Extract load PGPSignature utility. Fix close.

src/main/java/org/simplify4u/plugins/PGPVerifyMojo.java

@@ -21,7 +21,6 @@
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.util.Arrays;
 import java.util.LinkedList;
 import java.util.List;
@@ -48,13 +47,9 @@
 import org.apache.maven.settings.Proxy;
 import org.apache.maven.settings.Settings;
 import org.bouncycastle.openpgp.PGPException;
-import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPPublicKey;
 import org.bouncycastle.openpgp.PGPPublicKeyRing;
 import org.bouncycastle.openpgp.PGPSignature;
-import org.bouncycastle.openpgp.PGPSignatureList;
-import org.bouncycastle.openpgp.PGPUtil;
-import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
 import org.codehaus.plexus.resource.loader.ResourceNotFoundException;
 import org.simplify4u.plugins.ArtifactResolver.Configuration;
@@ -441,13 +436,10 @@ private boolean verifyPGPSignature(Artifact artifact, Artifact ascArtifact) thro
         getLog().debug("Artifact sign: " + signatureFile);
 
         try {
-            InputStream sigInputStream = PGPUtil.getDecoderStream(new FileInputStream(signatureFile));
-            PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
-            PGPSignatureList sigList = (PGPSignatureList) pgpObjectFactory.nextObject();
-            if (sigList == null) {
-                throw new MojoFailureException("Invalid signature file: " + signatureFile);
+            final PGPSignature pgpSignature;
+            try (FileInputStream input = new FileInputStream(signatureFile)) {
+                pgpSignature = PGPSignatureUtils.loadSignature(input);
             }
-            PGPSignature pgpSignature = sigList.get(0);
 
             if (weakSignatures.containsKey(pgpSignature.getHashAlgorithm())) {
                 final String logMessageWeakSignature = "Weak signature algorithm used: "

src/main/java/org/simplify4u/plugins/utils/PGPSignatureUtils.java

@@ -18,13 +18,18 @@
 
 package org.simplify4u.plugins.utils;
 
+import org.bouncycastle.openpgp.PGPObjectFactory;
 import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
 
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.ProtocolException;
 
 /**
  * Utilities for PGP Signature class.
@@ -35,6 +40,20 @@ private PGPSignatureUtils() {
         // No need to instantiate utility class.
     }
 
+    public static PGPSignature loadSignature(InputStream input) throws IOException {
+        InputStream sigInputStream = PGPUtil.getDecoderStream(input);
+        PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
+        Object object = pgpObjectFactory.nextObject();
+        if (!(object instanceof PGPSignatureList)) {
+            throw new ProtocolException("File content is not a PGP signature.");
+        }
+        PGPSignatureList siglist = (PGPSignatureList) object;
+        if (siglist.isEmpty()) {
+            throw new ProtocolException("PGP signature list is empty.");
+        }
+        return siglist.get(0);
+    }
+
     /**
      * Read the content of a file into the PGP signature instance (for verification).
      *

src/test/java/org/simplify4u/plugins/utils/PGPSignatureUtilsTest.java

@@ -0,0 +1,34 @@
+package org.simplify4u.plugins.utils;
+
+import org.bouncycastle.openpgp.PGPSignature;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.net.ProtocolException;
+
+import static org.testng.Assert.assertEquals;
+
+public class PGPSignatureUtilsTest {
+
+    @Test(expectedExceptions = NullPointerException.class)
+    public void testLoadSignatureNull() throws IOException {
+        PGPSignatureUtils.loadSignature(null);
+    }
+
+    @Test(expectedExceptions = ProtocolException.class)
+    public void testLoadSignatureNoContent() throws IOException {
+        PGPSignatureUtils.loadSignature(getClass().getResourceAsStream("/empty.asc"));
+    }
+
+    @Test(expectedExceptions = ProtocolException.class)
+    public void testLoadSignatureContentNotSignature() throws IOException {
+        PGPSignatureUtils.loadSignature(getClass().getResourceAsStream("/3D8B00E198E21827.asc"));
+    }
+
+    @Test
+    public void testLoadSignatureContentIsSignature() throws IOException {
+        PGPSignature signature = PGPSignatureUtils.loadSignature(
+                getClass().getResourceAsStream("/helloworld-1.0.jar.asc"));
+        assertEquals(signature.getKeyID(), 0x9F1A263E15FD0AC9L);
+    }
+}

src/test/resources/helloworld-1.0.jar.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEERmWD+UgOviRixGswnxomPhX9CskFAl6+yzwACgkQnxomPhX9
+CslwWAf+IsAeoaZC0yo38k1PZ58IAeHQP9iavrfZ4LMCMxFacXmBGZF4SVniBmZ3
+o7gaQpp+EYi7LikfBDphX0iNchSn/7jGlDq8eK12JCeoyD7s0rYAYu94itQSPuvE
+MZWDD//C0pGNSoK14EZB4TdzE2Ey87+lXqBd2NKNdmSTntL+ijyOPZRMTsLs7o6F
+cEwRJQ1T2i26/uC2dpiQ4qelk/bo0eZM/BjJp6DZqjmh4CZDaY/vMTxrM5v7LNVE
+4ChAcuu3V8oiNMgWicXFRGHNqyEMrJUM6f7yx325si7ziH3l/CL1iGymVt1DdLzq
+3R/QK/dX6YGYEUjJJbxWmx7DTc3HDA==
+=DNhd
+-----END PGP SIGNATURE-----