Remove most compat apis

KeylessSignature is gone, just use Bundle now. Most APIs are
changed to treat Bundle as the primary signing material
object.

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

build-logic/publishing/build.gradle.kts

@@ -10,6 +10,6 @@ dependencies {
     implementation(project(":basics"))
     implementation(project(":jvm"))
     implementation("dev.sigstore.build-logic:gradle-plugin")
-    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.8.0")
+    implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.9.0")
     implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }

gradle.properties

@@ -3,5 +3,7 @@ org.gradle.jvmargs=-XX:MaxMetaspaceSize=768m
 systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 
 group=dev.sigstore
-# remember to update SigstoreSignExtension.kt and build-logic/publishing/build.gradle.kts when updating this
+# remember to also update 
+# - SigstoreSignExtension.kt
+# - build-logic/publishing/build.gradle.kts 
 version=0.10.0

sigstore-cli/src/main/java/dev/sigstore/cli/Sign.java

@@ -65,7 +65,7 @@ public Integer call() throws Exception {
       signerBuilder.oidcClients(OidcClients.of(new TokenStringOidcClient(identityToken)));
     }
     var signer = signerBuilder.build();
-    var bundle = signer.signFile2(artifact);
+    var bundle = signer.signFile(artifact);
     if (signatureFiles.sigAndCert != null) {
       Files.write(
           signatureFiles.sigAndCert.signatureFile,

sigstore-cli/src/main/java/dev/sigstore/cli/Verify.java

@@ -16,7 +16,6 @@
 package dev.sigstore.cli;
 
 import static com.google.common.io.Files.asByteSource;
-import static com.google.common.io.Files.newReader;
 
 import com.google.common.hash.Hashing;
 import dev.sigstore.KeylessVerifier;
@@ -114,7 +113,8 @@ public Integer call() throws Exception {
                   fetcher.getEntryFromRekor(digest, Certificates.getLeaf(certPath), signature))
               .build();
     } else {
-      bundle = Bundle.from(newReader(signatureFiles.bundleFile.toFile(), StandardCharsets.UTF_8));
+      bundle =
+          Bundle.from(Files.newBufferedReader(signatureFiles.bundleFile, StandardCharsets.UTF_8));
     }
 
     var verificationOptionsBuilder = VerificationOptions.builder();

sigstore-gradle/README.md

@@ -134,7 +134,7 @@ Provides `SigstoreSignFilesTask` task for signing files in Sigstore.
 The plugin adds no tasks by default.
 
 Properties:
-* `dev.sigstore.sign.remove.sigstore.asc` (since 0.6.0, default: `true`). Removes `.sigstore.json.asc` files from the publication.
+* `dev.sigstore.sign.remove.sigstore.json.asc` (since 0.6.0, default: `true`). Removes `.sigstore.json.asc` files from the publication.
   Sonatype OSSRH supports publishing `.sigstore.json` signatures, and it does not require `.sigstore.json.asc` files, so
   `dev.sigstore.sign` plugin removes them by default. If you need to sign all the files, set this property to `false`.
 

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt

@@ -84,7 +84,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
         }
 
         val removeSigstoreAsc =
-            project.findProperty("dev.sigstore.sign.remove.sigstore.asc")?.toString()?.toBoolean() != false
+            project.findProperty("dev.sigstore.sign.remove.sigstore.json.asc")?.toString()?.toBoolean() != false
 
         val publicationName = publication.name
 

sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/work/SignWorkAction.kt

@@ -55,7 +55,7 @@ abstract class SignWorkAction : WorkAction<SignWorkParameters> {
             }.build()
         }
 
-        val result = signer.signFile2(inputFile.toPath())
+        val result = signer.signFile(inputFile.toPath())
         val bundleJson = result.toJson()
         parameters.outputSignature.get().asFile.writeText(bundleJson)
     }

sigstore-gradle/sigstore-gradle-sign-plugin/src/test/kotlin/dev/sigstore/gradle/RemoveSigstoreAscTest.kt

@@ -88,7 +88,7 @@ class RemoveSigstoreAscTest : BaseGradleTest() {
 
             # By default, dev.sigstore.sign asks Gradle to avoid signing .sigstore.json as
             # .sigstore.json.asc This is an opt-out hatch for those who need .sigstore.json.asc
-            dev.sigstore.sign.remove.sigstore.asc=false
+            dev.sigstore.sign.remove.sigstore.json.asc=false
             """.trimIndent()
         )
         prepare(case.gradle.version, "publishAllPublicationsToTmpRepository", "-s")

sigstore-java/src/main/java/dev/sigstore/KeylessSignature.java

@@ -445,23 +445,21 @@ public Map<Path, Bundle> signFiles(List<Path> artifacts) throws KeylessSignerExc
   }
 
   /**
-   * Convenience wrapper around {@link #sign(List)} to accept a single file This is a compat method
-   * and will be switched out with signFile2
+   * Convenience wrapper around {@link #sign(List)} to accept a single file
    *
-   * @param artifact the artifacts to sign.
-   * @return a keyless singing results.
+   * @param artifact the artifacts to sign
+   * @return a sigstore bundle
    */
   @CheckReturnValue
-  public KeylessSignature signFile(Path artifact) throws KeylessSignerException {
-    return signFiles(List.of(artifact)).get(artifact).toKeylessSignature();
+  public Bundle signFile(Path artifact) throws KeylessSignerException {
+    return signFiles(List.of(artifact)).get(artifact);
   }
 
   /**
-   * Convenience wrapper around {@link #sign(List)} to accept a signe file
-   *
-   * @param artifact the artifacts to sign
-   * @return a sigstore bundle
+   * Convenience wrapper around {@link #sign(List)} to accept a single file Compat - to be removed
+   * before 1.0.0
    */
+  @Deprecated
   public Bundle signFile2(Path artifact) throws KeylessSignerException {
     return signFiles(List.of(artifact)).get(artifact);
   }