travis-build.sh: enable GPG signing if feasible

ctrueden · ctrueden · commit f91eb9b953a6 · 2017-10-17T14:45:33.000-05:00
If signingkey.asc.enc is present, decrypt it and import it into the
GPG keyring. On the Maven side, if ~/.gnupg exists, activate a profile
setting the gpg.keyname &amp; gpg.passphrase Maven properties to match the
GPG_KEY_NAME and GPG_PASSPHRASE environment variables, respectively.

These changes pave the way for signing build artifacts as needed;
see also the forthcoming add-travis.sh script in this repository.
diff --git a/travis-build.sh b/travis-build.sh
@@ -36,9 +36,34 @@ cat >"$settingsFile" <<EOL
 			<password>${env.OSSRH_PASS}</password>
 		</server>
 	</servers>
+	<profiles>
+		<profile>
+			<id>gpg</id>
+			<activation>
+				<file>
+					<exists>${env.HOME}/.gnupg</exists>
+				</file>
+			</activation>
+			<properties>
+				<gpg.keyname>${env.GPG_KEY_NAME}</gpg.keyname>
+				<gpg.passphrase>${env.GPG_PASSPHRASE}</gpg.passphrase>
+			</properties>
+		</profile>
+	</profiles>
 </settings>
 EOL
 
+# Populate the GPG signing key.
+keyFile=.travis/signingkey.asc
+if [ "$TRAVIS_SECURE_ENV_VARS" = true \
+	-a "$TRAVIS_PULL_REQUEST" = false \
+	-a -f "$keyFile.enc" -a -e "$1" -a -e "$2" ]
+then
+	echo "== Decrypting GPG keypair =="
+	openssl aes-256-cbc -K "$1" -iv "$2" -in "$keyFile.enc" -out "$keyFile" -d &&
+	gpg --batch --fast-import "$keyFile" --passphrase "$GPG_PASSPHRASE"
+fi
+
 # Run the build.
 if [ "$TRAVIS_SECURE_ENV_VARS" = true \
 	-a "$TRAVIS_PULL_REQUEST" = false \
