[MGPG-106] Introduce new signer: BC (#72)

This introduces new pure Java signer BC backed one. Currently two signers supported: "gpg" (uses external executable, as before), and "bc" (uses pure Java Bouncy Castle backed signer).

All the ITs (invoker and surefire) are _reused_ and now run twice, once with "gpg" and once with "bc". One IT needed adjustment, as BC does not emit error about "pinentry".

---

https://issues.apache.org/jira/browse/MGPG-106

pgp-keys-map.list

@@ -15,8 +15,13 @@
 # specific language governing permissions and limitations
 # under the License.
 
+com.kohlschutter.junixsocket:junixsocket-common = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
+com.kohlschutter.junixsocket:junixsocket-core = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
+com.kohlschutter.junixsocket:junixsocket-native-common = 0xB5C082F1158B8C92AE3E5E1C29B8FEA02804261C
 commons-io:commons-io = 0x2DB4F1EF0FA761ECC4EA935C86FDC7E2A11262CB
 org.apiguardian:apiguardian-api = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
+org.bouncycastle:bcpg-jdk18on = 0x7B121B76A7ED6CE6E60AD51784E913A8E3A748C0
+org.bouncycastle:bcprov-jdk18on = 0x7B121B76A7ED6CE6E60AD51784E913A8E3A748C0
 org.junit.jupiter:junit-jupiter-api = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
 org.junit.jupiter:junit-jupiter-params = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51
 org.junit.platform:junit-platform-commons = 0xFF6E2C001948C5F2F38B0CC385911F425EC61B51

pom.xml

@@ -60,9 +60,10 @@ under the License.
   </distributionManagement>
 
   <properties>
+    <javaVersion>8</javaVersion>
     <mavenVersion>3.9.6</mavenVersion>
     <resolverVersion>1.9.18</resolverVersion>
-    <javaVersion>8</javaVersion>
+    <bouncycastleVersion>1.77</bouncycastleVersion>
     <project.build.outputTimestamp>2023-05-03T01:33:44Z</project.build.outputTimestamp>
     <resource.delimiter>@</resource.delimiter>
   </properties>
@@ -120,6 +121,22 @@ under the License.
       <artifactId>plexus-utils</artifactId>
       <version>3.5.1</version>
     </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpg-jdk18on</artifactId>
+      <version>${bouncycastleVersion}</version>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+      <version>${bouncycastleVersion}</version>
+    </dependency>
+    <dependency>
+      <groupId>com.kohlschutter.junixsocket</groupId>
+      <artifactId>junixsocket-core</artifactId>
+      <version>2.9.0</version>
+      <type>pom</type>
+    </dependency>
 
     <dependency>
       <groupId>org.junit.jupiter</groupId>
@@ -179,8 +196,8 @@ under the License.
           <artifactId>apache-rat-plugin</artifactId>
           <configuration>
             <excludes combine.children="append">
-              <!-- rat check errors seen on ASF Jenkins instance, but not on local machine... -->
-              <exclude>src/test/resources/gnupg/**</exclude>
+              <!-- rat is too cheeky, ignore these resources -->
+              <exclude>src/test/resources/**</exclude>
             </excludes>
           </configuration>
         </plugin>
@@ -220,6 +237,67 @@ under the License.
       <build>
         <plugins>
           <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-invoker-plugin</artifactId>
+            <configuration>
+              <settingsFile>src/it/settings.xml</settingsFile>
+              <pomIncludes>
+                <pomInclude>*</pomInclude>
+              </pomIncludes>
+              <pomExcludes>
+                <!-- not supported with gpg 2.1+ -->
+                <pomExclude>alternative-secret-keyring</pomExclude>
+              </pomExcludes>
+              <goals>
+                <goal>clean</goal>
+                <goal>install</goal>
+              </goals>
+              <properties>
+                <gpg.homedir>${project.build.testOutputDirectory}/gnupg</gpg.homedir>
+              </properties>
+            </configuration>
+            <executions>
+              <execution>
+                <id>integration-test</id>
+                <phase>none</phase>
+              </execution>
+              <execution>
+                <id>integration-test-install</id>
+                <goals>
+                  <goal>install</goal>
+                </goals>
+                <phase>integration-test</phase>
+              </execution>
+              <execution>
+                <id>gpg-integration-tests</id>
+                <goals>
+                  <goal>run</goal>
+                </goals>
+                <phase>integration-test</phase>
+                <configuration>
+                  <properties>
+                    <gpg.signer>gpg</gpg.signer>
+                  </properties>
+                </configuration>
+              </execution>
+              <execution>
+                <id>bc-integration-tests</id>
+                <goals>
+                  <goal>run</goal>
+                </goals>
+                <phase>integration-test</phase>
+                <configuration>
+                  <properties>
+                    <gpg.signer>bc</gpg.signer>
+                    <!-- must be absolute -->
+                    <gpg.keyFilePath>${project.basedir}/src/test/resources/signing-key.asc</gpg.keyFilePath>
+                  </properties>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+          <plugin>
+            <!-- this failsafe invocation depends on invoker:install above -->
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-failsafe-plugin</artifactId>
             <configuration>
@@ -243,27 +321,6 @@ under the License.
               </execution>
             </executions>
           </plugin>
-          <plugin>
-            <groupId>org.apache.maven.plugins</groupId>
-            <artifactId>maven-invoker-plugin</artifactId>
-            <configuration>
-              <settingsFile>src/it/settings.xml</settingsFile>
-              <pomIncludes>
-                <pomInclude>*</pomInclude>
-              </pomIncludes>
-              <pomExcludes>
-                <!-- not supported with gpg 2.1+ -->
-                <pomExclude>alternative-secret-keyring</pomExclude>
-              </pomExcludes>
-              <goals>
-                <goal>clean</goal>
-                <goal>install</goal>
-              </goals>
-              <properties>
-                <gpg.homedir>${project.build.testOutputDirectory}/gnupg</gpg.homedir>
-              </properties>
-            </configuration>
-          </plugin>
         </plugins>
       </build>
     </profile>

src/it/sign-release-without-passphrase/verify.groovy

@@ -28,8 +28,8 @@ if (!logContent.contains("Total time: ") || !logContent.contains("Finished at: "
     throw new Exception("Maven build did not fail, but timed out")
 }
 
-// assert that the Maven build failed, because pinentry is not allowed in non-interactive mode
-if (!logContent.contains("[GNUPG:] FAILURE sign 67108949")) {
+// gpg: assert that the Maven build failed, because pinentry is not allowed in non-interactive mode
+// bc: assert that the Maven build failed, because key to sign is encrypted by no passphrase provided
+if (!logContent.contains("[GNUPG:] FAILURE sign 67108949") && !logContent.contains("Secret key is encrypted but no passphrase provided")) {
     throw new Exception("Maven build did not fail in consequence of pinentry not being available to GPG")
 }
-