Use gpg signature

Author: adangel

.ci/README.md

@@ -1,53 +1,30 @@
 # Build Scripts for pmd-eclipse-plugin
 
-## JAR Signing
+## GPG Signing
 
-Same solution as <https://github.com/spotbugs/spotbugs/issues/779>, using the Let's Encrypt certificate
-for pmd-code.org:
+Since 7.9.0, the plugin is signed with the same GPG key, that is used to sign the main PMD artifacts
+for maven central.
 
-```
-$ export CI_SIGN_PASSPHRASE=...
-$ openssl pkcs12 -export -in Lets_Encrypt_pmd-code.org_2024-09-26.pem \
-    -name eclipse-plugin \
-    -password env:CI_SIGN_PASSPHRASE \
-    -out pmd-eclipse-plugin.p12 \
-    -legacy
-$ jarsigner -verbose \
-  -keystore .ci/files/pmd-eclipse-plugin.p12 \
-  -storepass changeit \
-  -keypass changeit \
-  -tsa http://timestamp.digicert.com \
-  path/to/plugin-jar.jar \
-  eclipse-plugin
-```
+See <https://github.com/pmd/build-tools/blob/main/scripts/files/release-signing-key-D0BF1D737C9A1C22.asc>.
 
-Note: The file "Lets_Encrypt_pmd-code.org_2024-09-26.pem" contains the private key, the certificate
-and intermediate certificates.
+Tycho's [GPG Plugin](https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html)
+is used for that.
 
-Note: with openssl 3, the option `-legacy` is required in order to use the pkcs12 keystore with java8.
-See <https://stackoverflow.com/questions/69170537/is-openssl-v3-0-0-compatible-with-v1-1-1>
+There is no need anymore to use jar signer and use a real Let's Encrypt certificate.
 
-The file `pmd-eclipse-plugin.p12` is stored as `.ci/files/pmd-eclipse-plugin.p12.asc`, encrypted with PMD_CI_SECRET_PASSPHRASE.
+**How it works:**
 
-Encrypt it via:
+* During build setup, `.m2/settings.xml` contains properties for signing:
+  ```xml
+    <profile>
+      <id>sign</id>
+      <properties>
+        <gpg.keyname>${env.CI_SIGN_KEYNAME}</gpg.keyname>
+        <gpg.passphrase>${env.CI_SIGN_PASSPHRASE}</gpg.passphrase>
+      </properties>
+    </profile>
+  ```
+* These environment variables (`CI_SIGN_KEYNAME`) are set by `pmd_ci_setup_secrets_private_env`
+  which is called by `build.sh` (but not for pull requests).
 
-    printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
-      --passphrase-fd 0 \
-      pmd-eclipse-plugin.p12
-
-Decrypt it via:
-
-    printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --yes --decrypt \
-        --passphrase-fd 0 \
-        --output pmd-eclipse-plugin.p12 pmd-eclipse-plugin.p12.asc
-    chmod 600 pmd-eclipse-plugin.p12
-
-Signing the jar manually via `jarsigner` is difficult, since it changes the jar file and the p2 repo metadata
-fails with the wrong checksum. Therefore jarsigning is integrated via [maven-jarsigner-plugin](https://maven.apache.org/plugins/maven-jarsigner-plugin/). See also <https://stackoverflow.com/questions/7956267/tycho-jar-signing>.
-
-Note: The Let's Encrypt certificate is valid until 2024-12-25. But while signing a digital timestamp is created
-using [DigiCert's Timestamp Server](https://knowledge.digicert.com/generalinformation/INFO4231.html). That's
-why the signature is valid longer than the certificate.
-
-Note: Eclipse 2022-03 seems to check now the expiration date of the certificates.
-See <https://bugs.eclipse.org/bugs/show_bug.cgi?id=578024>.
+* The tycho gpg plugin is activated only when profile `sign` is activated.

.ci/build.sh

@@ -51,7 +51,6 @@ function build() {
         pmd_ci_setup_secrets_private_env
         pmd_ci_setup_secrets_ssh
         pmd_ci_maven_setup_settings
-        extract_keystore
     pmd_ci_log_group_end
 
     if pmd_ci_maven_isSnapshotBuild; then
@@ -68,17 +67,10 @@ function snapshot_build() {
     pmd_ci_log_group_start "Snapshot Build: ${PMD_CI_MAVEN_PROJECT_VERSION}"
         pmd_ci_log_info "This is a snapshot build on branch ${PMD_CI_BRANCH} (version: ${PMD_CI_MAVEN_PROJECT_VERSION})"
 
-        # Build 1 - without signing but with tests
-        ${xvfb_cmd} ./mvnw clean verify \
-            --show-version --errors --batch-mode --no-transfer-progress \
-            -Dtarget.platform=${TARGET_PLATFORM}
-
-        # Build 2 - with signing, but skipping tests, pmd, checkstyle
         ${xvfb_cmd} ./mvnw clean verify \
             --show-version --errors --batch-mode --no-transfer-progress \
             --activate-profiles sign \
-            -Dtarget.platform=${TARGET_PLATFORM} \
-            -Dpmd.skip=true -DskipTests -Dcheckstyle.skip
+            -Dtarget.platform=${TARGET_PLATFORM}
 
         # Upload update site to sourceforge
         local qualifiedVersion
@@ -125,17 +117,10 @@ function release_build() {
     pmd_ci_log_group_start "Release Build: ${PMD_CI_MAVEN_PROJECT_VERSION}"
         pmd_ci_log_info "This is a release build for tag ${PMD_CI_TAG} (version: ${PMD_CI_MAVEN_PROJECT_VERSION})"
 
-        # Build 1 - without signing but with tests
-        ${xvfb_cmd} ./mvnw clean verify \
-            --show-version --errors --batch-mode --no-transfer-progress \
-            -Dtarget.platform=${TARGET_PLATFORM}
-
-        # Build 2 - with signing, but skipping tests, pmd, checkstyle
         ${xvfb_cmd} ./mvnw clean verify \
             --show-version --errors --batch-mode --no-transfer-progress \
             --activate-profiles sign \
-            -Dtarget.platform=${TARGET_PLATFORM} \
-            -Dpmd.skip=true -DskipTests -Dcheckstyle.skip
+            -Dtarget.platform=${TARGET_PLATFORM}
 
     pmd_ci_log_group_end
 
@@ -289,13 +274,4 @@ For older versions, see <https://sourceforge.net/projects/pmd/files/pmd-eclipse/
 " > index.md
 }
 
-function extract_keystore() {
-    local -r keystore=".ci/files/pmd-eclipse-plugin.p12"
-    pmd_ci_log_info "Extracting keystore ${keystore}..."
-    printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --yes --decrypt \
-        --passphrase-fd 0 \
-        --output "${keystore}" "${keystore}.asc"
-    chmod 600 "${keystore}"
-}
-
 build

.ci/files/pmd-eclipse-plugin.p12.asc

@@ -14,6 +14,9 @@ This is a minor release.
 ### New and noteworthy
 * Support for Eclipse 2024-12 added
 * Support for Eclipse 2023-12 removed
+* The plugin now uses GPG signatures. Releases are signed with
+  [D0BF1D737C9A1C22](https://keyserver.ubuntu.com/pks/lookup?search=D0BF1D737C9A1C22&fingerprint=on&op=index).
+  The full fingerprint is `EBB2 41A5 45CB 17C8 7FAC B2EB D0BF 1D73 7C9A 1C22`.
 
 ### Fixed Issues
 

ReleaseNotes.md

@@ -36,4 +36,26 @@
             </plugin>
         </plugins>
     </build>
+
+    <profiles>
+      <profile>
+        <id>sign</id>
+        <build>
+          <plugins>
+            <plugin>
+              <groupId>org.eclipse.tycho</groupId>
+              <artifactId>tycho-gpg-plugin</artifactId>
+              <executions>
+                <execution>
+                  <id>sign</id>
+                  <goals>
+                    <goal>sign-p2-artifacts</goal>
+                  </goals>
+                </execution>
+              </executions>
+            </plugin>
+          </plugins>
+        </build>
+      </profile>
+    </profiles>
 </project>

net.sourceforge.pmd.eclipse.p2updatesite/pom.xml

@@ -332,6 +332,14 @@
           <artifactId>tycho-bnd-plugin</artifactId>
           <version>${tycho.version}</version>
         </plugin>
+        <plugin>
+          <groupId>org.eclipse.tycho</groupId>
+          <artifactId>tycho-gpg-plugin</artifactId>
+          <version>${tycho.version}</version>
+          <configuration>
+            <bestPractices>true</bestPractices>
+          </configuration>
+        </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-checkstyle-plugin</artifactId>
@@ -508,33 +516,5 @@
         </pluginManagement>
       </build>
     </profile>
-
-    <profile>
-      <id>sign</id>
-      <build>
-        <plugins>
-          <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-jarsigner-plugin</artifactId>
-            <version>3.0.0</version>
-            <configuration>
-              <alias>eclipse-plugin</alias>
-              <keystore>${keystore}</keystore>
-              <keypass>${env.CI_SIGN_PASSPHRASE}</keypass>
-              <storepass>${env.CI_SIGN_PASSPHRASE}</storepass>
-              <tsa>http://timestamp.digicert.com</tsa>
-            </configuration>
-            <executions>
-              <execution>
-                <id>sign</id>
-                <goals>
-                  <goal>sign</goal>
-                </goals>
-              </execution>
-            </executions>
-          </plugin>
-        </plugins>
-      </build>
-    </profile>
   </profiles>
 </project>