RUM-3104 generate verification-metadata with pgp information

Author: xgouchet

.gitlab-ci.yml

@@ -63,6 +63,7 @@ stages:
     - export GPG_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_passphrase --with-decryption --query "Parameter.Value" --out text)
     - export OSSRH_USERNAME=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.ossrh_username --with-decryption --query "Parameter.Value" --out text)
     - export OSSRH_PASSWORD=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.ossrh_password --with-decryption --query "Parameter.Value" --out text)
+    - export GPG_PUBLIC_FINGERPRINT=$(aws ssm get-parameter --region us-east-1 --name ci.dd-sdk-android.signing.gpg_public_key --with-decryption --query "Parameter.Value" --out text | gpg --import --import-options show-only | grep -E -o -e "[A-F0-9]{40}")
 
 # CI IMAGE
 

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/verification/GenerateVerificationXmlTask.kt

@@ -37,40 +37,39 @@ open class GenerateVerificationXmlTask : DefaultTask() {
         val pomFile = File(publicationReleaseDir, "pom-default.xml")
         val moduleFile = File(publicationReleaseDir, "module.json")
 
-        val aarSha256 = aarFile.sha256()
-        val pomSha256 = pomFile.sha256()
-        val moduleSha256 = moduleFile.sha256()
+        val filesWithExt = mapOf(
+            aarFile to "aar",
+            pomFile to "pom",
+            moduleFile to "module"
+        )
+
+        val publicKey = System.getenv("GPG_PUBLIC_FINGERPRINT")
+        val hasPublicKey = !publicKey.isNullOrBlank()
 
         val content = xml(TAG_ROOT) {
             xmlns = NS_DEPS_VERIF
             TAG_CONFIGURATION {
-                TAG_VERIF_METADATA { -true.toString() }
-                TAG_VERIF_SIGNATURE { -false.toString() } // TODO RUM-3104 add signature verification
+                TAG_VERIF_METADATA { text(true.toString()) }
+                TAG_VERIF_SIGNATURES { text(hasPublicKey.toString()) }
             }
             TAG_COMPONENTS {
                 TAG_COMPONENT {
                     attribute(ATTR_GROUP, project.group)
                     attribute(ATTR_NAME, project.name)
                     attribute(ATTR_VERSION, AndroidConfig.VERSION.name)
-                    TAG_ARTIFACT {
-                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.aar")
-                        TAG_SHA256 {
-                            attribute(ATTR_VALUE, aarSha256)
-                            attribute(ATTR_ORIGIN, ORIGIN)
-                        }
-                    }
-                    TAG_ARTIFACT {
-                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.pom")
-                        TAG_SHA256 {
-                            attribute(ATTR_VALUE, pomSha256)
-                            attribute(ATTR_ORIGIN, ORIGIN)
-                        }
-                    }
-                    TAG_ARTIFACT {
-                        attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.module")
-                        TAG_SHA256 {
-                            attribute(ATTR_VALUE, moduleSha256)
-                            attribute(ATTR_ORIGIN, ORIGIN)
+
+                    filesWithExt.forEach { (file, ext) ->
+                        TAG_ARTIFACT {
+                            attribute(ATTR_NAME, "${project.name}-${AndroidConfig.VERSION.name}.$ext")
+                            TAG_SHA256 {
+                                attribute(ATTR_VALUE, file.sha256())
+                                attribute(ATTR_ORIGIN, ORIGIN)
+                            }
+                            if (hasPublicKey) {
+                                TAG_PGP {
+                                    attribute(ATTR_VALUE, publicKey)
+                                }
+                            }
                         }
                     }
                 }
@@ -104,10 +103,11 @@ open class GenerateVerificationXmlTask : DefaultTask() {
         private const val TAG_ROOT = "verification-metadata"
         private const val TAG_CONFIGURATION = "configuration"
         private const val TAG_VERIF_METADATA = "verify-metadata"
-        private const val TAG_VERIF_SIGNATURE = "verify-signature"
+        private const val TAG_VERIF_SIGNATURES = "verify-signatures"
         private const val TAG_COMPONENTS = "components"
         private const val TAG_COMPONENT = "component"
         private const val TAG_SHA256 = "sha256"
+        private const val TAG_PGP = "pgp"
 
         private const val TAG_ARTIFACT = "artifact"
         private const val ATTR_GROUP = "group"
@@ -116,6 +116,6 @@ open class GenerateVerificationXmlTask : DefaultTask() {
         private const val ATTR_VALUE = "value"
         private const val ATTR_ORIGIN = "origin"
 
-        private const val ORIGIN = "Datadog"
+        private const val ORIGIN = "Datadog official GitHub release"
     }
 }

buildSrc/src/main/kotlin/com/datadog/gradle/plugin/verification/VerificationXmlPlugin.kt

@@ -21,7 +21,7 @@ class VerificationXmlPlugin : Plugin<Project> {
             genTask.dependsOn("sourceReleaseJar")
             genTask.dependsOn("generatePomFileForReleasePublication")
             genTask.dependsOn("generateMetadataFileForReleasePublication")
-            // TODO RUM-3104 depends on "signReleasePublication"
+            genTask.dependsOn("signReleasePublication")
 
             getTasksByName("publishToSonatype", false).forEach {
                 it.dependsOn(genTask)

merge_verification_metadata.py

@@ -37,7 +37,7 @@ def run_main() -> int:
     metadata.text = "true"
     configuration.insert(0, metadata)
     signatures = ET.Element(SIGNATURES_TAG)
-    signatures.text = "false" # TODO RUM-3104 also copy signatures content
+    signatures.text = "true"
     configuration.insert(1, signatures)
     root.insert(0, configuration)