048 2019-11-16 [SC] [expires: 2021-11-15]
          FED8634xxxxxxxxxxxxxxxxxxxxxx1E4C7020D9 <====== fingerprint
    uid           [ultimate] Circle Ci <xxxx+circleci@gmail.com>
    ssb   rsa2048 2019-11-16 [E] [expires: 2021-11-15]
    

    2) Remove the pass from your private key. When GnuPG prompts for the new passphrase, just leave it blank and hit enter (twice):

    >> gpg --edit-key <fingerprint>
    passwd
    save
    

    3) Export again the private key to clipboard (pbcopy copies the stdin to the clipboard):

    >> gpg -a --export-secret-keys <fingerprint> | cat -e | sed 's/\$/\\n/g' | pbcopy
    

    4) Replace the key on Circle Ci Environment Variables