Update GPG maven plugin dependency

loosebazooka · loosebazooka · commit 69978e6e009c · 2024-08-14T11:09:11.000-04:00
This ignores .sigstore.json files by default. See: https://issues.apache.org/jira/browse/MGPG-130 Signed-off-by: Appu Goundan <appu@google.com>
diff --git a/sigstore-maven-plugin/README.md b/sigstore-maven-plugin/README.md
@@ -47,8 +47,8 @@ See [GitHub documentation](https://docs.github.com/en/actions/deployment/securit
 
 Notes:
 
-<!-- TBD: (uncomment when gpg adding exclusion from .sigstore.java - GPG: Maven Central publication rules require GPG signing each files: to avoid GPG signing of `.sigstore.json` files, just use version 3.X.X minimum of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/). -->
-- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
+- GPG: Maven Central publication rules require GPG signing. To avoid GPG signing of `.sigstore.json` signature files, use version 3.2.5 or higher of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/).
+- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 or higher, or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java`
 
 Known limitations:
 
diff --git a/sigstore-maven-plugin/build.gradle.kts b/sigstore-maven-plugin/build.gradle.kts
@@ -16,7 +16,7 @@ dependencies {
 
     implementation(project(":sigstore-java"))
     implementation("org.bouncycastle:bcutil-jdk18on:1.78.1")
-    implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.4")
+    implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.5")
 
     testImplementation("org.apache.maven.shared:maven-verifier:1.8.0")
 
diff --git a/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java b/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java
@@ -40,22 +40,13 @@ public class SigstoreSignAttachedMojo extends AbstractMojo {
 
   private static final String BUNDLE_EXTENSION = ".sigstore.json";
 
-  // TODO: this can potentially be derived from mvn-gpg-plugin:FilesCollector.java,
-  //   but that requires a change in that plugin before it makes sense here.
-  private static final String DEFAULT_EXCLUDES[] =
-      new String[] {
-        "**/*.md5", "**/*.sha1", "**/*.sha256", "**/*.sha512", "**/*.asc", "**/*.sigstore.json"
-      };
-
   /** Skip doing the sigstore signing. */
   @Parameter(property = "sigstore.skip", defaultValue = "false")
   private boolean skip;
 
   /**
    * A list of files to exclude from being signed. Can contain Ant-style wildcards and double
-   * wildcards. The default excludes are <code>
-   * **&#47;*.md5 **&#47;*.sha1 **&#47;*.sha256 **&#47;*.sha512 **&#47;*.asc **&#47;*.sigstore.json
-   * </code>.
+   * wildcards. The defaults are defined in DEFAULT_EXCLUDES in {@link FilesCollector}.
    */
   @Parameter private String[] excludes;
 
@@ -81,8 +72,7 @@ public void execute() throws MojoExecutionException, MojoFailureException {
     // Collect files to sign
     // ----------------------------------------------------------------------------
 
-    FilesCollector collector =
-        new FilesCollector(project, (excludes == null) ? DEFAULT_EXCLUDES : excludes, getLog());
+    FilesCollector collector = new FilesCollector(project, excludes, getLog());
     List<FilesCollector.Item> items = collector.collect();
 
     // ----------------------------------------------------------------------------
