Description
CI run: https://github.com/coder/coder/actions/runs/21086635027
Commit: 4d414a0df79ed37dafff5c9d5951d5799a63d672 ("feat: add --use-parameter-defaults flag") by Asher ash@coder.com
What failed
build job failed (exit code 2) due to GPG signing errors while building slim binaries.
Key log excerpts:
gpg: key 6A5A671B5E40A3B9: secret key imported
...
gpg: no default secret key: No secret key
gpg: signing failed: No secret key
make: *** [Makefile:229: build/coder-slim_2.29.1-devel+4d414a0df_linux_amd64] Error 2
This repeats across multiple targets (linux_amd64, linux_arm64, linux_armv7, darwin_amd64, darwin_arm64, windows_amd64.exe, windows_arm64.exe).
Suspected root cause
scripts/sign_with_gpg.sh imports the release key from CODER_GPG_RELEASE_KEY_BASE64 into a temp GNUPGHOME, then calls:
true | gpg --homedir "$gnupg_home_temp" --detach-sign --armor "$FILE_TO_SIGN"
This uses the default signing key. Despite the import step reporting a secret key imported, signing fails with no default secret key.
Likely causes:
- the imported key is not usable for signing in CI (e.g. passphrase-protected key / stub key / missing secret material)
- gpg requires an explicit --local-user / --default-key in this environment
Ownership / assignment rationale
The GPG signing path was introduced in:
- PR feat: sign coder binaries with the release key using GPG coder#18774 (merge commit dc0919da332f27364969b9d5be63d8045ca0d993) by jdomeracki-coder
Suggested next steps
- In scripts/sign_with_gpg.sh, after import, dump gpg --list-secret-keys --keyid-format LONG for debugging (in CI logs).
- Consider specifying the signing key explicitly (e.g. --local-user 6A5A671B5E40A3B9 or by fingerprint).
- If the key is passphrase-protected, use --batch --pinentry-mode loopback and provide a passphrase (or use an unprotected CI-only signing subkey).
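One way to turn the first two steps into a check the script can fail on early, as an added example that is not code from coder/coder: it parses gpg --list-secret-keys --with-colons output and returns the fingerprint of a key that can actually sign, rejecting stub keys. The function name, sample listings and fingerprints are constructed for illustration; $gnupg_home_temp and $FILE_TO_SIGN are the variables quoted above.

```shell
#!/bin/sh
# Added example, not part of coder/coder. Listings and fingerprints are constructed.
STUB_FPR=0000000000000000000000000000000000000001
SUBKEY_FPR=0000000000000000000000000000000000000002

# Primary key present only as a stub: field 15 is "#", so there is nothing to sign with.
SAMPLE_STUB_ONLY="sec:u:4096:1:0000000000000001:1700000000:::u:::scESC:::#:
fpr:::::::::${STUB_FPR}:
uid:u::::1700000000::::Constructed Release Key <release@example.invalid>:"

# Same stub primary plus a signing subkey whose secret material is present ("+").
SAMPLE_WITH_SUBKEY="${SAMPLE_STUB_ONLY}
ssb:u:4096:1:0000000000000002:1700000000::::::s:::+:
fpr:::::::::${SUBKEY_FPR}:"

# Reads a --with-colons secret key listing on stdin.
# Prints the fingerprint of the first usable signing key; exit 1 if there is none.
pick_signing_fpr() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      bad_validity = ($2 ~ /^[eird]$/)   # expired, invalid, revoked, disabled
      can_sign = (index($12, "s") > 0)   # lowercase s: this key itself can sign
      stub = ($15 == "#")                # "#": stub, secret material missing
      want = (can_sign && !stub && !bad_validity)
      next
    }
    # The fpr record that follows a sec/ssb record carries its fingerprint.
    $1 == "fpr" && want { print $10; found = 1; exit }
    END { exit (found ? 0 : 1) }
  '
}

# Demo on the constructed listings.
for listing in "$SAMPLE_STUB_ONLY" "$SAMPLE_WITH_SUBKEY"; do
  printf '%s\n' "$listing" | pick_signing_fpr || echo "no usable signing key"
done

# Intended use in the signing script (not run here):
#   fpr=$(gpg --homedir "$gnupg_home_temp" --batch --with-colons \
#         --list-secret-keys | pick_signing_fpr) || exit 1
#   gpg --homedir "$gnupg_home_temp" --batch --local-user "${fpr}!" \
#       --detach-sign --armor "$FILE_TO_SIGN"
```

The trailing "!" on --local-user tells gpg to use exactly that key or subkey instead of choosing one itself.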
Related failures in same run
This run also had lint + offlinedocs failures due to sum.golang.org 500s, but the build failure appears independent.