checkPgpSignatures java.lang.IllegalArgumentException

[sebastianvoss]

When executing sbt checkPgpSignatures I get java.lang.IllegalArgumentException errors. Is there anything I'm missing? This is also happening when executing in the sbt-pgp repository.

[error] (sbt-pgp/*:updatePgpSignatures) java.lang.IllegalArgumentException: Cannot add artifact 'sbt-pgp_2.10.jar' to configuration 'compile' of module com.jsuereth#sbt-pgp_2.10;1.0-362db608157e066125b850127da6babbae08482b because this configuration doesn't exist!
[error] (library/*:updatePgpSignatures) java.lang.IllegalArgumentException: Cannot add artifact 'pgp-library_2.10.jar' to configuration 'compile' of module com.jsuereth#pgp-library_2.10;1.0-362db608157e066125b850127da6babbae08482b because this configuration doesn't exist!
[error] (plugin/*:updatePgpSignatures) java.lang.IllegalArgumentException: Cannot add artifact 'sbt-pgp.jar' to configuration 'compile' of module com.jsuereth#sbt-pgp;1.0-362db608157e066125b850127da6babbae08482b because this configuration doesn't exist!

[jamesward]

Switching to the 2.0.0-M2 release resolves this for me.

[robstoll]

still happens with 2.2.1 :(

[sageserpent-open]

I'm seeing this too, I've made a minimal reproduction on a branch in the Americium repository: https://github.com/sageserpent-open/americium/tree/being-for-the-benefit-of-issue-129.

Git commit in that repository: ba06422.

I tried various versions of sbt-pgp, including some from before the cutover to the new coordinates in Sonatype / Maven Central, but the same problem keeps occurring.

I'm using addSbtPlugin("com.github.sbt" % "sbt-pgp" % "2.2.1") for the published reproduction, SBT is configured to use sbt.version=1.10.1.

The minimal build.sbt is:

lazy val settings = Seq()

lazy val troublesome = (project in file("."))
  .settings(settings: _*)

Debugging SBT, I notice that there is just one configuration for default, whereas the plugin drives the code in DefaultModuleDescriptor.addArtifact to use the (non-existent) pom configuration at the point where the exception is thrown.

The configuration is obtained from the relevant artifacts associated with the module troublesome (see the Vector entries):

artifacts = {Vector@11770} size = 4
 0 = {Artifact@11780} Artifact(troublesome_2.12, pom, pom, None, Vector(pom), None, Map(), None, false)
 1 = {Artifact@11781} Artifact(troublesome_2.12, jar, jar, None, Vector(compile), None, Map(), None, false)
 2 = {Artifact@11782} Artifact(troublesome_2.12, src, jar, Some(sources), Vector(compile), None, Map(), None, false)
 3 = {Artifact@11783} Artifact(troublesome_2.12, doc, jar, Some(javadoc), Vector(compile), None, Map(), None, false)

I tried mindlessly debugging through running the clean task versus checkPgpSignatures, one obvious difference is how the configurations are populated - the clean task seems to pick up the ivyConfigurations
SBT setting (in Defaults.moduleSettings0) to add in the usual configurations - compile, runtime, test ... pom etc.

The checkPgpSignatures task uses another code path in the sbt-pgp plugin to build an inline configuration that appears to be driven by the updatePgpSignatures / signaturesModule SBT setting, tweaked by the plugin in PgpSettings.verifySettings to use Configurations.default as the sole configuration. Hence the downstream exception.

[sageserpent-open]

Emboldened, I tried tweaking updatePgpSignatures / signaturesModule in a follow-on commit 075b38 in the Americium repository.

This adds (updatePgpSignatures / signaturesModule) := GetSignaturesModule(projectID.value, libraryDependencies.value, Configurations.Default :: Configurations.Pom :: Configurations.Compile :: Nil) to the project settings.

I now see this when running the checkPgpSignatures task:

[info] welcome to sbt 1.10.1 (Oracle Corporation Java 21.0.1)
[info] loading global plugins from /Users/gerardmurphy/.sbt/1.0/plugins
[info] loading settings for project americium-build from plugins.sbt ...
[info] loading project definition from /Users/gerardmurphy/IdeaProjects/americium/project
[info] loading settings for project troublesome from build.sbt ...
[info] set current project to troublesome (in build file:/Users/gerardmurphy/IdeaProjects/americium/)
[info] sbt server started at local:///Users/gerardmurphy/.sbt/1.0/server/266500c14e9ac25c8293/sock
[info] started sbt server
sbt:troublesome> checkPgpSignatures
[info] ----- PGP Signature Results -----
[info]   org.scala-lang : scala-library : 2.12.19 : jar   [BAD]
[error] stack trace is suppressed; run last checkPgpSignatures for the full output
[error] (checkPgpSignatures) Some artifacts have bad signatures or are signed by untrusted sources!
[error] Total time: 0 s, completed 31 Aug 2024, 12:45:33
sbt:troublesome> 

Not sure about the result for the scala library, but at least the task completes now! This last one was simply down to my not having populated the ~/.sbt/gpg/pubring.asc public key ring, so ignore that.