Use same credentials for MAC based protection at Downstream

• If outgoing message is configured to be reprotected, any configuration of outgoing credentials is ignored and the verification credentials are used instead.

4.1.4

fix protection of NESTED responses

v4.1.3

• Implement JSON/YAML message dumper
• Fix nested messages
• Update dependencies

v4.1.2

• Added detailed logging facilities to know which configuration the CmpRaComponent was initialized with
• Bumped up dependencies

v4.1.0

• Add revocation checking via inventory interface.
• Fix extension processing in CMP client
• Use newer versions of dependencies

v4.0.0

Add possibility to replace the recipient in the CMP header for outgoing messages sent by the RA

v3.0.1

Merge pull request #62 from siemens/license-check

Draft: Add tools for checking and enforcing license compliance

v2.6.6

Add test credential generation, fix key usage in test credentials
Update dependencies

v2.6.5

Maintenance release with updated dependencies. This is the first version to be published on Maven Central.

Test Release

Draft: Adjust signing logic (#29)

* Add logic for code quality checks

* Apply auto-formatting

This commit does not introduce any semantic changes in the code,
it is only the result of applying the Palantir Java style.

* Remove logic unrelated to style-checks

* Add logic for code quality checks

* Integrate additional code quality checks

* Version bump

* Integrate Jacoco into SonarCloud's analysis

* Activate dependancy monitor provided by Github

* build(deps): bump maven-surefire-plugin from 2.22.0 to 2.22.2

Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 2.22.0 to 2.22.2.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](https://github.com/apache/maven-surefire/compare/surefire-2.22.0...surefire-2.22.2)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-jar-plugin from 3.2.2 to 3.3.0

Bumps [maven-jar-plugin](https://github.com/apache/maven-jar-plugin) from 3.2.2 to 3.3.0.
- [Release notes](https://github.com/apache/maven-jar-plugin/releases)
- [Commits](https://github.com/apache/maven-jar-plugin/compare/maven-jar-plugin-3.2.2...maven-jar-plugin-3.3.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-jar-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-dependency-plugin from 3.3.0 to 3.5.0

Bumps [maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.3.0 to 3.5.0.
- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
- [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.3.0...maven-dependency-plugin-3.5.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-javadoc-plugin from 3.3.1 to 3.4.1

Bumps [maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.3.1 to 3.4.1.
- [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
- [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.3.1...maven-javadoc-plugin-3.4.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump slf4j-simple from 1.7.36 to 2.0.6

Bumps [slf4j-simple](https://github.com/qos-ch/slf4j) from 1.7.36 to 2.0.6.
- [Release notes](https://github.com/qos-ch/slf4j/releases)
- [Commits](https://github.com/qos-ch/slf4j/compare/v_1.7.36...v_2.0.6)

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-simple
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add GUI for interactive signing

* Complete GUI for the sign process

* Adjust GUI script, skeleton of build logic

* Separate SonarCloud analysis from OWASP dependency checker

* Address CVE-2021-26291

jacoco-maven-plugin has some dependencies of its own, we override one
of them

* Integrate sign logic into CI

* Adjust sign logic

* Take path to signature file as command line arg

* Adjust CI to also build sources jar

* Invoke signer for the sources jar as well

* Build and sign the javadoc jar too

* Compute hashes of files to be signed, for subsequent uploading to Maven

* Add workflow for publishing to Nexus as a snapshot

* Fix file name in CI job

* Include SHA1 in the produced hashes, Maven Central requires them

* Upload to Maven + prettify CI run commands

* Dance around SignClient's current working dir limitations

* Pass all generated files in target/ between jobs

Otherwise mvn jar:jar in the next job will produce an empty jar

* Preserve artifacts at the very end of the process

Signatures, hashes and the jars themselves

* Bump version to 2.2.3

To test if this will take and upload the signatures

* Update POM details to meet Maven Central requirements

* Copy pom.xml to the target directory and sign it too

* Add maven-gpg-plugin + dummy gpg wrapper

We sign it with SignClient, so we don't need the GPG-related logic, but
it seems that unless this plugin is included, signatures are not even
checked for.

* Adjust pom.xml signing logic + gpg dummy wrapper logic

* Make the dummy GPG wrapper behave more like the real GPG

* Copy all the jars and sigs to nexus' staging directory before staging

* Recreate the nexus staging directory

This is needed when dealing with a freshly checked-out repo

* Build sources and javadoc at the same time you do the packaging

* Build and sign on the same machine

* Try to build and sign twice, let the first operation fail

* Use alterantive approach, by pretending we're GPG

* Update Python GPG wrapper

The original Powershell wrapper cannot be invoked as a standalone
executable (akin to having an executable script on *nix). This is
a workaround.

* Use ECDSA instead of RSA, apply client authentication

* Use the signrequest feature of SignServer

* Use smart card pkcs11 authentication for signing

* Provide key alias to signClient, load it from config

* Adjust GUI, change labels, text size, widget order

Just some cosmetic changes

* Improve logging when invoking signclient

* Interrupt entire signature process when a single failure occurs

* Transmit key alias in quotes, and escape them

Otherwise, if the key alias contains spaces, the process will fail

* Use a RichText widget for rendering the paths

The file names will be bold, to make them stand out

* Use a BAT file wrapper instead of Python

This is a much better way to wrap gpg-wrap.ps1, since there is no
dependency on Python or the need to run a binary compiled by nuitka
or something like it.

* Remove cruft, update comments

* Remove cruft from Github action, trigger build/sign on release

* Suppress a false positive detection of CVE-2022-45688 + cleanup

* Do not invoke GPG signatures in jobs where it doesn't matter

* Remove unused sign-gui script for single files

* Adjust path when executing signclient, delete obsolete GUI script

* Adjust command line for invoking signclient

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>