
Merge pull request #776 from sigstore/add-pgp-to-examples
add pgp signing to examples
loosebazooka authored Aug 15, 2024
2 parents b516ebc + 1b88424 commit a8c1fc3
Showing 9 changed files with 127 additions and 22 deletions.
27 changes: 8 additions & 19 deletions .github/workflows/examples.yaml
Expand Up @@ -34,28 +34,17 @@ jobs:

- name: run examples against released sigstore
working-directory: examples/hello-world
run: |
set -Eexo pipefail
./gradlew clean publishMavenPublicationToExamplesRepository
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
mvn clean deploy --no-transfer-progress
test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
run: ./test.sh

- name: install sigstore java development jars into mavenLocal
run: ./gradlew publishToMavenLocal -Prelease -PskipSigning

- name: calculate development version
id: dev_version
run: |
set -Exeo pipefail
echo "version=$(grep "^version=" gradle.properties | cut -d'=' -f2)" >> $GITHUB_OUTPUT
- name: run examples against development version
working-directory: examples/hello-world
run: |
set -Eexo pipefail
version="$(grep "^version=" ../../gradle.properties | cut -d'=' -f2)"
./gradlew clean publishMavenPublicationToExamplesRepository -Dsigstore.version=$version
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
mvn clean deploy -Dsigstore.version=$version --no-transfer-progress
test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
run: ./test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }}
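Review bot: The new `run: ./test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }}` splices a step output directly into shell text. The value is read from `gradle.properties` in the checked-out tree rather than from an event payload, so it is not attacker-controlled in the usual sense, but the standard hardening advice for Actions is to route expression values through `env:` so the shell never parses them: `env: SIGSTORE_VERSION: ${{ steps.dev_version.outputs.version }}` on the step, then `run: ./test.sh -Dsigstore.version="$SIGSTORE_VERSION"`. The `calculate development version` step's `grep | cut` under `pipefail` will fail the job when `gradle.properties` has no `version=` line, which is the right outcome; a one-line comment stating that this is intentional would stop a later editor from "fixing" it. The `jobs:`/steps list enclosing these hunks starts outside the visible lines.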
14 changes: 11 additions & 3 deletions examples/hello-world/README.md
Expand Up @@ -2,20 +2,28 @@

Simple sigstore signing examples

These examples sign with sigstore (and PGP as required by Maven Central)

## gradle

```
$ export ORG_GRADLE_PROJECT_signingKey=$(cat ../pgp/private.key)
$ export ORG_GRADLE_PROJECT_signingPassword=pass123
$ ./gradlew clean publishMavenPublicationToExamplesRepository
$ ls build/example-repo/com/example/hello-world/1.0.0/*.sigstore.json
hellow-world-1.0.0.jar.sigstore.json
hellow-world-1.0.0.modules.sigstore.json
hellow-world-1.0.0.pom.sigstore.json
hello-world-1.0.0.jar.sigstore.json
hello-world-1.0.0.modules.sigstore.json
hello-world-1.0.0.pom.sigstore.json
```

## maven

```
$ export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
$ export MAVEN_GPG_PASSPHRASE=pass123
$ mvn clean deploy
$ ls target/example-repo/com/example/hello-world/1.0.0/*.sigstore.json
11 changes: 11 additions & 0 deletions examples/hello-world/build.gradle.kts
Expand Up @@ -3,6 +3,7 @@ plugins {
`maven-publish`
val sigstoreVersion = System.getProperty("sigstore.version") ?: "0.11.0"
id("dev.sigstore.sign") version "$sigstoreVersion"
signing
}

version = "1.0.0"
Expand All @@ -27,3 +28,13 @@ publishing {
}
}
}

// sigstore signing doesn't require additional setup in build.gradle.kts

// PGP signing setup for the purposes of this example.
signing {
val signingKey: String? by project
val signingPassword: String? by project
useInMemoryPgpKeys(signingKey, signingPassword)
sign(publishing.publications["maven"])
}
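Review bot: The `signing {}` block appended at the end of the file hands `useInMemoryPgpKeys(signingKey, signingPassword)` whatever the `signingKey`/`signingPassword` project properties hold, and nothing there says both are mandatory or what form they take. If either is absent the signing plugin has no signatory and, with its default `required` setting, the publish is expected to fail with a message that does not mention these property names — worth confirming, because the comment just above says sigstore needs no extra setup and a reader may assume the same here. I would add above the `useInMemoryPgpKeys` line: `// Both properties are mandatory: pass them as ORG_GRADLE_PROJECT_signingKey / ORG_GRADLE_PROJECT_signingPassword (see README); signingKey is the ASCII-armored private key itself, not a path.` The `publishing {}` block preceding this hunk starts outside the visible lines.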
21 changes: 21 additions & 0 deletions examples/hello-world/pom.xml
Expand Up @@ -25,6 +25,7 @@
<artifactId>maven-compiler-plugin</artifactId>
<version>3.13.0</version>
</plugin>
<!-- sigstore signing config -->
<plugin>
<groupId>dev.sigstore</groupId>
<artifactId>sigstore-maven-plugin</artifactId>
Expand All @@ -35,6 +36,26 @@
<goals>
<goal>sign</goal>
</goals>
<!-- no config, sign using browser or CI credentials -->
</execution>
</executions>
</plugin>
<!-- pgp signing config -->
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-gpg-plugin</artifactId>
<version>3.2.5</version>
<executions>
<execution>
<id>sign</id>
<phase>verify</phase>
<goals>
<goal>sign</goal>
</goals>
<configuration>
<!-- read key and passphrase from env -->
<signer>bc</signer>
</configuration>
</execution>
</executions>
</plugin>
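Review bot: The new `maven-gpg-plugin` execution binds to `verify`, the same phase as the sigstore execution above it, so Maven runs them in POM order and the GPG signer sees every artifact attached by then — presumably including the `.sigstore.json` bundles, unless the plugin excludes them. test.sh's last two checks are meant to catch exactly that double signing, but whether it is prevented depends on maven-gpg-plugin 3.2.5's default `excludes` covering `*.sigstore.json`; I believe recent 3.2.x releases do, but the POM should not lean on an unstated default. I would add to the execution: `<!-- must run after the sigstore execution (same phase, POM order); relies on the plugin's default excludes skipping *.sigstore.json bundles -->`, or make the exclusion explicit with `<excludes>`, remembering that an explicit list replaces the defaults so `**/*.asc` and the checksum patterns have to be listed as well. The `<plugins>`/`<build>` elements enclosing these hunks start and end outside the visible lines.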
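--- a/examples/hello-world/test.sh
+++ b/examples/hello-world/test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
+export MAVEN_GPG_PASSPHRASE=pass123
+export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY
+export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE
+set -x
+# gradle
+./gradlew clean publishMavenPublicationToExamplesRepository $@
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.asc
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc
+# maven
+mvn clean deploy --no-transfer-progress $@
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc
+# ensure no double signed (pgp and sigstore) files
+test $(find . -name "*.asc.sigstore.java" | wc -c) -eq 0
+test $(find . -name "*.sigstore.java.asc" | wc -c) -eq 0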
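Review bot: The two double-signing checks at the end of the script look for `*.asc.sigstore.java` and `*.sigstore.java.asc`, but the bundle suffix is `.sigstore.json` — the same script asserts that exact name a few lines earlier — so both `find`s match nothing and the checks pass unconditionally. They should read `test -z "$(find . -name '*.asc.sigstore.json')"` and `test -z "$(find . -name '*.sigstore.json.asc')"`. The unquoted `$@` on the `./gradlew` and `mvn` lines should be `"$@"` so an argument containing a space survives; the `-Dsigstore.version=…` the workflow passes is harmless today, but the script is written as a general runner. Exporting the key and passphrase before `set -x` is the right order because it keeps the secret out of the trace, and a comment such as `# exports happen before set -x so the key never appears in the trace` would stop someone from reordering it.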
10 changes: 10 additions & 0 deletions examples/pgp/README.md
@@ -0,0 +1,10 @@
## PGP test keys for examples

```
$ gpg --quick-gen-key "Test Key (DO NOT USE) <[email protected]>" rsa1024 sign never
passphrase:pass123
$ gpg --output private.key --armor --export-secret-key [email protected]
$ gpg --output public.key --armor --export [email protected]
```
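--- a/examples/pgp/keygen.input
+++ b/examples/pgp/keygen.input
@@ -0,0 +1,8 @@
+Key-Type: RSA
+Key-Length: 4096
+Key-Expiration: 0
+Name: Example Test Key
+Email Address: [email protected]
+Comment: DO NOT USE
+Passphrase: pass123
+Repeat the passphrase: pass123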
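Review bot: If this file is meant to be fed to `gpg --batch --generate-key`, its keywords do not match GnuPG's unattended key-generation syntax, which expects `Key-Type`, `Key-Length`, `Expire-Date`, `Name-Real`, `Name-Comment`, `Name-Email` and `Passphrase` and has no "repeat" line — as far as I recall, `Key-Expiration`, `Name`, `Email Address` and `Comment` would be rejected as unknown keywords. It also disagrees with `examples/pgp/README.md`, which generates the committed key with `--quick-gen-key … rsa1024`, while this file asks for 4096 bits, so a reader cannot tell which procedure produced `private.key`. Either drop the file or rewrite it in the batch syntax and reference it from the README so the two stay in step.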
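--- a/examples/pgp/private.key
+++ b/examples/pgp/private.key
@@ -0,0 +1,21 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQIGBGa87ksBBACstX51gCUmdttBgisnx3zurn7+8hB6PnGrlZGgFBPn+SFopGCe
+u1cZgzMpZ67uDSXp2kxSgpCisBPYeUMLQ1WTijIo7E6mowKhBsnepa/siVeiJXP1
+LvvtLmQyMVDAArBcsSF4nTqb6voOuqxePvC/k0FwNIBqx0lGL9tBjg4KNwARAQAB
+/gcDAmxZ2B3s2wUt//cWOHgEPQQrzvTqJ3Gmx7eSlk3J7ITj62XxgtBbjyWXnPEN
+klWMyY7BpLWYzaJ3pVoHtLLEIAZpHkV0TUS6z6dqDqGs9RtzsYFBDGKk6BXGx6A7
+NLJZmMJuhyjScTNc62ul5zkFFK/51P4OE09ZTErticmD+TGxUNTO4dM2zWvb17mv
+9uL3lRX94DNAO1dv6fC4dJXT8XMeuc9IKacLXCaWq0cgE+rA1gAhGmMPIqOgTC1s
+AKngqROhuaJhXLR/bucPVCFRc29cb42RN+ujgaw/vv0M2MGCclrlyG5ic7K0YqmJ
+opsf+dXm6ktCYj+bGDjm1avZ1qCb9vqpNyZ4DGFf/zBl+f7Cf2fdLpuYFUNN6VNt
+adL06NbSJ8LJhaloLN8W2G226Av4NhS9l69PVkEBYBwgwvGg7b1GORdi+iIsG6Z/
+3jS9xAPUgvYymIQdsNOw7Hv83F7pw/2gPPlBG7xhdfAm/uWFijtYOCC0KFRlc3Qg
+S2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoAOBYhBBv4
+2FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
+AheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1tM7JMZ04q
+Qa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42uY67SGEV
+pd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPXbPLV5R4c
+Q7cN
+=sfrl
+-----END PGP PRIVATE KEY BLOCK-----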
13 changes: 13 additions & 0 deletions examples/pgp/public.key
@@ -0,0 +1,13 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
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=vt0B
-----END PGP PUBLIC KEY BLOCK-----
