Build updates to conformance module

- pin tags on actions
- remove guava dep
- add build-logic.java (with error prone and spotless)

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

.github/workflows/conformance.yml

@@ -20,10 +20,10 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@d171c3b028d844f2bf14e9fdec0c58114451e4bf
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # tag=v3.2.0
 
       - name: Set up JDK ${{ matrix.java-version }}
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@1df8dbefe2a8cbc99770194893dd902763bee34b # tag=v3.9.0
         with:
           java-version: ${{ matrix.java-version }}
           distribution: 'temurin'
@@ -36,6 +36,6 @@ jobs:
       - name: Unpack sigstore-java distribution
         run: tar -xvf ${{ github.workspace }}/sigstore-conformance/build/distributions/sigstore-conformance-*.tar --strip-components 1
 
-      - uses: trailofbits/sigstore-conformance@0748d63c53810e36cc3f4bbe4114301080f0d844
+      - uses: trailofbits/sigstore-conformance@0748d63c53810e36cc3f4bbe4114301080f0d844 # tag=v0.0.3
         with:
           entrypoint: ${{ github.workspace }}/bin/sigstore-conformance

sigstore-conformance/build.gradle.kts

@@ -1,7 +1,6 @@
 plugins {
-    id("java")
+    id("build-logic.java")
     id("application")
-    id("com.diffplug.spotless") version "6.11.0"
 }
 
 repositories {
@@ -10,25 +9,6 @@ repositories {
 
 dependencies {
     implementation(project(":sigstore-java"))
-    implementation("com.google.guava:guava:31.1-jre")
-}
-
-spotless {
-    kotlinGradle {
-        target("*.gradle.kts") // default target for kotlinGradle
-        ktlint()
-    }
-    format("misc") {
-        target("*.md", ".gitignore", "**/*.yaml")
-
-        trimTrailingWhitespace()
-        indentWithSpaces()
-        endWithNewline()
-    }
-    java {
-        googleJavaFormat("1.6")
-        licenseHeaderFile("$rootDir/config/licenseHeader")
-    }
 }
 
 application {

sigstore-conformance/src/main/java/dev/sigstore/conformance/Main.java

@@ -15,16 +15,19 @@
  */
 package dev.sigstore.conformance;
 
-import static com.google.common.io.Files.asByteSource;
 import static dev.sigstore.encryption.certificates.Certificates.toPemString;
 
-import com.google.common.hash.Hashing;
 import dev.sigstore.KeylessSigner;
 import dev.sigstore.KeylessVerifier;
 import dev.sigstore.oidc.client.GithubActionsOidcClient;
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.nio.file.Paths;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
 
 public class Main {
   private static final String SIGN_COMMAND = "sign";
@@ -101,16 +104,20 @@ private static void executeSign(SignArguments args) throws Exception {
             .build();
     final var result = signer.signFile(args.artifact);
     Files.write(args.signature, result.getSignature());
-    final var pemBytes = toPemString(result.getCertPath()).getBytes();
+    final var pemBytes = toPemString(result.getCertPath()).getBytes(StandardCharsets.UTF_8);
     Files.write(args.certificate, pemBytes);
   }
 
   private static class VerifyArguments {
     public Path signature;
     public Path certificate;
+    public Path artifact;
+
+    @SuppressWarnings("unused") // remove when verifier actually verifies these
     public String certificateIdentity;
+
+    @SuppressWarnings("unused") // remove when verifier actually verifies these
     public String certificateOidcIssuer;
-    public Path artifact;
   }
 
   private static VerifyArguments parseVerifyArguments(Arguments args) {
@@ -129,9 +136,20 @@ private static VerifyArguments parseVerifyArguments(Arguments args) {
 
   private static void executeVerify(VerifyArguments args) throws Exception {
     final var verifier = KeylessVerifier.builder().sigstorePublicDefaults().build();
-    final var artifactByteSource = asByteSource(args.artifact.toFile());
-    final byte[] artifactDigest = artifactByteSource.hash(Hashing.sha256()).asBytes();
+    final byte[] artifactDigest = sha256(args.artifact);
     verifier.verifyOnline(
         artifactDigest, Files.readAllBytes(args.certificate), Files.readAllBytes(args.signature));
   }
+
+  private static byte[] sha256(Path path) throws IOException, NoSuchAlgorithmException {
+    MessageDigest digest = MessageDigest.getInstance("SHA-256");
+    try (InputStream in = Files.newInputStream(path)) {
+      byte[] buffer = new byte[1024];
+      int count;
+      while ((count = in.read(buffer)) > 0) {
+        digest.update(buffer, 0, count);
+      }
+    }
+    return digest.digest();
+  }
 }