Merge pull request #624 from sigstore/update-after-070

Update after 0.7.0 release

Author: loosebazooka

.github/workflows/ci.yaml

@@ -57,6 +57,11 @@ jobs:
       with:
         arguments: build
 
+    - name: Ensure sigstore-java self signing still works
+      uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 # v2.11.1
+      with:
+        arguments: sigstore-java:publishToMavenLocal -Prelease -PskipPgpSigning
+
     - name: Test sigstore-java/sandbox
       uses: gradle/gradle-build-action@982da8e78c05368c70dac0351bb82647a9e9a5d2 # v2.11.1 
       with:

README.md

@@ -26,6 +26,9 @@ var result = signer.sign(testArtifact);
 
 // resulting signature information
 
+// sigstore bundle format (serialized as <artifact>.sigstore.json)
+String bundle = BundleFactory.createBundle(result)
+
 // artifact digest
 byte[] digest = result.getDigest();
 
@@ -36,12 +39,16 @@ byte[] certsBytes = Certificates.toPemBytes(result.getCertPath()) // converted t
 // artifact signature
 byte[] sig = result.getSignature()
 
-// sigstore bundle format (json string)
-String bundle = BundleFactory.createBundle(result)
 ```
 
 #### Verification
 
+##### KeylessSignature from bundle
+```java
+var bundleFile = // java.nio.Path to a .sigstore.json signature bundle file
+var keylessSignature = BundleFactory.readBundle(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));
+```
+
 ##### KeylessSignature from certificate and signature
 ```java
 byte[] digest = // byte array sha256 artifact digest
@@ -55,19 +62,12 @@ var keylessSignature =
         .build();
 ```
 
-##### KeylessSignature from bundle
-```java
-var bundleFile = // java.nio.path to some bundle file
-var keylessSignature = BundleFactory.readBundle(Files.newBufferedReader(bundleFile, StandardCharsets.UTF_8));
-```
 
 ##### Configure verification options
 ```java
 var verificationOptions = 
     VerificationOptions.builder()
-        // verify online? (connect to rekor for inclusion proof)
-        .isOnline(true)
-        // optionally add certificate policy
+        // add certificate policy to verify the identity of the signer
         .addCertificateIdentities(
             CertificateIdentity.builder()
                 .issuer("https://accounts.example.com"))
@@ -78,7 +78,7 @@ var verificationOptions =
 
 ##### Do verification
 ```java
-var artifact = // path to artifact file
+var artifact = // java.nio.Path to artifact file
 try {
   var verifier = new KeylessVerifier.Builder().sigstorePublicDefaults().build();
   verifier.verify(

build-logic/publishing/build.gradle.kts

@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.5.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.7.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }

gradle.properties

@@ -3,5 +3,5 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 
 group=dev.sigstore
-# remember to update SigstoreSignExtension.kt when updating this
-version=0.7.0
+# remember to update SigstoreSignExtension.kt and build-logic/publishing/build.gradle.kts when updating this
+version=0.8.0

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -41,7 +41,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("0.7.0")
+        sigstoreJavaVersion.convention("0.8.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,