[MRESOLVER-301] Addendum (apache#436)

Just simplify, cleanup things, and use fingerprint instead of phased out keyID.

---

https://issues.apache.org/jira/browse/MRESOLVER-301

Author: cstamas

maven-resolver-generator-gnupg/pom.xml

@@ -35,9 +35,8 @@
     <Automatic-Module-Name>org.apache.maven.resolver.generator.gnupg</Automatic-Module-Name>
     <Bundle-SymbolicName>${Automatic-Module-Name}</Bundle-SymbolicName>
 
-    <bouncycastleVersion>1.77</bouncycastleVersion>
-
     <javaVersion>17</javaVersion>
+    <bouncycastleVersion>1.77</bouncycastleVersion>
   </properties>
 
   <dependencies>

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/GnupgConfigurationKeys.java

@@ -45,12 +45,13 @@ private GnupgConfigurationKeys() {}
     public static final boolean DEFAULT_ENABLED = false;
 
     /**
-     * The PGP KeyID, optional. If not set, first secret key found will be used.
+     * The PGP Key fingerprint as hex string (40 characters long), optional. If not set, first secret key found will
+     * be used.
      *
      * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
-     * @configurationType {@link Long}
+     * @configurationType {@link String}
      */
-    public static final String CONFIG_PROP_KEY_ID = CONFIG_PROPS_PREFIX + "keyId";
+    public static final String CONFIG_PROP_KEY_FINGERPRINT = CONFIG_PROPS_PREFIX + "keyFingerprint";
 
     /**
      * The path to the OpenPGP transferable secret key file. If relative, is resolved from local repository root.
@@ -86,7 +87,7 @@ private GnupgConfigurationKeys() {}
     public static final String RESOLVER_GPG_KEY = "RESOLVER_GPG_KEY";
 
     /**
-     * Env variable name to pass in key ID.
+     * Env variable name to pass in key fingerprint (hex encoded, 40 characters long).
      */
-    public static final String RESOLVER_GPG_KEY_ID = "RESOLVER_GPG_KEY_ID";
+    public static final String RESOLVER_GPG_KEY_FINGERPRINT = "RESOLVER_GPG_KEY_FINGERPRINT";
 }

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/GnupgSignatureArtifactGeneratorFactory.java

@@ -27,10 +27,11 @@
 import java.io.UncheckedIOException;
 import java.time.LocalDateTime;
 import java.time.ZoneId;
+import java.util.Arrays;
 import java.util.Collection;
+import java.util.List;
 import java.util.Map;
 import java.util.function.Predicate;
-import java.util.stream.Collectors;
 
 import org.bouncycastle.bcpg.SymmetricKeyAlgorithmTags;
 import org.bouncycastle.openpgp.*;
@@ -65,9 +66,9 @@ default byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOExc
         }
 
         /**
-         * Returns the key ID, or {@code null}.
+         * Returns the key fingerprint, or {@code null}.
          */
-        default Long loadKeyId(RepositorySystemSession session) throws IOException {
+        default byte[] loadKeyFingerprint(RepositorySystemSession session) throws IOException {
             return null;
         }
 
@@ -93,45 +94,38 @@ public GnupgSignatureArtifactGeneratorFactory(
 
     @Override
     public ArtifactGenerator newInstance(RepositorySystemSession session, InstallRequest request) {
-        return createArtifactGenerator(session, request.getArtifacts());
+        return null;
     }
 
     @Override
     public ArtifactGenerator newInstance(RepositorySystemSession session, DeployRequest request) {
-        return createArtifactGenerator(session, request.getArtifacts());
-    }
-
-    @Override
-    public float getPriority() {
-        return 100;
-    }
-
-    private ArtifactGenerator createArtifactGenerator(RepositorySystemSession session, Collection<Artifact> artifacts) {
         final boolean enabled = ConfigUtils.getBoolean(
                 session, GnupgConfigurationKeys.DEFAULT_ENABLED, GnupgConfigurationKeys.CONFIG_PROP_ENABLED);
         if (!enabled) {
             return null;
         }
 
         try {
-            return doCreateSigner(session, artifacts, artifactPredicateFactory.newInstance(session)::hasChecksums);
+            return doCreateArtifactGenerator(
+                    session, request.getArtifacts(), artifactPredicateFactory.newInstance(session)::hasChecksums);
         } catch (IOException e) {
             throw new UncheckedIOException(e);
         }
     }
 
-    private Collection<Loader> loaders(RepositorySystemSession session) {
-        boolean interactive = ConfigUtils.getBoolean(
-                session, ConfigurationProperties.DEFAULT_INTERACTIVE, ConfigurationProperties.INTERACTIVE);
-        return loaders.values().stream()
-                .filter(l -> interactive || !l.isInteractive())
-                .collect(Collectors.toList());
+    @Override
+    public float getPriority() {
+        return 100;
     }
 
-    private GnupgSignatureArtifactGenerator doCreateSigner(
+    private GnupgSignatureArtifactGenerator doCreateArtifactGenerator(
             RepositorySystemSession session, Collection<Artifact> artifacts, Predicate<Artifact> artifactPredicate)
             throws IOException {
-        Collection<Loader> loaders = loaders(session);
+        boolean interactive = ConfigUtils.getBoolean(
+                session, ConfigurationProperties.DEFAULT_INTERACTIVE, ConfigurationProperties.INTERACTIVE);
+        List<Loader> loaders = this.loaders.values().stream()
+                .filter(l -> interactive || !l.isInteractive())
+                .toList();
 
         byte[] keyRingMaterial = null;
         for (Loader loader : loaders) {
@@ -144,10 +138,10 @@ private GnupgSignatureArtifactGenerator doCreateSigner(
             throw new IllegalArgumentException("Key ring material not found");
         }
 
-        Long keyId = null;
+        byte[] fingerprint = null;
         for (Loader loader : loaders) {
-            keyId = loader.loadKeyId(session);
-            if (keyId != null) {
+            fingerprint = loader.loadKeyFingerprint(session);
+            if (fingerprint != null) {
                 break;
             }
         }
@@ -158,12 +152,10 @@ private GnupgSignatureArtifactGenerator doCreateSigner(
                     new BcKeyFingerprintCalculator());
 
             PGPSecretKey secretKey = null;
-            if (keyId != null) {
-                secretKey = pgpSecretKeyRingCollection.getSecretKey(keyId);
-            } else {
-                for (PGPSecretKeyRing ring : pgpSecretKeyRingCollection) {
-                    for (PGPSecretKey key : ring) {
-                        if (!key.isPrivateKeyEmpty()) {
+            for (PGPSecretKeyRing ring : pgpSecretKeyRingCollection) {
+                for (PGPSecretKey key : ring) {
+                    if (!key.isPrivateKeyEmpty()) {
+                        if (fingerprint == null || Arrays.equals(fingerprint, key.getFingerprint())) {
                             secretKey = key;
                             break;
                         }

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/loaders/GpgConfLoader.java

@@ -26,6 +26,7 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 
+import org.bouncycastle.util.encoders.Hex;
 import org.eclipse.aether.RepositorySystemSession;
 import org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys;
 import org.eclipse.aether.generator.gnupg.GnupgSignatureArtifactGeneratorFactory;
@@ -34,7 +35,7 @@
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.CONFIG_PROP_KEY_ID;
+import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.CONFIG_PROP_KEY_FINGERPRINT;
 
 /**
  * Loader that looks for configuration.
@@ -78,10 +79,15 @@ public byte[] loadKeyRingMaterial(RepositorySystemSession session) throws IOExce
     }
 
     @Override
-    public Long loadKeyId(RepositorySystemSession session) {
-        String keyIdStr = ConfigUtils.getString(session, null, CONFIG_PROP_KEY_ID);
-        if (keyIdStr != null) {
-            return Long.parseLong(keyIdStr);
+    public byte[] loadKeyFingerprint(RepositorySystemSession session) {
+        String keyFingerprint = ConfigUtils.getString(session, null, CONFIG_PROP_KEY_FINGERPRINT);
+        if (keyFingerprint != null) {
+            if (keyFingerprint.trim().length() == 40) {
+                return Hex.decode(keyFingerprint);
+            } else {
+                throw new IllegalArgumentException(
+                        "Key fingerprint configuration is wrong (hex encoded, 40 characters)");
+            }
         }
         return null;
     }

maven-resolver-generator-gnupg/src/main/java/org/eclipse/aether/generator/gnupg/loaders/GpgEnvLoader.java

@@ -23,13 +23,13 @@
 
 import java.nio.charset.StandardCharsets;
 
+import org.bouncycastle.util.encoders.Hex;
 import org.eclipse.aether.RepositorySystemSession;
-import org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys;
 import org.eclipse.aether.generator.gnupg.GnupgSignatureArtifactGeneratorFactory;
 import org.eclipse.aether.util.ConfigUtils;
 import org.eclipse.sisu.Priority;
 
-import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.RESOLVER_GPG_KEY_ID;
+import static org.eclipse.aether.generator.gnupg.GnupgConfigurationKeys.*;
 
 /**
  * Loader that looks for environment variables.
@@ -48,26 +48,30 @@ public boolean isInteractive() {
 
     @Override
     public byte[] loadKeyRingMaterial(RepositorySystemSession session) {
-        String keyMaterial = ConfigUtils.getString(session, null, "env." + GnupgConfigurationKeys.RESOLVER_GPG_KEY);
+        String keyMaterial = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY);
         if (keyMaterial != null) {
             return keyMaterial.getBytes(StandardCharsets.UTF_8);
         }
         return null;
     }
 
     @Override
-    public Long loadKeyId(RepositorySystemSession session) {
-        String keyIdStr = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY_ID);
-        if (keyIdStr != null) {
-            return Long.parseLong(keyIdStr);
+    public byte[] loadKeyFingerprint(RepositorySystemSession session) {
+        String keyFingerprint = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY_FINGERPRINT);
+        if (keyFingerprint != null) {
+            if (keyFingerprint.trim().length() == 40) {
+                return Hex.decode(keyFingerprint);
+            } else {
+                throw new IllegalArgumentException(
+                        "Key fingerprint configuration is wrong (hex encoded, 40 characters)");
+            }
         }
         return null;
     }
 
     @Override
     public char[] loadPassword(RepositorySystemSession session, long keyId) {
-        String keyPassword =
-                ConfigUtils.getString(session, null, "env." + GnupgConfigurationKeys.RESOLVER_GPG_KEY_PASS);
+        String keyPassword = ConfigUtils.getString(session, null, "env." + RESOLVER_GPG_KEY_PASS);
         if (keyPassword != null) {
             return keyPassword.toCharArray();
         }

maven-resolver-generator-gnupg/src/test/java/org/eclipse/aether/generator/gnupg/GpgSignerFactoryTest.java

@@ -26,6 +26,7 @@
 import java.util.Collections;
 import java.util.LinkedHashMap;
 
+import org.bouncycastle.util.encoders.DecoderException;
 import org.eclipse.aether.ConfigurationProperties;
 import org.eclipse.aether.DefaultRepositorySystemSession;
 import org.eclipse.aether.RepositorySystemSession;
@@ -40,9 +41,7 @@
 import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 
-import static org.junit.jupiter.api.Assertions.assertEquals;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
-import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
@@ -72,12 +71,20 @@ private GnupgSignatureArtifactGeneratorFactory createFactory() throws Exception
     }
 
     private RepositorySystemSession createSession(Path keyFilePath, String keyPass, boolean interactive) {
+        return createSession(keyFilePath, keyPass, null, interactive);
+    }
+
+    private RepositorySystemSession createSession(
+            Path keyFilePath, String keyPass, String keyFingerprint, boolean interactive) {
         DefaultRepositorySystemSession session = TestUtils.newSession();
         session.setConfigProperty(GnupgConfigurationKeys.CONFIG_PROP_ENABLED, Boolean.TRUE);
         session.setConfigProperty(GnupgConfigurationKeys.CONFIG_PROP_KEY_FILE_PATH, keyFilePath.toString());
         if (keyPass != null) {
             session.setConfigProperty("env." + GnupgConfigurationKeys.RESOLVER_GPG_KEY_PASS, keyPass);
         }
+        if (keyFingerprint != null) {
+            session.setConfigProperty("env." + GnupgConfigurationKeys.RESOLVER_GPG_KEY_FINGERPRINT, keyFingerprint);
+        }
         session.setConfigProperty(ConfigurationProperties.INTERACTIVE, interactive);
         return session;
     }
@@ -171,6 +178,71 @@ void signNonInteractive() throws Exception {
         }
     }
 
+    @Test
+    void signNonInteractiveWithSelectedKey() throws Exception {
+        Path keyFile =
+                Paths.get("src/test/resources/gpg-signing/gpg-secret.key").toAbsolutePath();
+        String keyPass = "TheBigSecret";
+        GnupgSignatureArtifactGeneratorFactory factory = createFactory();
+        try (ArtifactGenerator signer = factory.newInstance(
+                createSession(keyFile, keyPass, "6D27BDA430672EC700BA7DBD0A32C01AE8785B6E", false),
+                new DeployRequest())) {
+            assertNotNull(signer);
+            Path artifactPath = Paths.get("src/test/resources/gpg-signing/artifact.txt");
+            Collection<? extends Artifact> signatures = signer.generate(Collections.singleton(
+                    new DefaultArtifact("org.apache.maven.resolver:test:1.0").setPath(artifactPath)));
+
+            // one signature expected for one relevant artifact
+            assertEquals(1, signatures.size());
+            Path signaturePath = signatures.iterator().next().getPath();
+
+            // cannot assert file size due OS differences, so just count the lines instead: those should be same
+            assertEquals(8, Files.lines(signaturePath).count());
+
+            // TODO: validate the signature
+        }
+    }
+
+    @Test
+    void signNonInteractiveWithSelectedKeyWrongFingerprint() throws Exception {
+        Path keyFile =
+                Paths.get("src/test/resources/gpg-signing/gpg-secret.key").toAbsolutePath();
+        String keyPass = "TheBigSecret";
+        GnupgSignatureArtifactGeneratorFactory factory = createFactory();
+
+        assertThrows(
+                IllegalArgumentException.class,
+                () -> factory.newInstance(
+                        createSession(keyFile, keyPass, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", false),
+                        new DeployRequest()));
+    }
+
+    @Test
+    void signNonInteractiveWithSelectedKeyMalformedFingerprint1() throws Exception {
+        Path keyFile =
+                Paths.get("src/test/resources/gpg-signing/gpg-secret.key").toAbsolutePath();
+        String keyPass = "TheBigSecret";
+        GnupgSignatureArtifactGeneratorFactory factory = createFactory();
+
+        assertThrows(
+                IllegalArgumentException.class,
+                () -> factory.newInstance(createSession(keyFile, keyPass, "abcd", false), new DeployRequest()));
+    }
+
+    @Test
+    void signNonInteractiveWithSelectedKeyMalformedFingerprint2() throws Exception {
+        Path keyFile =
+                Paths.get("src/test/resources/gpg-signing/gpg-secret.key").toAbsolutePath();
+        String keyPass = "TheBigSecret";
+        GnupgSignatureArtifactGeneratorFactory factory = createFactory();
+
+        assertThrows(
+                DecoderException.class,
+                () -> factory.newInstance(
+                        createSession(keyFile, keyPass, "ZAZUFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF", false),
+                        new DeployRequest()));
+    }
+
     /**
      * This test is disabled by default as it is interactive and would use Gpg Agent.
      * <p>

src/site/markdown/configuration.md

@@ -51,7 +51,7 @@ under the License.
 | 24. | `"aether.generator.gpg.agentSocketLocations"` | `String` | The GnuPG agent socket(s) to try. Comma separated list of socket paths. If relative, will be resolved from user home directory. |  `".gnupg/S.gpg-agent"`  | 2.0.0 |  No  | Session Configuration |
 | 25. | `"aether.generator.gpg.enabled"` | `Boolean` | Whether GnuPG signer is enabled. |  `false`  | 2.0.0 |  No  | Session Configuration |
 | 26. | `"aether.generator.gpg.keyFilePath"` | `String` | The path to the OpenPGP transferable secret key file. If relative, is resolved from local repository root. |  `"maven-signing-key.key"`  | 2.0.0 |  No  | Session Configuration |
-| 27. | `"aether.generator.gpg.keyId"` | `Long` | The PGP KeyID, optional. If not set, first secret key found will be used. |  -  | 2.0.0 |  No  | Session Configuration |
+| 27. | `"aether.generator.gpg.keyFingerprint"` | `String` | The PGP Key fingerprint as hex string (40 characters long), optional. If not set, first secret key found will be used. |  -  | 2.0.0 |  No  | Session Configuration |
 | 28. | `"aether.interactive"` | `java.lang.Boolean` | A flag indicating whether interaction with the user is allowed. |  `false`  |  |  No  | Session Configuration |
 | 29. | `"aether.layout.maven2.checksumAlgorithms"` | `java.lang.String` | Comma-separated list of checksum algorithms with which checksums are validated (downloaded) and generated (uploaded) with this layout. Resolver by default supports following algorithms: MD5, SHA-1, SHA-256 and SHA-512. New algorithms can be added by implementing ChecksumAlgorithmFactory component. |  `"SHA-1,MD5"`  | 1.8.0 |  Yes  | Session Configuration |
 | 30. | `"aether.lrm.enhanced.localPrefix"` | `java.lang.String` | The prefix to use for locally installed artifacts. |  `"installed"`  | 1.8.1 |  No  | Session Configuration |