Merge pull request #143 from adangel:jar-signing

Support JAR Signing for the update site #143

Author: adangel

.ci/README.md

@@ -0,0 +1,46 @@
+# Build Scripts for pmd-eclipse-plugin
+
+## JAR Signing
+
+Same solution as <https://github.com/spotbugs/spotbugs/issues/779>, using the Let's Encrypt certificate
+for pmd-code.org:
+
+```
+$ export CI_SIGN_PASSPHRASE=...
+$ openssl pkcs12 -export -in Lets_Encrypt_pmd-code.org_2021-03-25.pem \
+    -name eclipse-plugin \
+    -password env:CI_SIGN_PASSPHRASE \
+    -out pmd-eclipse-plugin.p12
+$ jarsigner -verbose \
+  -keystore .ci/files/pmd-eclipse-plugin.p12 \
+  -storepass changeit \
+  -keypass changeit \
+  -tsa http://timestamp.digicert.com \
+  path/to/plugin-jar.jar \
+  eclipse-plugin
+```
+
+Note: The file "Lets_Encrypt_pmd-code.org_2021-03-25.pem" contains the private key, the certificate
+and intermediate certificates.
+
+The file `pmd-eclipse-plugin.p12` is stored as `.ci/files/pmd-eclipse-plugin.p12.asc`, encrypted with PMD_CI_SECRET_PASSPHRASE.
+
+Encrypt it via:
+
+    printenv PMD_CI_SECRET_PASSPHRASE | gpg --symmetric --cipher-algo AES256 --batch --armor \
+      --passphrase-fd 0 \
+      pmd-eclipse-plugin.p12
+
+Decrypt it via:
+
+    printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --yes --decrypt \
+        --passphrase-fd 0 \
+        --output pmd-eclipse-plugin.p12 pmd-eclipse-plugin.p12.asc
+    chmod 600 pmd-eclipse-plugin.p12
+
+Signing the jar manually via `jarsigner` is difficult, since it changes the jar file and the p2 repo metadata
+fails with the wrong checksum. Therefore jarsigning is integrated via [maven-jarsigner-plugin](https://maven.apache.org/plugins/maven-jarsigner-plugin/). See also <https://stackoverflow.com/questions/7956267/tycho-jar-signing>.
+
+Note: The Let's Encrypt certificate expires in May 2021. But while signing a digital timestamp is created
+using [DigiCert's Timestamp Server](https://knowledge.digicert.com/generalinformation/INFO4231.html). That's
+why the signature is valid longer than the certificate.

.ci/build.sh

@@ -39,6 +39,7 @@ function build() {
         pmd_ci_setup_secrets_private_env
         pmd_ci_setup_secrets_ssh
         pmd_ci_maven_setup_settings
+        extract_keystore
     pmd_ci_log_group_end
 
     if pmd_ci_maven_isSnapshotBuild; then
@@ -58,7 +59,7 @@ function snapshot_build() {
         # Build and upload the update site to Bintray
         xvfb-run --auto-servernum ./mvnw clean verify --show-version --errors --batch-mode \
             --no-transfer-progress \
-            --activate-profiles snapshot-properties,release-composite
+            --activate-profiles snapshot-properties,release-composite,sign
 
         local qualifiedVersion
         qualifiedVersion="$(basename net.sourceforge.pmd.eclipse.p2updatesite/target/net.sourceforge.pmd.eclipse.p2updatesite-*.zip)"
@@ -113,7 +114,7 @@ function release_build() {
         # Build and deploy the update site to bintray
         xvfb-run --auto-servernum ./mvnw clean verify --show-version --errors --batch-mode \
             --no-transfer-progress \
-            --activate-profiles release-composite
+            --activate-profiles release-composite,sign
     pmd_ci_log_group_end
 
     pmd_ci_log_group_start "Update Github Releases"
@@ -266,4 +267,13 @@ For older versions, see <https://sourceforge.net/projects/pmd/files/pmd-eclipse/
 " > index.md
 }
 
+function extract_keystore() {
+    local -r keystore=".ci/files/pmd-eclipse-plugin.p12"
+    pmd_ci_log_info "Extracting keystore ${keystore}..."
+    printenv PMD_CI_SECRET_PASSPHRASE | gpg --batch --yes --decrypt \
+        --passphrase-fd 0 \
+        --output "${keystore}" "${keystore}.asc"
+    chmod 600 "${keystore}"
+}
+
 build

.ci/files/pmd-eclipse-plugin.p12.asc

@@ -0,0 +1,94 @@
+-----BEGIN PGP MESSAGE-----
+
+jA0ECQMCNBTrjKBgGin/0uwBN4Ot2VLOFHXZ2TNe8gnvfe2X6hGPegr4TOBhPtwh
+q4acBLaPNTBPLthWYSrPH3AH737cKinXXSzV9XwCRA+NGEEF8SBGeIzMN0t6ZHsd
+LtRqihvU925rnWaEGWc/DwKR86iubEx7xGdhxMBeWQ/yLw3NH/wV2Iy4InN/lpjJ
+TpkIRFhbg9zIfCVbW+XPJFlO3dPGDggK28o3PQl7uoiKCG9bI1/Sm+aBzQPqYTrD
+R87cYjjl+xv42/vgHjGua4bFfHNRK0KPc1U9JPyVmIEcB/uziRtmqfbTpv2B0jNc
+/Ec82PPz80Jpf7ijNt+T9sywtr1gGSYuA4ExmXlP/jmSDVsLHymTbF8k0tsWPYVn
+srP6D3dZqc0/i5Dv/cAAXvyv5GuiwigYKv+ikO5uJs4Dlf80roZwS4CjN0c+UUpr
+n77QWhQ788mu1iqRGMXAhZNcVxPpQHTc4v+mcxvYYryy7TTzMkdxuouZ4dFBr/Fi
+5uNiXxqFoUS1LWCZQOYsY+ByKvPbVhwcCC9vdhBhjcb2cUgZezKBDd/hIw7xbQXr
+i2obiCONAy1h80fqAixG/oYYE/46j8LE5oUi+lJtjiUc8VooN3R1E03XjZnyTtkP
+f1MzDOnDxYw5wmabEANOlBlFrqVeEKg7tyUCMr8+9HbGDqPtC1E3xyBKJnBqSN93
+TSund5o/Uce3YdsQbTmz0OM+LCmlCr3gFhCA/xq6DErFGn2csbsvSjbINdP+cdlO
+dy9rOw77KDddQ4RuAGvGjsjPKl76WV8gmTpkjXdL8i35h0zOVtJBdVHrKP+M40g5
+8NHK9I7jRkkFKswmDNy26m2UJSzaWtkfmXElwMk36ahXacFt7B6dD2a1brzx/m5w
+vW0meVNhaArZ9gQrZ8q7CZhlYvk3Tj8HSLnLV72YoqdTp+0UMahcqtMAMxxIIoQf
+DUJeSMZryFsulWh6qnyEQzDbwRMdY+rI6SOKuKlQaEtEbRqkYvs3Gx0JdH2xcfJO
+hG5ukkkmdqxheys0ldY8fg04mHd1d4Vx3PTRvUDo5ZLu85Yml+c1Pq4hlvxqV6/f
+jqRsD/hU/JlFm7tN29irvnA/YuFs+dDcYRp4jThQBlVgB4jr7tuL63RoMsg510SU
+9KokrKAXocpz1orC1HscROntHJdUubUGibAsbuXtQ2f0QHPXRF2/r8l7Ny6GmsbK
+OZZ/XhMsD4WQrEY0eb6NnxN4bCBLGxSvE8HTwXftmG2zswRmfy0S+pwtjsgb1H0T
+LyyJe7tdtqaLIDmW8JaybxwKEs9vEfheK1fkf2qbgRh8ANa1vqRqdidYUi+LiQB4
+YabjFSjOraEfTANxfaaGzOWjJDepcqsfIY0QpKdR/i9zoDKvpRQ2aj/sP8DaJqbT
+DigQOGyd8gAdUfesQXw8LsNuIYffFD8BnphLAKsRAU3hw/QRGhrut3i945gIz1hv
+Vo9zIzVFvuGJ3enZKkwL7g9mfrq2o0Q4culkGw/0yfae+W+jZo9/VSArYGM0opUJ
+y6elkUZuNA7Rs9MX9MOFw8muNrktNCm1WbgsYk+mvgYzwX8Zpfs7nmyMNMAf66UO
+eHw4qNU70FJy1eivQea5fgzMY4xYMJjeQkO4Rvu7dOf/eWv7Mof0uGUTzv4VXlpz
+f+XmBAmO0fX+AEtOyaqU0HMGkLTaOxJdPVCYGAd5adLTeRvumE9Qrc32yESKk2xc
+PM8lHOm3VuT4hDv265iEGH2kpfPGEa7UoFR/3GNcSyu4TGUfsAUrmU5Gx43bPhpR
+UI2OAGMJKkEMDKn6AtM8LztfYSBhy3jimf9B/62prdAUXUAlvRatWm7SnPpw3Vf1
+Hteeb7SmuECX4Ywux41enDyXr9oU6s0jtdh0LXlfYi63unjUP/ety19B6CwPnSkc
+q5n4374IvgjuswDxOkc8kCxVG+o7U2tgSzZzzM7Pv5o8LSrFL2dRUGEgRhkkQBKO
+jaNaBxPDL12Q2Bd3mz6t8BW1giYNOE+W1gTvbhgWaseC4Uzl9iClzuMBp/U+xNV3
+S95pNFcI14JZmUeIngjv2/URfce8a4fh0od5xUgQCkGuFw2y4RZM9la2BItQ7AfH
+a/895nNnkMbOJCPtSyq5Hle1TVD2oyyTug2JRYt0tzUzOIDsnF6AWEEp74ypBoUr
+PJUUmS85eXbl7LOBG7blnnN/HX+yyjh92UBvvGlFntBtM4T/Bgi/ebheCIJSfNPv
+eqleOHBwr3u25rr6HrYbhR0EMuJXOVbqTCuLov3v8ik6oLkBh1jGUXSFM2rs1slB
+KdWteW26OzMbsGjTijl5nB6FhmfMPksO0mD0nKbqC97wJOeL8DVPrlQJDSZDJcjQ
+BOB9TG0Mg2cy/t9NlgvqhFzw5Ledr8BGu2QF8/q9Ah4ywcW0eUJ60pSb4SYYyKPF
+T9huJh9nMH/8UDjy1IbEGAjkflAsiLUF3BUX+xMEDDzuRUyKueNAWe7yhk2TGMz+
+sdjPhS3azvrjhkxLvKuDHYApLf0+qyYfm6k4hZEoev4yowC817uQx6tAcsF0joVj
+YP5mCWOxaoJWvFHyFIHpLcq92u7rw9T/qFOnjJrgzQ726Cygxjtl7cRC6rI8Yoyu
+avTrnRQJt7kN78jW8quLsFXybzT9/LB/6yu1xAAYhU9p8v1lvx+Z/j68xnx90KUq
++9BwG7eOjelRH5pu42crgSArvbVImmgA8pbPiPjNIh+U/I2bwPiBKUD6WDfZidrN
+Gt2PkEZ/20Z54bm+GLFcvcp+x+uhWArxwgvK7vc03Y+b6PdKUW3FP0KVk9LwkhHw
+eh9T5BqCzpjeph7Uw7lzaXC0zdOD+ebSZ3Q9zQNDClhODwoDtGg+w5f7pAKlsBK4
+141KopWdqZiC38YEI9YUHx6K/IvlIQwh0A40mPXbXFN2DayifrVTsQcN4vGvP2kw
+n4OheNFPnF6lMrDCFJs4j17D7lwByjyreVWTZLhCTGJVu2Dv+Tol4982Vj9N/2Ou
+RatFhVYeQsS92brFqckf05kJhPDMHGy+1hFgkFgnS2bOaGk6jLitZwd+8Q6GnZr8
+9pSNv8WmD5C2KKSwAPkX/LCxDR3nHssv4HhLtSY+fO7FC52JSDb8T4nNxtiaZnLg
+kkNrHtE6DafWZGG3BRqlNa3iKJMkcOJYby3i9OebePXULjLRTD39LUa/LQkZuA4O
+O8Q7y6jX2DwV3+q0InVrf71bxZ9xmX9wjfupmMLgWNNa4CIJk1mpc28kFCnR0F69
+gYdbdrvggFJMilzPvKXaTxf6E9/6VNUwpjHiY0XcYbhcxP4zk4WgIb2QDOeuKpYk
+Tnq4QvNzpu0lRqxk625IRTbLlcP691GgKTUuiO49gNvGnjU6tXqtUapQCcjqlBo0
+HrNE5e88snhju3zxvHzzrskUN08KcN7PdNPEjtW5rTavcBSp5A1sAjmyJZoKLflV
+AJyvgfV4kpm1Q/Gin8H9IBgQDylbWcEHVZuwQbO9SefLqWFvgL+L0KM4Ikyg251I
+Cl+9exH+yQiFa8U6pPuGULAGB7z9rEHj43WacubejHjPWsJkplOAsYoIryAIvkG8
+2FMpgw+ZKxYd2+srhXKjYLIQYamRmr+D4vmNcka3FI20Z0/f1H8hn/j0hutO03yM
+O9XgtiNaO5DdCdsQa3Rn3FE3IbEHU9XTJELlBjV4NKNtk46hvqy655ZuYQhMLxjV
+aqMqjieaUJ/L+bn4OnGu+8F7fag3ZpPCZEtH4J8zlXjBD/JTdr4RR1nRvW9Fqwid
+rD4BJZsGdtNE7KUZnmyelINl8hYphKtJLJVqJD40SP3LTXTm9humySx7zAljTJLY
+BOgaytzkeMOdF/B8IhgubCy4egO/LlqHW9LRJUl5AkEijurT/lzIZG8nTAeVdR7e
+YyUGS5C22+qPLd5Az17putBkhnfj1Z03yFd9Lyghud1Hm326LBVHvcQqY/s/erpq
+o+tHpBp71tw3EGO3QObDL53Oa7YuqyQHl1klMM6KKFMMOteuEl5Heg5wJ2PmVpoq
+kcUoQj9F7DhjmqynaquNYoed+bZ6aYjtcvVrkQFmY4kuD2FI/kVtbiF919EzYMaJ
+G1t7gPCzWU4DV1hyMk6OE8Ins7IL/Rsk2sn+mAmrxg3Kib5+vbQlQd3AuJTMTL/v
+ZrRrYJAjDvO/VRx3KT0ovPCSInZhGfJtUb70d+Lt1Q8tFcb7eWRz4vup89rPjEuR
+rXhxdqeHzDf2qvkm6CPLvdtXzktCBuu9lt4UrQw+vextng1w+e1+eGbBth/vHeBs
+LCgAM1W1P62f4ykdywecJQT5gK71I1fcPRAcuLan4nGuHq50bPuAT2kfhgt/fH7R
+rBb/d++1pYien0i1NdgNu6zS+JW9j3Bi77Y705aUoRtikj3LZBkAqArxoQurDrv4
+8GRFmb7lkT8APesXtCFT14cNvb/kQFgkBqc2P2JR5QnqHqnL58glbm+hqllokP4Z
+qmvi90dXWBCSKgHkR6//hEgeIG2R/aycmRrEQglH/Hs5Krv7ImIHCCWOyMDeY9hv
+xnFvYjDNX1oEyWxLgXg9KWsiLO12FoPSgG+q8xBwU5rA/Z37tgg0aWq/Gc15oqEF
+1O144jHpn01UK2TtA9h1ilQEo7x4bb/zG17HMu9vDNuh7TvFoTKpQQp6yKvp4l1k
+5JV2B8fQRv3792+mpdS17zhWcXSR6ly65ssI0bH9tHISsVgq40/Gi791XHcBegJ8
+Wkw+8/yvDuEKFljZr+g9M2iI1SImuFDKTP8hRYuqYhbrLiYECdrpb8jxHKwtTzQS
++BHOOQ3uu7PT0+ggJN02KWUQ29HE0eAXgOWS+C8YTUGkaMlBS9bP/XfvxUGd4E6H
+8jnFqvsRBf9Vi9xHaJPk6LWfJmB51KQmfFVyr22bJBLLvvzuegaNd2iijul49KwG
+PJG3ra4NNSiOfY3FKsA2SFqGheh+KuOYq3JdQ6o2mG7JkxctOvv18BZl7UMJ9GeV
+C0FjS13Ozp+/ItA4aVrMJpiou2PwuitD1q8cnR4cEzJxUlc1/O2VTomvc6ofczYi
+V6Ik8bzDnbBP9MAQSZ6l6rJevadGLreSfP8YHHUUF0zw53wcsRv0SQWXOBAxotx9
+lz6BQRLJHNK+DgFt2AXrjUoEDZLNxSNsJaO4V8Ly8oiQlZKDGuYouoPLjOj6cpvf
+OHGFJnsSEqdYdyOkU00JLeEcp3UIKfhpeQR0N+RPSD83/hmrcNUnd3MKLLE8sDSv
+1r+Zvc7aZyypK87mNv8P4HMOUwJq54SDNS1yNYZ2jEeOiHFQOea1iZGyaJH1zWX8
+KdwBb0d5NVbzksfwJCeGTvwygr59dYFhnZhBvJTVUairPPwl/+O1InHkNQyF1EQv
+oqGkF/Ani6bobj2WLuvN4RO1ecKjeMF5nEoO6TbG0kpeDeuukUAwEe2TkWjnxXio
+acnAPNGQz/IVadq6YiCg+l1DG+4JgJJyoCQsvdzM4RiKqJWmAtUPWzb3ViCSnCo4
+/hITQksfyDyYTMQpkFsp+JaNigjBcNIDnlTIdpJFNsFGmd6uNUWbRhEYUTcnIojX
+TryXkl3vYVXwSHQIe0XbZwEqb+otUkVd+dtiGV2r0sRdoRgL7UGaMuuLY9F769xB
+6DNOLmf8NUxzoMZI2APN+o2RXULPHt95a2qwhLNsGewT2SieWEGogKxO+S8/wNgk
+HVzb/cYs2xpJ6A==
+=6F99
+-----END PGP MESSAGE-----

ReleaseNotes.md

@@ -15,6 +15,8 @@ This is a minor release.
 
 ### Fixed Issues
 
+*   [#143](https://github.com/pmd/pmd-eclipse-plugin/pull/143): Support JAR Signing for the update site
+
 ### API Changes
 
 *   The following methods in `net.sourceforge.pmd.eclipse.ui.actions.RuleSetUtil` are deprecated:

net.sourceforge.pmd.eclipse.p2updatesite/pom.xml

@@ -34,6 +34,8 @@
         <!-- note that the following must be consistent with the path schema
             used to publish child composite repositories and actual released p2 repositories -->
         <child.repository.path.prefix>../../releases/</child.repository.path.prefix>
+
+        <keystore>${basedir}/../${keystorePath}</keystore>
     </properties>
 
     <build>

net.sourceforge.pmd.eclipse.plugin.test.fragment/pom.xml

@@ -13,4 +13,8 @@
   <artifactId>net.sourceforge.pmd.eclipse.plugin.test.fragment</artifactId>
   <packaging>eclipse-plugin</packaging>
 
+  <properties>
+    <keystore>${basedir}/../${keystorePath}</keystore>
+  </properties>
+
 </project>

net.sourceforge.pmd.eclipse.plugin.test/pom.xml

@@ -13,6 +13,10 @@
   <artifactId>net.sourceforge.pmd.eclipse.plugin.test</artifactId>
   <packaging>eclipse-test-plugin</packaging>
 
+  <properties>
+    <keystore>${basedir}/../${keystorePath}</keystore>
+  </properties>
+
   <build>
     <plugins>
       <plugin>

net.sourceforge.pmd.eclipse.plugin/pom.xml

@@ -13,6 +13,9 @@
   <artifactId>net.sourceforge.pmd.eclipse.plugin</artifactId>
   <packaging>eclipse-plugin</packaging>
 
+  <properties>
+    <keystore>${basedir}/../${keystorePath}</keystore>
+  </properties>
 
   <dependencies>
     <dependency>

net.sourceforge.pmd.eclipse/pom.xml

@@ -13,4 +13,8 @@
   <artifactId>net.sourceforge.pmd.eclipse</artifactId>
   <packaging>eclipse-feature</packaging>
 
+  <properties>
+    <keystore>${basedir}/../${keystorePath}</keystore>
+  </properties>
+
 </project>

pom.xml

@@ -28,6 +28,9 @@
     <checkstyle.plugin.version>3.1.1</checkstyle.plugin.version>
 
     <updatesite.orbit>https://archive.eclipse.org/tools/orbit/downloads/drops/${orbit.version}/repository/</updatesite.orbit>
+
+    <keystorePath>.ci/files/pmd-eclipse-plugin.p12</keystorePath>
+    <keystore>${basedir}/${keystorePath}</keystore>
   </properties>
 
   <repositories>
@@ -267,4 +270,34 @@
     </pluginManagement>
   </build>
 
+  <profiles>
+    <profile>
+      <id>sign</id>
+      <build>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-jarsigner-plugin</artifactId>
+            <version>3.0.0</version>
+            <configuration>
+              <alias>eclipse-plugin</alias>
+              <keystore>${keystore}</keystore>
+              <keypass>${env.CI_SIGN_PASSPHRASE}</keypass>
+              <storepass>${env.CI_SIGN_PASSPHRASE}</storepass>
+              <tsa>http://timestamp.digicert.com</tsa>
+              <verbose>true</verbose>
+            </configuration>
+            <executions>
+              <execution>
+                <id>sign</id>
+                <goals>
+                  <goal>sign</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
+  </profiles>
 </project>