Draft: Adjust signing logic (#29)
* Add logic for code quality checks

* Apply auto-formatting

This commit does not introduce any semantic changes in the code,
it is only the result of applying the Palantir Java style.

* Remove logic unrelated to style-checks

* Add logic for code quality checks

* Integrate additional code quality checks

* Version bump

* Integrate Jacoco into SonarCloud's analysis

* Activate dependency monitor provided by Github

* build(deps): bump maven-surefire-plugin from 2.22.0 to 2.22.2

Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 2.22.0 to 2.22.2.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](apache/maven-surefire@surefire-2.22.0...surefire-2.22.2)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-jar-plugin from 3.2.2 to 3.3.0

Bumps [maven-jar-plugin](https://github.com/apache/maven-jar-plugin) from 3.2.2 to 3.3.0.
- [Release notes](https://github.com/apache/maven-jar-plugin/releases)
- [Commits](apache/maven-jar-plugin@maven-jar-plugin-3.2.2...maven-jar-plugin-3.3.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-jar-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-dependency-plugin from 3.3.0 to 3.5.0

Bumps [maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.3.0 to 3.5.0.
- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
- [Commits](apache/maven-dependency-plugin@maven-dependency-plugin-3.3.0...maven-dependency-plugin-3.5.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-javadoc-plugin from 3.3.1 to 3.4.1

Bumps [maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.3.1 to 3.4.1.
- [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
- [Commits](apache/maven-javadoc-plugin@maven-javadoc-plugin-3.3.1...maven-javadoc-plugin-3.4.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump slf4j-simple from 1.7.36 to 2.0.6

Bumps [slf4j-simple](https://github.com/qos-ch/slf4j) from 1.7.36 to 2.0.6.
- [Release notes](https://github.com/qos-ch/slf4j/releases)
- [Commits](qos-ch/slf4j@v_1.7.36...v_2.0.6)

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-simple
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add GUI for interactive signing

* Complete GUI for the sign process

* Adjust GUI script, skeleton of build logic

* Separate SonarCloud analysis from OWASP dependency checker

* Address CVE-2021-26291

jacoco-maven-plugin has some dependencies of its own; we override one
of them

* Integrate sign logic into CI

* Adjust sign logic

* Take path to signature file as command line arg

* Adjust CI to also build sources jar

* Invoke signer for the sources jar as well

* Build and sign the javadoc jar too

* Compute hashes of files to be signed, for subsequent uploading to Maven

* Add workflow for publishing to Nexus as a snapshot

* Fix file name in CI job

* Include SHA1 in the produced hashes, Maven Central requires them

* Upload to Maven + prettify CI run commands

* Dance around SignClient's current working dir limitations

* Pass all generated files in target/ between jobs

Otherwise mvn jar:jar in the next job will produce an empty jar

* Preserve artifacts at the very end of the process

Signatures, hashes and the jars themselves

* Bump version to 2.2.3

To test if this will take and upload the signatures

* Update POM details to meet Maven Central requirements

* Copy pom.xml to the target directory and sign it too

* Add maven-gpg-plugin + dummy gpg wrapper

We sign it with SignClient, so we don't need the GPG-related logic, but
it seems that unless this plugin is included, signatures are not even
checked for.

* Adjust pom.xml signing logic + gpg dummy wrapper logic

* Make the dummy GPG wrapper behave more like the real GPG

* Copy all the jars and sigs to nexus' staging directory before staging

* Recreate the nexus staging directory

This is needed when dealing with a freshly checked-out repo

* Build sources and javadoc at the same time you do the packaging

* Build and sign on the same machine

* Try to build and sign twice, let the first operation fail

* Use alternative approach, by pretending we're GPG

* Update Python GPG wrapper

The original Powershell wrapper cannot be invoked as a standalone
executable (akin to having an executable script on *nix). This is
a workaround.

* Use ECDSA instead of RSA, apply client authentication

* Use the signrequest feature of SignServer

* Use smart card pkcs11 authentication for signing

* Provide key alias to signClient, load it from config

* Adjust GUI, change labels, text size, widget order

Just some cosmetic changes

* Improve logging when invoking signclient

* Interrupt entire signature process when a single failure occurs

* Transmit key alias in quotes, and escape them

Otherwise, if the key alias contains spaces, the process will fail

* Use a RichText widget for rendering the paths

The file names will be bold, to make them stand out

* Use a BAT file wrapper instead of Python

This is a much better way to wrap gpg-wrap.ps1, since there is no
dependency on Python or the need to run a binary compiled by nuitka
or something like it.

* Remove cruft, update comments

* Remove cruft from Github action, trigger build/sign on release

* Suppress a false positive detection of CVE-2022-45688 + cleanup

* Do not invoke GPG signatures in jobs where it doesn't matter

* Remove unused sign-gui script for single files

* Adjust path when executing signclient, delete obsolete GUI script

* Adjust command line for invoking signclient

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
ralienpp and dependabot[bot] authored Apr 13, 2023
1 parent 8e07913 commit 198bdf5
Showing 1 changed file with 3 additions and 2 deletions.
5 changes: 3 additions & 2 deletions scripts/sign-gui.ps1
@@ -287,15 +287,16 @@ function InvokeSignClient($srcPath, $dstPath, $logPath) {
$port = $urlParts[1]

# Here we form the command line that will be invoked, note that relative paths will be made absolute
$command = './signclient.cmd'
$command = 'signclient.cmd'
$arguments = "signdocument -signrequest -workername $($CONFIG.signServerWorker) -infile $srcPath -outfile $dstPath -host $hostName -port $port -truststore $($CONFIG.trustStorePathServer) -truststorepwd $($CONFIG.trustStorePathServerPassword) -keystoretype PKCS11_CONFIG -keystore $($CONFIG.pkcs11settings) -keystorepwd $($PasswordValue.Text) -keyalias `"$($CONFIG.pkcs11KeyAlias)`" -clientside -digestalgorithm SHA512 -filetype PGP -extraoption DETACHED_SIGNATURE=TRUE -extraoption KEY_ALGORITHM=ECDSA -extraoption KEY_ID=$($CONFIG.signServerKeyId)"

# uncomment the two lines below to simulate a successful signature
# $command = 'ping'
# $arguments = '8.8.8.8'
# WATCH OUT: here we change the directory to the place where signclient is located, because it does not work
# otherwise. We set it back later, so the calling logic doesn't need to know about it.
$process = Start-Process $command -ArgumentList $arguments -NoNewWindow -Wait -PassThru -RedirectStandardOutput $logPath -WorkingDirectory $CONFIG.signClientPath
$process = Start-Process $command -ArgumentList $arguments -NoNewWindow -Wait -PassThru -RedirectStandardOutput $logPath -WorkingDirectory $($CONFIG.signClientPath)


# log complete command to the log file, to ease troubleshooting
"`n`n`nThe executed command was: $command $arguments" | Out-File -FilePath $logPath -Append -encoding UTF8
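Review bot: the `$arguments =` line in this hunk embeds the smart card PIN (`-keystorepwd $($PasswordValue.Text)`) and the truststore password (`-truststorepwd $($CONFIG.trustStorePathServerPassword)`) in the command line, and the final `Out-File` line then appends "The executed command was: $command $arguments" verbatim to `$logPath`, so every signing run writes both secrets in plaintext into the log file (they are also readable by anyone who can list process command lines while signclient is running). At minimum redact them before logging, e.g. `$logged = $arguments -replace '-keystorepwd \S+', '-keystorepwd ***' -replace '-truststorepwd \S+', '-truststorepwd ***'` and log `$logged` instead; ideally check whether signclient can take the keystore password from a prompt or the environment rather than an argument. Two smaller points in the same hunk: replacing `./signclient.cmd` with the bare `signclient.cmd` makes the executable lookup depend on the caller's current directory and PATH, because Start-Process with -NoNewWindow (UseShellExecute=false) does not use -WorkingDirectory to locate the executable, so `Join-Path $CONFIG.signClientPath 'signclient.cmd'` would both fix the "does not work otherwise" problem deterministically and rule out running a different signclient.cmd found on PATH; and the `# WATCH OUT:` comment still describes changing directory and setting it back later, which no longer matches the -WorkingDirectory approach. Also note that `$srcPath`, `$dstPath` and `$logPath` are not quoted in the argument string, so paths containing spaces will break the same way the key alias did before it was quoted, and the `$($CONFIG.signClientPath)` wrapping on the new Start-Process line is equivalent to the plain `$CONFIG.signClientPath` it replaces.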
