

[MGPG-106] Introduce new signer: BC (#72)
This introduces a new pure Java signer, a Bouncy Castle backed one. Currently two signers are supported: "gpg" (uses the external executable, as before), and "bc" (uses the pure Java Bouncy Castle backed signer).

All the ITs (invoker and surefire) are _reused_ and now run twice, once with "gpg" and once with "bc". One IT needed adjustment, as BC does not emit error about "pinentry".

---

https://issues.apache.org/jira/browse/MGPG-106
cstamas authored Mar 4, 2024
1 parent ea35e2c commit 6f50819
Showing 16 changed files with 825 additions and 87 deletions.
5 changes: 5 additions & 0 deletions pgp-keys-map.list
Expand Up @@ -15,8 +15,13 @@
# specific language governing permissions and limitations
# under the License.

com.kohlschutter.junixsocket:junixsocket-common = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
com.kohlschutter.junixsocket:junixsocket-core = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
com.kohlschutter.junixsocket:junixsocket-native-common = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
commons-io:commons-io = 0x2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB
org.apiguardian:apiguardian-api = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
org.bouncycastle:bcpg-jdk18on = 0x7B121B76A7ED6CE6E60AD51784E913A8E3A748C0
org.bouncycastle:bcprov-jdk18on = 0x7B121B76A7ED6CE6E60AD51784E913A8E3A748C0
org.junit.jupiter:junit-jupiter-api = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
org.junit.jupiter:junit-jupiter-params = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
org.junit.platform:junit-platform-commons = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
105 changes: 81 additions & 24 deletions pom.xml
Expand Up @@ -60,9 +60,10 @@ under the License.
</distributionManagement>

<properties>
<javaVersion>8</javaVersion>
<mavenVersion>3.9.6</mavenVersion>
<resolverVersion>1.9.18</resolverVersion>
<javaVersion>8</javaVersion>
<bouncycastleVersion>1.77</bouncycastleVersion>
<project.build.outputTimestamp>2023-05-03T01:33:44Z</project.build.outputTimestamp>
<resource.delimiter>@</resource.delimiter>
</properties>
Expand Down Expand Up @@ -120,6 +121,22 @@ under the License.
<artifactId>plexus-utils</artifactId>
<version>3.5.1</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcpg-jdk18on</artifactId>
<version>${bouncycastleVersion}</version>
</dependency>
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk18on</artifactId>
<version>${bouncycastleVersion}</version>
</dependency>
<dependency>
<groupId>com.kohlschutter.junixsocket</groupId>
<artifactId>junixsocket-core</artifactId>
<version>2.9.0</version>
<type>pom</type>
</dependency>

<dependency>
<groupId>org.junit.jupiter</groupId>
Expand Down Expand Up @@ -179,8 +196,8 @@ under the License.
<artifactId>apache-rat-plugin</artifactId>
<configuration>
<excludes combine.children="append">
<!-- rat check errors seen on ASF Jenkins instance, but not on local machine... -->
<exclude>src/test/resources/gnupg/**</exclude>
<!-- rat is too cheeky, ignore these resources -->
<exclude>src/test/resources/**</exclude>
</excludes>
</configuration>
</plugin>
Expand Down Expand Up @@ -220,6 +237,67 @@ under the License.
<build>
<plugins>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-invoker-plugin</artifactId>
<configuration>
<settingsFile>src/it/settings.xml</settingsFile>
<pomIncludes>
<pomInclude>*</pomInclude>
</pomIncludes>
<pomExcludes>
<!-- not supported with gpg 2.1+ -->
<pomExclude>alternative-secret-keyring</pomExclude>
</pomExcludes>
<goals>
<goal>clean</goal>
<goal>install</goal>
</goals>
<properties>
<gpg.homedir>${project.build.testOutputDirectory}/gnupg</gpg.homedir>
</properties>
</configuration>
<executions>
<execution>
<id>integration-test</id>
<phase>none</phase>
</execution>
<execution>
<id>integration-test-install</id>
<goals>
<goal>install</goal>
</goals>
<phase>integration-test</phase>
</execution>
<execution>
<id>gpg-integration-tests</id>
<goals>
<goal>run</goal>
</goals>
<phase>integration-test</phase>
<configuration>
<properties>
<gpg.signer>gpg</gpg.signer>
</properties>
</configuration>
</execution>
<execution>
<id>bc-integration-tests</id>
<goals>
<goal>run</goal>
</goals>
<phase>integration-test</phase>
<configuration>
<properties>
<gpg.signer>bc</gpg.signer>
<!-- must be absolute -->
<gpg.keyFilePath>${project.basedir}/src/test/resources/signing-key.asc</gpg.keyFilePath>
</properties>
</configuration>
</execution>
</executions>
</plugin>
<plugin>
<!-- this failsafe invocation depends on invoker:install above -->
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-failsafe-plugin</artifactId>
<configuration>
Expand All @@ -243,27 +321,6 @@ under the License.
</execution>
</executions>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-invoker-plugin</artifactId>
<configuration>
<settingsFile>src/it/settings.xml</settingsFile>
<pomIncludes>
<pomInclude>*</pomInclude>
</pomIncludes>
<pomExcludes>
<!-- not supported with gpg 2.1+ -->
<pomExclude>alternative-secret-keyring</pomExclude>
</pomExcludes>
<goals>
<goal>clean</goal>
<goal>install</goal>
</goals>
<properties>
<gpg.homedir>${project.build.testOutputDirectory}/gnupg</gpg.homedir>
</properties>
</configuration>
</plugin>
</plugins>
</build>
</profile>
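Review bot: The two `run` executions `gpg-integration-tests` and `bc-integration-tests` in the `@@ -220,6 +237,67 @@` hunk share the invoker plugin's default output locations, so the second execution presumably overwrites the first one's cloned projects and its `BUILD-*.xml` reports under `target/invoker-reports`, leaving only the bc results available when a gpg IT fails. Each execution should carry its own `<cloneProjectsTo>` and `<reportsDirectory>` inside its `<configuration>`, e.g. `<reportsDirectory>${project.build.directory}/invoker-reports-bc</reportsDirectory>` next to the `gpg.signer` property, with the gpg counterpart in the other execution. The rat hunk widens the exclude from `src/test/resources/gnupg/**` to all of `src/test/resources/**` under the comment `rat is too cheeky`; a comment naming what genuinely cannot carry a license header, e.g. `<!-- keyring and signing-key.asc test fixtures cannot carry license headers -->`, would justify the broader scope for the next reader. The `gpg.keyFilePath` property points at a private key committed as a test fixture, so a comment such as `<!-- test-only key, never used for release signing -->` beside the existing `must be absolute` note would make that intent explicit.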
6 changes: 3 additions & 3 deletions src/it/sign-release-without-passphrase/verify.groovy
Expand Up @@ -28,8 +28,8 @@ if (!logContent.contains("Total time: ") || !logContent.contains("Finished at: "
throw new Exception("Maven build did not fail, but timed out")
}

// assert that the Maven build failed, because pinentry is not allowed in non-interactive mode
if (!logContent.contains("[GNUPG:] FAILURE sign 67108949")) {
// gpg: assert that the Maven build failed, because pinentry is not allowed in non-interactive mode
// bc: assert that the Maven build failed, because key to sign is encrypted by no passphrase provided
if (!logContent.contains("[GNUPG:] FAILURE sign 67108949") && !logContent.contains("Secret key is encrypted but no passphrase provided")) {
throw new Exception("Maven build did not fail in consequence of pinentry not being available to GPG")
}
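Review bot: The exception message thrown right after the new condition still reads `pinentry not being available to GPG`, but the condition now also accepts the bc signer's `Secret key is encrypted but no passphrase provided` failure, so a bc run that fails for an unrelated reason reports a misleading GPG/pinentry cause. A signer-neutral message, `throw new Exception("Maven build did not fail because no passphrase was available (gpg pinentry / bc encrypted key)")`, fits both branches, assuming that line is unchanged context. The new bc comment also says `encrypted by no passphrase provided`; `encrypted but no passphrase provided` matches the string the check actually asserts. The `if` closed at the top of the hunk starts outside it.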
