Integrate sigstore/sigstore-maven-plugin into repo

- Move sigstore-maven-plugin in sigstore/sigstore-java
- Make it a gradle module (and build with gradle :o! sorry)

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

build-logic/publishing/src/main/kotlin/build-logic.depends-on-local-sigstore-java-repo.gradle.kts

@@ -0,0 +1,44 @@
+import org.gradle.api.attributes.Bundling
+import org.gradle.api.attributes.Category
+import org.gradle.kotlin.dsl.*
+import java.io.File
+
+plugins {
+    java
+}
+
+val sigstoreJavaRuntime by configurations.creating {
+    description = "declares dependencies that will be useful for testing purposes"
+    isCanBeConsumed = false
+    isCanBeResolved = false
+}
+
+val sigstoreJavaTestClasspath by configurations.creating {
+    description = "sigstore-java in local repository for testing purposes"
+    isCanBeConsumed = false
+    isCanBeResolved = true
+    extendsFrom(sigstoreJavaRuntime)
+    attributes {
+        attribute(Category.CATEGORY_ATTRIBUTE, objects.named("maven-repository"))
+        attribute(Bundling.BUNDLING_ATTRIBUTE, objects.named(Bundling.EXTERNAL))
+    }
+}
+
+tasks.test {
+    dependsOn(sigstoreJavaTestClasspath)
+    systemProperty("sigstore.test.current.version", version)
+    val projectDir = layout.projectDirectory.asFile
+    // This adds paths to the local repositories that contain currently-built sigstore-java
+    // It enables testing both "sigstore-java from Central" and "sigstore-java build locally" in the plugin tests
+    jvmArgumentProviders.add(
+        // Gradle does not support Provider for systemProperties yet, see https://github.com/gradle/gradle/issues/12247
+        CommandLineArgumentProvider {
+            listOf(
+                "-Dsigstore.test.local.maven.repo=" +
+                        sigstoreJavaTestClasspath.joinToString(File.pathSeparator) {
+                            it.toRelativeString(projectDir)
+                        },
+            )
+        }
+    )
+}

build-logic/publishing/src/main/kotlin/build-logic.depends-on-local-sigstore-maven-plugin-repo.gradle.kts

@@ -0,0 +1,43 @@
+import org.gradle.api.attributes.Bundling
+import org.gradle.api.attributes.Category
+import org.gradle.kotlin.dsl.*
+import java.io.File
+
+plugins {
+    java
+}
+
+val sigstoreMavenPluginRuntime by configurations.creating {
+    description = "declares dependencies that will be useful for testing purposes"
+    isCanBeConsumed = false
+    isCanBeResolved = false
+}
+
+val sigstoreMavenPluginTestClasspath by configurations.creating {
+    description = "sigstore-maven-plugin in local repository for testing purposes"
+    isCanBeConsumed = false
+    isCanBeResolved = true
+    extendsFrom(sigstoreMavenPluginRuntime)
+    attributes {
+        attribute(Category.CATEGORY_ATTRIBUTE, objects.named("maven-repository"))
+        attribute(Bundling.BUNDLING_ATTRIBUTE, objects.named(Bundling.EXTERNAL))
+    }
+}
+
+tasks.test {
+    dependsOn(sigstoreMavenPluginTestClasspath)
+    systemProperty("sigstore.test.current.maven.plugin.version", version)
+    val projectDir = layout.projectDirectory.asFile
+    // This adds paths to the local repositories that contain currently-built sigstore-maven-plugin
+    jvmArgumentProviders.add(
+        // Gradle does not support Provider for systemProperties yet, see https://github.com/gradle/gradle/issues/12247
+        CommandLineArgumentProvider {
+            listOf(
+                "-Dsigstore.test.local.maven.plugin.repo=" +
+                        sigstoreMavenPluginTestClasspath.joinToString(File.pathSeparator) {
+                            it.toRelativeString(projectDir)
+                        },
+            )
+        }
+    )
+}

build-logic/publishing/src/main/kotlin/build-logic.kotlin-dsl-published-gradle-plugin.gradle.kts

@@ -6,40 +6,5 @@ plugins {
     id("build-logic.reproducible-builds")
     id("build-logic.dokka-javadoc")
     id("build-logic.publish-to-central")
-}
-
-val sigstoreJavaRuntime by configurations.creating {
-    description = "declares dependencies that will be useful for testing purposes"
-    isCanBeConsumed = false
-    isCanBeResolved = false
-}
-
-val sigstoreJavaTestClasspath by configurations.creating {
-    description = "sigstore-java in local repository for testing purposes"
-    isCanBeConsumed = false
-    isCanBeResolved = true
-    extendsFrom(sigstoreJavaRuntime)
-    attributes {
-        attribute(Category.CATEGORY_ATTRIBUTE, objects.named("maven-repository"))
-        attribute(Bundling.BUNDLING_ATTRIBUTE, objects.named(Bundling.EXTERNAL))
-    }
-}
-
-tasks.test {
-    dependsOn(sigstoreJavaTestClasspath)
-    systemProperty("sigstore.test.current.version", version)
-    val projectDir = layout.projectDirectory.asFile
-    // This adds paths to the local repositories that contain currently-built sigstore-java
-    // It enables testing both "sigstore-java from Central" and "sigstore-java build locally" in the plugin tests
-    jvmArgumentProviders.add(
-        // Gradle does not support Provider for systemProperties yet, see https://github.com/gradle/gradle/issues/12247
-        CommandLineArgumentProvider {
-            listOf(
-                "-Dsigstore.test.local.maven.repo=" +
-                        sigstoreJavaTestClasspath.joinToString(File.pathSeparator) {
-                            it.toRelativeString(projectDir)
-                        }
-            )
-        }
-    )
+    id("build-logic.depends-on-local-sigstore-java-repo")
 }

build-logic/publishing/src/main/kotlin/build-logic.publish-to-tmp-maven-repo.gradle.kts

@@ -1,3 +1,5 @@
+import org.gradle.kotlin.dsl.registering
+
 plugins {
     id("java-library")
     id("maven-publish")

settings.gradle.kts

@@ -8,5 +8,6 @@ include("sigstore-gradle:sigstore-gradle-sign-base-plugin")
 include("sigstore-gradle:sigstore-gradle-sign-plugin")
 include("sigstore-testkit")
 include("sigstore-cli")
+include("sigstore-maven-plugin")
 
 include("fuzzing")

sigstore-java/src/main/java/dev/sigstore/KeylessSigner.java

@@ -64,7 +64,7 @@
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.locks.ReentrantReadWriteLock;
-import org.checkerframework.checker.nullness.qual.Nullable;
+import javax.annotation.Nullable;
 
 /**
  * A full sigstore keyless signing flow.
@@ -93,14 +93,16 @@ public class KeylessSigner implements AutoCloseable {
 
   /** The code signing certificate from Fulcio. */
   @GuardedBy("lock")
-  private @Nullable CertPath signingCert;
+  @Nullable
+  private CertPath signingCert;
 
   /**
    * Representation {@link #signingCert} in PEM bytes format. This is used to avoid serializing the
    * certificate for each use.
    */
   @GuardedBy("lock")
-  private byte @Nullable [] signingCertPemBytes;
+  @Nullable
+  private byte[] signingCertPemBytes;
 
   private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
 

sigstore-java/src/main/java/dev/sigstore/encryption/certificates/Certificates.java

@@ -22,6 +22,7 @@
 import java.io.StringWriter;
 import java.nio.charset.StandardCharsets;
 import java.security.cert.*;
+import java.time.temporal.ChronoUnit;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.List;
@@ -208,4 +209,9 @@ public static boolean isSelfSigned(CertPath certPath) {
   public static X509Certificate getLeaf(CertPath certPath) {
     return (X509Certificate) certPath.getCertificates().get(0);
   }
+
+  public static long validity(X509Certificate certificate, ChronoUnit unit) {
+    return unit.between(
+        certificate.getNotAfter().toInstant(), certificate.getNotBefore().toInstant());
+  }
 }

sigstore-maven-plugin/.gitignore

@@ -0,0 +1,24 @@
+.vscode
+.factorypath
+.project
+.classpath
+.settings/
+*.iml
+*.ipr
+.idea
+*.class
+*.jar
+target/
+pom.xml.tag
+pom.xml.releaseBackup
+pom.xml.versionsBackup
+pom.xml.next
+pom.xml.bak
+release.properties
+dependency-reduced-pom.xml
+buildNumber.properties
+.mvn/timing.properties
+.mvn/wrapper/maven-wrapper.jar
+.apt_generated/
+.apt_generated_tests/
+bin/

sigstore-maven-plugin/README.md

@@ -0,0 +1,36 @@
+sigstore-maven-plugin
+=====================
+
+[![Maven Central](https://img.shields.io/maven-central/v/dev.sigstore/sigstore-maven-plugin.svg?label=Maven%20Central)](https://central.sonatype.com/artifact/dev.sigstore/sigstore-maven-plugin)
+
+This is a Maven plugin that can be used to use the "keyless" signing paradigm supported by Sigstore.
+This plugin is still in early phases, then has known limitations described below.
+
+sign
+----
+
+```xml
+      <plugin>
+        <groupId>dev.sigstore</groupId>
+        <artifactId>sigstore-maven-plugin</artifactId>
+        <version>0.4.0</version>
+        <executions>
+          <execution>
+            <id>sign</id>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+```
+
+Notes:
+
+- GPG: Maven Central publication rules require GPG signing each files: to avoid GPG signing of `.sigstore.json` files, just use version 3.1.0 minimum of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/).
+- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
+
+Known limitations:
+
+- Maven multi-module build: each module will require an OIDC authentication,
+- 10 minutes signing session: if a build takes more than 10 minutes, a new OIDC authentication will be required each 10 minutes.

sigstore-maven-plugin/build.gradle.kts

@@ -0,0 +1,29 @@
+plugins {
+    id("build-logic.java-published-library")
+    id("build-logic.test-junit5")
+    id("build-logic.depends-on-local-sigstore-java-repo")
+    id("build-logic.depends-on-local-sigstore-maven-plugin-repo")
+    id("de.benediktritter.maven-plugin-development") version "0.4.3"
+}
+
+dependencies {
+    compileOnly("org.apache.maven:maven-plugin-api:3.9.8")
+    compileOnly("org.apache.maven:maven-core:3.9.8")
+    compileOnly("org.apache.maven:maven-core:3.9.8")
+    compileOnly("org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1")
+
+    implementation(project(":sigstore-java"))
+    implementation("org.bouncycastle:bcutil-jdk18on:1.78.1")
+    implementation("org.apache.maven.plugins:maven-gpg-plugin:3.1.0")
+
+    testImplementation("org.apache.maven.shared:maven-verifier:1.8.0")
+
+    testImplementation(project(":sigstore-testkit"))
+
+    sigstoreJavaRuntime(project(":sigstore-java")) {
+        because("Test code needs access locally-built sigstore-java as a Maven repository")
+    }
+    sigstoreMavenPluginRuntime(project(":sigstore-maven-plugin")) {
+        because("Test code needs access locally-built sigstore-java as a Maven repository")
+    }
+}