Test Release
Pre-release
Draft: Adjust signing logic (#29)

* Add logic for code quality checks
* Apply auto-formatting

  This commit does not introduce any semantic changes in the code, it is only the result of applying the Palantir Java style.

* Remove logic unrelated to style-checks
* Add logic for code quality checks
* Integrate additional code quality checks
* Version bump
* Integrate Jacoco into SonarCloud's analysis
* Activate dependency monitor provided by GitHub
* build(deps): bump maven-surefire-plugin from 2.22.0 to 2.22.2

  Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 2.22.0 to 2.22.2.
  - [Release notes](https://github.com/apache/maven-surefire/releases)
  - [Commits](https://github.com/apache/maven-surefire/compare/surefire-2.22.0...surefire-2.22.2)

  ---
  updated-dependencies:
  - dependency-name: org.apache.maven.plugins:maven-surefire-plugin
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-jar-plugin from 3.2.2 to 3.3.0

  Bumps [maven-jar-plugin](https://github.com/apache/maven-jar-plugin) from 3.2.2 to 3.3.0.
  - [Release notes](https://github.com/apache/maven-jar-plugin/releases)
  - [Commits](https://github.com/apache/maven-jar-plugin/compare/maven-jar-plugin-3.2.2...maven-jar-plugin-3.3.0)

  ---
  updated-dependencies:
  - dependency-name: org.apache.maven.plugins:maven-jar-plugin
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-dependency-plugin from 3.3.0 to 3.5.0

  Bumps [maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.3.0 to 3.5.0.
  - [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
  - [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.3.0...maven-dependency-plugin-3.5.0)

  ---
  updated-dependencies:
  - dependency-name: org.apache.maven.plugins:maven-dependency-plugin
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-javadoc-plugin from 3.3.1 to 3.4.1

  Bumps [maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.3.1 to 3.4.1.
  - [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
  - [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.3.1...maven-javadoc-plugin-3.4.1)

  ---
  updated-dependencies:
  - dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump slf4j-simple from 1.7.36 to 2.0.6

  Bumps [slf4j-simple](https://github.com/qos-ch/slf4j) from 1.7.36 to 2.0.6.
  - [Release notes](https://github.com/qos-ch/slf4j/releases)
  - [Commits](https://github.com/qos-ch/slf4j/compare/v_1.7.36...v_2.0.6)

  ---
  updated-dependencies:
  - dependency-name: org.slf4j:slf4j-simple
    dependency-type: direct:production
    update-type: version-update:semver-major
  ...

  Signed-off-by: dependabot[bot] <[email protected]>

* Add GUI for interactive signing
* Complete GUI for the sign process
* Adjust GUI script, skeleton of build logic
* Separate SonarCloud analysis from OWASP dependency checker
* Address CVE-2021-26291

  jacoco-maven-plugin has some dependencies of its own, we override one of them

* Integrate sign logic into CI
* Adjust sign logic
* Take path to signature file as command line arg
* Adjust CI to also build sources jar
* Invoke signer for the sources jar as well
* Build and sign the javadoc jar too
* Compute hashes of files to be signed, for subsequent uploading to Maven
* Add workflow for publishing to Nexus as a snapshot
* Fix file name in CI job
* Include SHA1 in the produced hashes, Maven Central requires them
* Upload to Maven + prettify CI run commands
* Dance around SignClient's current working dir limitations
* Pass all generated files in target/ between jobs

  Otherwise mvn jar:jar in the next job will produce an empty jar

* Preserve artifacts at the very end of the process

  Signatures, hashes and the jars themselves

* Bump version to 2.2.3

  To test if this will take and upload the signatures

* Update POM details to meet Maven Central requirements
* Copy pom.xml to the target directory and sign it too
* Add maven-gpg-plugin + dummy gpg wrapper

  We sign it with SignClient, so we don't need the GPG-related logic, but it seems that unless this plugin is included, signatures are not even checked for.

* Adjust pom.xml signing logic + gpg dummy wrapper logic
* Make the dummy GPG wrapper behave more like the real GPG
* Copy all the jars and sigs to nexus' staging directory before staging
* Recreate the nexus staging directory

  This is needed when dealing with a freshly checked-out repo

* Build sources and javadoc at the same time you do the packaging
* Build and sign on the same machine
* Try to build and sign twice, let the first operation fail
* Use alternative approach, by pretending we're GPG
* Update Python GPG wrapper

  The original PowerShell wrapper cannot be invoked as a standalone executable (akin to having an executable script on *nix). This is a workaround.

* Use ECDSA instead of RSA, apply client authentication
* Use the signrequest feature of SignServer
* Use smart card pkcs11 authentication for signing
* Provide key alias to signClient, load it from config
* Adjust GUI, change labels, text size, widget order

  Just some cosmetic changes

* Improve logging when invoking signclient
* Interrupt entire signature process when a single failure occurs
* Transmit key alias in quotes, and escape them

  Otherwise, if the key alias contains spaces, the process will fail

* Use a RichText widget for rendering the paths

  The file names will be bold, to make them stand out

* Use a BAT file wrapper instead of Python

  This is a much better way to wrap gpg-wrap.ps1, since there is no dependency on Python or the need to run a binary compiled by nuitka or something like it.

* Remove cruft, update comments
* Remove cruft from GitHub action, trigger build/sign on release
* Suppress a false positive detection of CVE-2022-45688 + cleanup
* Do not invoke GPG signatures in jobs where it doesn't matter
* Remove unused sign-gui script for single files
* Adjust path when executing signclient, delete obsolete GUI script
* Adjust command line for invoking signclient

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>