
Team Scala PGP key


Team Scala publishes to Sonatype with the following PGP key.

pub   ed25519/0x069CF9A740F07CF1 2024-12-18 [SC] [expired: 2025-12-18]
      Key fingerprint = BB47 11DD 9E47 3110 60FA  0BAF 069C F9A7 40F0 7CF1
uid                   [ expired] Jack Henry Scala Team <scala@noreply.jackhenry.com>

Never mind the “expired”, that’s what we’re going to fix.

Obtaining the secrets

Team Scala does not have a corporate-endorsed secret manager to share the secrets. Contact Pulsar to get the private key and passphrase. They should be in Vault. They are definitely in GitHub under the variables PGP_SECRET and PGP_PASSPHRASE, respectively.

Set them to your environment.

[!TIP] In many shells, if you set it with leading spaces, it won’t be in your history.

$      export PGP_SECRET="not in my history!"

Extending the key

Set up a temporary GPG home

$ export GNUPGHOME=$(mktemp -d)

Import the secret. base64 -d it if and only if it looks like base64. That depends on how Pulsar sent it to you. You’ll be prompted for the $PGP_PASSPHRASE.

$ echo "$PGP_SECRET" | base64 -d | gpg --import
gpg: key 069CF9A740F07CF1: public key "Jack Henry Scala Team <scala@noreply.jackhenry.com>" imported
gpg: key 0x069CF9A740F07CF1: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:  secret keys unchanged: 1

We’ll need the fingerprint of the primary key and the encryption subkey:

$ PRIMARY_FPR=$(gpg -K --with-colons | awk -F: '/^fpr:/ {print $10; exit}')
$ SUB_FPR=$(gpg -K --with-colons | awk -F: '$1 == "ssb" {flag=1} $1 == "fpr" && flag {print $10; flag=0}')

Let’s kick the can down the road far enough that this isn’t a frequent nuisance, but not so far that the people who remember how to do this on Team Scala and Team Pulsar have all retired. 25 months will do.

[!TIP] You might think you can do this as a one-liner with '*' as the final argument, and you’d be right if you’re here before it expired. History strongly suggests you aren’t, and this should work either way.

$ gpg --quick-set-expire "$PRIMARY_FPR" 25m
$ gpg --quick-set-expire "$PRIMARY_FPR" 25m "$SUB_FPR"

Verify our handiwork

The key is no longer expired, and now we should see the previously expired encryption subkey (the [E]).

$ gpg -k
/var/folders/v6/73j5t1rj6wg4rfc15zqvbk140000gn/T/tmp.pRltdk2b3S/pubring.kbx
---------------------------------------------------------------------------
pub   ed25519 2024-12-18 [SC] [expires: 2028-03-23]
      BB4711DD9E47311060FA0BAF069CF9A740F07CF1
uid           [ unknown] Jack Henry Scala Team <scala@noreply.jackhenry.com>
sub   cv25519 2024-12-18 [E] [expires: 2028-03-23]

Are they comfortably in the future? Good.
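
To make that check mechanical, here is an added example (not part of the original runbook) that reads gpg's colon-delimited listing and fails unless the primary key and an encryption subkey both expire far enough out. The function name check_expiry, the sample records, and the choice to treat a key with no expiry as a failure are assumptions made for this example.

```shell
# Constructed `gpg -k --with-colons` records: the key ID comes from this page,
# the subkey ID and all timestamps are made up for the example.
SAMPLE_EXTENDED='pub:-:255:22:069CF9A740F07CF1:1734480000:1837382400::-:::scESC:::::ed25519:::0:
sub:-:255:18:AAAAAAAAAAAAAAAA:1734480000:1837382400:::::e:::::cv25519::'
SAMPLE_EXPIRED='pub:e:255:22:069CF9A740F07CF1:1734480000:1766016000::-:::scESC:::::ed25519:::0:
sub:e:255:18:AAAAAAAAAAAAAAAA:1734480000:1766016000:::::e:::::cv25519::'
# Primary extended, subkey forgotten: what skipping the second command leaves.
SAMPLE_PRIMARY_ONLY='pub:-:255:22:069CF9A740F07CF1:1734480000:1837382400::-:::scESC:::::ed25519:::0:
sub:e:255:18:AAAAAAAAAAAAAAAA:1734480000:1766016000:::::e:::::cv25519::'

# check_expiry NOW_EPOCH MIN_DAYS   (colon listing on stdin)
# Prints one status line per key and returns 0 only if every pub/sub record
# expires at least MIN_DAYS after NOW_EPOCH and an encryption subkey is present.
check_expiry() {
  awk -F: -v now="$1" -v min_days="$2" '
    BEGIN { limit = now + min_days * 86400; bad = 0; pub_ok = 0; enc_ok = 0 }
    $1 == "pub" || $1 == "sub" {
      # Field 5 = key ID, field 7 = expiry (epoch seconds), field 12 = capabilities.
      if ($7 == "")            status = "no-expiry"     # assumption: a finite expiry is wanted
      else if ($7 + 0 <= now)  status = "expired"
      else if ($7 + 0 < limit) status = "expires-soon"
      else                     status = "ok"
      printf "%s %s [%s] %s\n", $1, $5, $12, status
      if (status != "ok")      bad = 1
      else if ($1 == "pub")    pub_ok = 1
      else if ($12 ~ /e/)      enc_ok = 1
    }
    END { exit !(bad == 0 && pub_ok && enc_ok) }
  '
}

# Demo on the constructed data, evaluated at a fixed "now" in March 2026.
printf '%s\n' "$SAMPLE_EXTENDED" | check_expiry 1774000000 365
# Real use, inside the temporary GNUPGHOME from the steps above:
#   gpg -k --with-colons "$PRIMARY_FPR" | check_expiry "$(date +%s)" 365
```
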

Encode the private key

We need to export the updated key, encode it as Base64 without newlines, and send it to our favorite Pulsar teammate.

$ gpg --export-secret-keys "$PRIMARY_FPR" | base64 -w 0 | pbcopy 

You might want to share with Backstage. The Base64 goo is on your clipboard.

Update the GitHub secrets

Pulsar needs to take that base64 goo and make it the PGP_SECRET on all the open source Scala repositories. At time of writing, these are:

  • Banno/kafka4s
  • Banno/semgrep-scalafix
  • Banno/vault4s

Store the secrets for next time

Team Scala has no place to share this secret. Make sure Pulsar knows where to find it. Write it down here, because neither we nor they will remember in 25 months.

[!INFO] @rossabaker, @jmhardison, and @morgen-peschke knew where the bodies were buried in March 2026. If Team Pulsar or new ownership doesn’t know in 2028, start with one of them.

Remove the radioactive waste private key from your computer

Does Pulsar have the private key? Good. Get it the heck off yours.

$ gpg --delete-secret-keys "$PRIMARY_FPR"
gpg (GnuPG) 2.4.9; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  ed25519/069CF9A740F07CF1 2024-12-18 Jack Henry Scala Team <scala@noreply.jackhenry.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
$ gpg -K

Publish the public key

The rest of the world needs to know the expired key is unexpired.

$ gpg --keyserver keys.openpgp.org --send-keys "$PRIMARY_FPR" 
gpg: sending key 069CF9A740F07CF1 to hkp://keys.openpgp.org

Set a reminder to update this

Do it about 24 months from now. Reference this document.