Generate sigstore bundle

Signed-off-by: Vladimir Sitnikov <[email protected]>

Author: vlsi

.editorconfig

@@ -18,3 +18,7 @@ end_of_line = crlf
 
 [*.java]
 indent_size = 2
+ij_continuation_indent_size = 4
+# Doc: https://youtrack.jetbrains.com/issue/IDEA-170643#focus=streamItem-27-3708697.0-0
+# $ means "static"
+ij_java_imports_layout = $*,|,*

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -39,7 +39,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
     abstract val sigstoreJavaVersion : Property<String>
 
     init {
-        sigstoreJavaVersion.convention("0.2.0")
+        sigstoreJavaVersion.convention("0.3.0")
         (this as ExtensionAware).extensions.create<OidcClientExtension>(
             "oidcClient",
             project.objects,

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/bundle/SigstoreBundle.kt

@@ -16,26 +16,22 @@
  */
 package dev.sigstore.sign.work
 
-import com.fasterxml.jackson.databind.ObjectMapper
 import dev.sigstore.KeylessSigner
+import dev.sigstore.bundle.BundleFactory
 import dev.sigstore.oidc.client.OidcClient
 import dev.sigstore.sign.OidcClientConfiguration
-import dev.sigstore.sign.bundle.*
 import org.gradle.api.file.RegularFileProperty
 import org.gradle.api.provider.Property
 import org.gradle.workers.WorkAction
 import org.gradle.workers.WorkParameters
 import org.slf4j.LoggerFactory
-import java.util.*
 
 abstract class SignWorkParameters : WorkParameters {
     abstract val inputFile: RegularFileProperty
     abstract val outputSignature: RegularFileProperty
     abstract val oidcClient: Property<OidcClientConfiguration>
 }
 
-private val jsonMapper = ObjectMapper().writerWithDefaultPrettyPrinter()
-
 abstract class SignWorkAction : WorkAction<SignWorkParameters> {
     companion object {
         val logger = LoggerFactory.getLogger(SignWorkAction::class.java)
@@ -53,32 +49,7 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
         }.build()
 
         val result = signer.signFile(inputFile.toPath())
-        val signature = SigstoreBundle(
-            mediaType = BundleMediaTypes.V1_JSON.value,
-            timestampProof = RekorEntry(
-                logIndex = result.entry.logIndex,
-                logId = result.entry.logID,
-                integratedTime = result.entry.integratedTime,
-                signedEntryTimestamp = Base64.getDecoder().decode(result.entry.verification.signedEntryTimestamp),
-            ),
-            attestation = AttestationBlob(
-                payloadHash = HashValue(
-                    // See https://github.com/sigstore/sigstore-java/issues/85
-                    algorithm = HashAlgorithm.sha256,
-                    // https://github.com/sigstore/sigstore-java/issues/86
-                    hash = result.digest.chunked(2)
-                        .map { it.toInt(16).toByte() }
-                        .toByteArray(),
-                ),
-                signature = result.signature,
-            ),
-            verificationMaterial = X509CertVerificationMaterial(
-                chain = result.certPath.encoded,
-            )
-        )
-        jsonMapper.writeValue(
-            parameters.outputSignature.get().asFile,
-            signature
-        )
+        val bundleJson = BundleFactory.createBundle(result)
+        parameters.outputSignature.get().asFile.writeText(bundleJson)
     }
 }

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/work/SignWorkAction.kt

@@ -20,7 +20,7 @@ dependencies {
 
     implementation("io.github.erdtman:java-json-canonicalization:1.1")
 
-    implementation("dev.sigstore:protobuf-specs:0.0.1") {
+    implementation("dev.sigstore:protobuf-specs:0.1.0") {
         because("It generates Sigstore Bundle file")
     }
     implementation("com.google.protobuf:protobuf-java-util:3.21.12") {

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/test/kotlin/dev/sigstore/gradle/SigstoreBundleTest.kt

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2022 The Sigstore Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package dev.sigstore.bundle;
+
+import com.google.protobuf.InvalidProtocolBufferException;
+import com.google.protobuf.util.JsonFormat;
+import dev.sigstore.KeylessSigningResult;
+import dev.sigstore.proto.bundle.v1.Bundle;
+
+/**
+ * Generates Sigstore Bundle.
+ *
+ * @see <a href="https://github.com/sigstore/protobuf-specs">Sigstore Bundle Protobuf
+ *     specifications</a>
+ */
+public class BundleFactory {
+  private static final JsonFormat.Printer JSON_PRINTER = JsonFormat.printer();
+
+  /**
+   * Generates Sigstore Bundle JSON from {@link KeylessSigningResult}.
+   *
+   * @param signingResult Keyless signing result.
+   * @return Sigstore Bundle in JSON format
+   */
+  public static String createBundle(KeylessSigningResult signingResult) {
+    Bundle bundle = BundleFactoryInternal.createBundleBuilder(signingResult).build();
+    try {
+      return JSON_PRINTER.print(bundle);
+    } catch (InvalidProtocolBufferException e) {
+      throw new IllegalArgumentException(
+          "Can't serialize signing result to Sigstore Bundle JSON", e);
+    }
+  }
+}