Add signing support in publish command

Using both gpg and bouncycastle

Author: alexarchambault

build.sc

@@ -317,6 +317,8 @@ class Core(val crossScalaVersion: String) extends BuildLikeModule {
          |
          |  def defaultGraalVMJavaVersion = ${deps.graalVmJavaVersion}
          |  def defaultGraalVMVersion = "${deps.graalVmVersion}"
+         |
+         |  def scalaCliSigningVersion = "${Deps.signingCli.dep.version}"
          |}
          |""".stripMargin
     if (!os.isFile(dest) || os.read(dest) != code)
@@ -391,7 +393,10 @@ class Options(val crossScalaVersion: String) extends BuildLikeModule {
     super.scalacOptions() ++ asyncScalacOptions(scalaVersion())
   }
 
-  def ivyDeps = super.ivyDeps() ++ Agg(Deps.bloopConfig)
+  def ivyDeps = super.ivyDeps() ++ Agg(
+    Deps.bloopConfig,
+    Deps.signingCliShared
+  )
 
   object test extends Tests {
     // uncomment below to debug tests in attach mode on 5005 port
@@ -470,9 +475,15 @@ class Build(val crossScalaVersion: String) extends BuildLikeModule {
 }
 
 trait CliOptions extends SbtModule with ScalaCliPublishModule with settings.ScalaCliCompile {
-  def ivyDeps =
-    super.ivyDeps() ++ Agg(Deps.caseApp, Deps.jsoniterCore, Deps.jsoniterMacros, Deps.osLib)
+  def ivyDeps = super.ivyDeps() ++ Agg(
+    Deps.caseApp,
+    Deps.jsoniterCore,
+    Deps.jsoniterMacros,
+    Deps.osLib,
+    Deps.signingCliShared
+  )
   def scalaVersion = Scala.defaultInternal
+  def repositories = super.repositories ++ customRepositories
 }
 
 trait Cli extends SbtModule with CliLaunchers with ScalaCliPublishModule with FormatNativeImageConf
@@ -501,6 +512,7 @@ trait Cli extends SbtModule with CliLaunchers with ScalaCliPublishModule with Fo
     Deps.jniUtils,
     Deps.jsoniterCore,
     Deps.scalaPackager,
+    Deps.signingCli,
     Deps.metaconfigTypesafe
   )
   def compileIvyDeps = super.compileIvyDeps() ++ Agg(
@@ -535,15 +547,22 @@ trait CliIntegrationBase extends SbtModule with ScalaCliPublishModule with HasTe
     super.scalacOptions() ++ Seq("-Xasync", "-Ywarn-unused", "-deprecation")
   }
 
-  def sources = T.sources {
+  def modulesPath = T {
     val name                = mainArtifactName().stripPrefix(prefix)
     val baseIntegrationPath = os.Path(millSourcePath.toString.stripSuffix(name))
-    val modulesPath = os.Path(
+    val p = os.Path(
       baseIntegrationPath.toString.stripSuffix(baseIntegrationPath.baseName)
     )
-    val mainPath = PathRef(modulesPath / "integration" / "src" / "main" / "scala")
+    PathRef(p)
+  }
+  def sources = T.sources {
+    val mainPath = PathRef(modulesPath().path / "integration" / "src" / "main" / "scala")
     super.sources() ++ Seq(mainPath)
   }
+  def resources = T.sources {
+    val mainPath = PathRef(modulesPath().path / "integration" / "src" / "main" / "resources")
+    super.resources() ++ Seq(mainPath)
+  }
 
   def ivyDeps = super.ivyDeps() ++ Agg(
     Deps.osLib
@@ -566,15 +585,23 @@ trait CliIntegrationBase extends SbtModule with ScalaCliPublishModule with HasTe
       "SCALA_CLI_TMP"  -> tmpDirBase().path.toString,
       "CI"             -> "1"
     )
+    private def updateRef(name: String, ref: PathRef): PathRef = {
+      val rawPath = ref.path.toString.replace(
+        File.separator + name + File.separator,
+        File.separator
+      )
+      PathRef(os.Path(rawPath))
+    }
     def sources = T.sources {
       val name = mainArtifactName().stripPrefix(prefix)
       super.sources().flatMap { ref =>
-        val rawPath = ref.path.toString.replace(
-          File.separator + name + File.separator,
-          File.separator
-        )
-        val base = PathRef(os.Path(rawPath))
-        Seq(base, ref)
+        Seq(updateRef(name, ref), ref)
+      }
+    }
+    def resources = T.sources {
+      val name = mainArtifactName().stripPrefix(prefix)
+      super.resources().flatMap { ref =>
+        Seq(updateRef(name, ref), ref)
       }
     }
 

modules/cli-options/src/main/scala/scala/cli/commands/PublishOptions.scala

@@ -2,6 +2,9 @@ package scala.cli.commands
 
 import caseapp._
 
+import scala.cli.internal.PasswordOptionParsers._
+import scala.cli.signing.shared.PasswordOption
+
 // format: off
 final case class PublishOptions(
   @Recurse
@@ -65,7 +68,36 @@ final case class PublishOptions(
 
   @Group("Publishing")
   @HelpMessage("Whether to build and publish source JARs")
-    sources: Option[Boolean] = None
+    sources: Option[Boolean] = None,
+
+  @Group("Publishing")
+  @HelpMessage("ID of the GPG key to use to sign artifacts")
+  @ValueDescription("key-id")
+  @ExtraName("K")
+    gpgKey: Option[String] = None,
+
+  @Group("Publishing")
+  @HelpMessage("Secret key to use to sign artifacts with BouncyCastle")
+  @ValueDescription("path")
+    secretKey: Option[String] = None,
+
+  @Group("Publishing")
+  @HelpMessage("Password of secret key to use to sign artifacts with BouncyCastle")
+  @ValueDescription("value:…")
+  @ExtraName("secretKeyPass")
+    secretKeyPassword: Option[PasswordOption] = None,
+
+  @Group("Publishing")
+  @HelpMessage("Method to use to sign artifacts")
+  @ValueDescription("gpg|bc")
+    signer: Option[String] = None,
+
+  @Group("Publishing")
+  @HelpMessage("gpg command-line options")
+  @ValueDescription("argument")
+  @ExtraName("G")
+  @ExtraName("gpgOpt")
+    gpgOption: List[String] = Nil
 )
 // format: on
 

modules/cli-options/src/main/scala/scala/cli/internal/PasswordOptionParsers.scala

@@ -0,0 +1,44 @@
+package scala.cli.internal
+
+import caseapp.core.argparser.{ArgParser, SimpleArgParser}
+import com.github.plokhotnyuk.jsoniter_scala.core._
+import com.github.plokhotnyuk.jsoniter_scala.macros._
+
+import scala.cli.signing.shared.{PasswordOption, Secret}
+
+abstract class LowPriorityPasswordOptionParsers {
+
+  private lazy val commandCodec: JsonValueCodec[List[String]] =
+    JsonCodecMaker.make
+
+  implicit lazy val argParser: ArgParser[PasswordOption] =
+    SimpleArgParser.from("password") { str =>
+      if (str.startsWith("value:"))
+        Right(PasswordOption.Value(Secret(str.stripPrefix("value:"))))
+      else if (str.startsWith("command:["))
+        try {
+          val command = readFromString(str.stripPrefix("command:"))(commandCodec)
+          Right(PasswordOption.Command(command))
+        }
+        catch {
+          case e: JsonReaderException =>
+            Left(caseapp.core.Error.Other(s"Error decoding password command: ${e.getMessage}"))
+        }
+      else if (str.startsWith("command:")) {
+        val command = str.stripPrefix("command:").split("\\s+").toSeq
+        Right(PasswordOption.Command(command))
+      }
+      else
+        Left(caseapp.core.Error.Other("Malformed password value (expected \"value:...\")"))
+    }
+
+}
+
+object PasswordOptionParsers extends LowPriorityPasswordOptionParsers {
+
+  implicit lazy val optionArgParser: ArgParser[Option[PasswordOption]] =
+    SimpleArgParser.from("password") { str =>
+      if (str.trim.isEmpty) Right(None)
+      else argParser(None, -1, -1, str).map(Some(_))
+    }
+}

modules/cli/src/main/java/scala/cli/commands/pgp/PgpCommandsSubst.java

@@ -0,0 +1,22 @@
+package scala.cli.commands.pgp;
+
+import com.oracle.svm.core.annotate.Substitute;
+import com.oracle.svm.core.annotate.TargetClass;
+import scala.cli.commands.ScalaCommand;
+import scala.cli.commands.pgp.ExternalCommand;
+
+@TargetClass(className = "scala.cli.commands.pgp.PgpCommands")
+final class PgpCommandsSubst {
+  @Substitute
+  ScalaCommand<?>[] allScalaCommands() {
+    return new ScalaCommand<?>[0];
+  }
+  @Substitute
+  ExternalCommand[] allExternalCommands() {
+    return new ExternalCommand[] {
+      new PgpCreateExternal(),
+      new PgpSignExternal(),
+      new PgpVerifyExternal()
+    };
+  }
+}

modules/cli/src/main/java/scala/cli/internal/BouncycastleSignerMakerSubst.java

@@ -0,0 +1,27 @@
+package scala.cli.internal;
+
+import com.oracle.svm.core.annotate.Substitute;
+import com.oracle.svm.core.annotate.TargetClass;
+import coursier.publish.signing.Signer;
+
+import java.nio.file.Path;
+import java.util.function.Supplier;
+
+import scala.build.Logger;
+import scala.cli.publish.BouncycastleExternalSigner$;
+import scala.cli.signing.shared.PasswordOption;
+
+@TargetClass(className = "scala.cli.publish.BouncycastleSignerMaker")
+final class BouncycastleSignerMakerSubst {
+
+  @Substitute
+  Signer get(PasswordOption passwordOrNull, Path secretKey, Supplier<Path> launcher, Logger logger) {
+    return BouncycastleExternalSigner$.MODULE$.apply(secretKey, passwordOrNull, launcher.get(), logger);
+  }
+
+  @Substitute
+  void maybeInit() {
+    // do nothing
+  }
+
+}

modules/cli/src/main/scala/scala/cli/ScalaCli.scala

@@ -9,6 +9,7 @@ import java.nio.charset.StandardCharsets
 import scala.build.internal.Constants
 import scala.cli.internal.Argv0
 import scala.cli.launcher.{LauncherCli, LauncherOptions}
+import scala.cli.publish.BouncycastleSignerMaker
 import scala.util.Properties
 
 object ScalaCli {
@@ -129,6 +130,8 @@ object ScalaCli {
     val (systemProps, scalaCliArgs) = partitionArgs(remainingArgs)
     setSystemProps(systemProps)
 
+    (new BouncycastleSignerMaker).maybeInit()
+
     CacheUrl.setupProxyAuth()
 
     // Getting killed by SIGPIPE quite often when on musl (in the "static" native

modules/cli/src/main/scala/scala/cli/ScalaCliCommands.scala

@@ -6,6 +6,7 @@ import caseapp.core.help.{Help, RuntimeCommandsHelp}
 import java.nio.file.InvalidPathException
 
 import scala.cli.commands._
+import scala.cli.commands.pgp.PgpCommands
 
 class ScalaCliCommands(
   val progName: String,
@@ -14,6 +15,8 @@ class ScalaCliCommands(
 
   lazy val actualDefaultCommand = new Default(help)
 
+  private def pgpCommands = new PgpCommands
+
   private def allCommands = Seq[ScalaCommand[_]](
     new About(isSipScala = isSipScala),
     AddPath,
@@ -39,9 +42,11 @@ class ScalaCliCommands(
     Test,
     Update,
     Version
-  )
+  ) ++ pgpCommands.allScalaCommands
 
-  def commands = allCommands.filter(c => !isSipScala || c.inSipScala)
+  def commands =
+    allCommands.filter(c => !isSipScala || c.inSipScala) ++
+      pgpCommands.allExternalCommands
 
   override def description =
     "Scala CLI is a command-line tool to interact with the Scala language. It lets you compile, run, test, and package your Scala code."