From da0ab55409927af41374e25b8849580f763a5882 Mon Sep 17 00:00:00 2001 From: Appu Goundan Date: Wed, 14 Aug 2024 15:35:08 -0400 Subject: [PATCH] add pgp signing to examples Signed-off-by: Appu Goundan --- .github/workflows/examples.yaml | 27 ++++++++------------------- examples/hello-world/README.md | 14 +++++++++++--- examples/hello-world/build.gradle.kts | 11 +++++++++++ examples/hello-world/pom.xml | 21 +++++++++++++++++++++ examples/hello-world/test.sh | 24 ++++++++++++++++++++++++ examples/pgp/README.md | 10 ++++++++++ examples/pgp/keygen.input | 8 ++++++++ examples/pgp/private.key | 21 +++++++++++++++++++++ examples/pgp/public.key | 13 +++++++++++++ 9 files changed, 127 insertions(+), 22 deletions(-) create mode 100755 examples/hello-world/test.sh create mode 100644 examples/pgp/README.md create mode 100644 examples/pgp/keygen.input create mode 100644 examples/pgp/private.key create mode 100644 examples/pgp/public.key diff --git a/.github/workflows/examples.yaml b/.github/workflows/examples.yaml index f7adb07a..241e670d 100644 --- a/.github/workflows/examples.yaml +++ b/.github/workflows/examples.yaml @@ -34,28 +34,17 @@ jobs: - name: run examples against released sigstore working-directory: examples/hello-world - run: | - set -Eexo pipefail - ./gradlew clean publishMavenPublicationToExamplesRepository - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json - mvn clean deploy --no-transfer-progress - test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json - test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json + run: test.sh - name: install sigstore java development jars into mavenLocal run: ./gradlew publishToMavenLocal -Prelease -PskipSigning + - name: calculate development version + id: dev_version + run: | + set -Exeo pipefail + echo "version=$(grep "^version=" ../../gradle.properties | cut -d'=' -f2)" >> $GITHUB_OUTPUT + - name: run examples against development version working-directory: examples/hello-world - run: | - set -Eexo pipefail - version="$(grep "^version=" ../../gradle.properties | cut -d'=' -f2)" - ./gradlew clean publishMavenPublicationToExamplesRepository -Dsigstore.version=$version - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json - test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json - mvn clean deploy -Dsigstore.version=$version --no-transfer-progress - test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json - test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json + run: test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }} diff --git a/examples/hello-world/README.md b/examples/hello-world/README.md index 027bfcb0..7eb0ccee 100644 --- a/examples/hello-world/README.md +++ b/examples/hello-world/README.md @@ -2,20 +2,28 @@ Simple sigstore signing examples +These examples sign with sigstore (and PGP as required by Maven Central) + ## gradle ``` +$ export ORG_GRADLE_PROJECT_signingKey=$(cat ../pgp/private.key) +$ export ORG_GRADLE_PROJECT_signingPassword=pass123 + $ ./gradlew clean publishMavenPublicationToExamplesRepository $ ls build/example-repo/com/example/hello-world/1.0.0/*.sigstore.json -hellow-world-1.0.0.jar.sigstore.json -hellow-world-1.0.0.modules.sigstore.json -hellow-world-1.0.0.pom.sigstore.json +hello-world-1.0.0.jar.sigstore.json +hello-world-1.0.0.modules.sigstore.json +hello-world-1.0.0.pom.sigstore.json ``` ## maven ``` +$ export MAVEN_GPG_KEY=$(cat ../pgp/private.key) +$ export MAVEN_GPG_PASSPHRASE=pass123 + $ mvn clean deploy $ ls target/example-repo/com/example/hello-world/1.0.0/*.sigstore.json diff --git a/examples/hello-world/build.gradle.kts b/examples/hello-world/build.gradle.kts index 05e94e6e..e493a7f8 100644 --- a/examples/hello-world/build.gradle.kts +++ b/examples/hello-world/build.gradle.kts @@ -3,6 +3,7 @@ plugins { `maven-publish` val sigstoreVersion = System.getProperty("sigstore.version") ?: "0.11.0" id("dev.sigstore.sign") version "$sigstoreVersion" + signing } version = "1.0.0" @@ -27,3 +28,13 @@ publishing { } } } + +// sigstore signing doesn't require additional setup in build.gradle.kts + +// PGP signing setup for the purposes of this example. +signing { + val signingKey: String? by project + val signingPassword: String? by project + useInMemoryPgpKeys(signingKey, signingPassword) + sign(publishing.publications["maven"]) +} diff --git a/examples/hello-world/pom.xml b/examples/hello-world/pom.xml index ce9d3881..0f2d389e 100644 --- a/examples/hello-world/pom.xml +++ b/examples/hello-world/pom.xml @@ -25,6 +25,7 @@ maven-compiler-plugin 3.13.0 + dev.sigstore sigstore-maven-plugin @@ -35,6 +36,26 @@ sign + + + + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.2.5 + + + sign + verify + + sign + + + + bc + diff --git a/examples/hello-world/test.sh b/examples/hello-world/test.sh new file mode 100755 index 00000000..a7e0bb92 --- /dev/null +++ b/examples/hello-world/test.sh @@ -0,0 +1,24 @@ +#!/usr/bin/env bash +set -Eeo pipefail +export MAVEN_GPG_KEY=$(cat ../pgp/private.key) +export MAVEN_GPG_PASSPHRASE=pass123 +export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY +export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE +set -x +# gradle +./gradlew clean publishMavenPublicationToExamplesRepository $@ +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.asc +test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc +# maven +mvn clean deploy --no-transfer-progress $@ +test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json +test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json +test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc +test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc +# ensure no double signed (pgp and sigstore) files +test $(find . -name "*.asc.sigstore.java" | wc -c) -eq 0 +test $(find . -name "*.sigstore.java.asc" | wc -c) -eq 0 diff --git a/examples/pgp/README.md b/examples/pgp/README.md new file mode 100644 index 00000000..5c0afbd9 --- /dev/null +++ b/examples/pgp/README.md @@ -0,0 +1,10 @@ +## PGP test keys for examples + +``` +$ gpg --quick-gen-key "Test Key (DO NOT USE) " rsa1024 sign never + +passphrase:pass123 + +$ gpg --output private.key --armor --export-secret-key test@example.com +$ gpg --output public.key --armor --export test@example.com +``` diff --git a/examples/pgp/keygen.input b/examples/pgp/keygen.input new file mode 100644 index 00000000..3e53bfc5 --- /dev/null +++ b/examples/pgp/keygen.input @@ -0,0 +1,8 @@ +Key-Type: RSA +Key-Length: 4096 +Key-Expiration: 0 +Name: Example Test Key +Email Address: test@example.com +Comment: DO NOT USE +Passphrase: pass123 +Repeat the passphrase: pass123 diff --git a/examples/pgp/private.key b/examples/pgp/private.key new file mode 100644 index 00000000..d9b6c209 --- /dev/null +++ b/examples/pgp/private.key @@ -0,0 +1,21 @@ +-----BEGIN PGP PRIVATE KEY BLOCK----- + +lQIGBGa87ksBBACstX51gCUmdttBgisnx3zurn7+8hB6PnGrlZGgFBPn+SFopGCe +u1cZgzMpZ67uDSXp2kxSgpCisBPYeUMLQ1WTijIo7E6mowKhBsnepa/siVeiJXP1 +LvvtLmQyMVDAArBcsSF4nTqb6voOuqxePvC/k0FwNIBqx0lGL9tBjg4KNwARAQAB +/gcDAmxZ2B3s2wUt//cWOHgEPQQrzvTqJ3Gmx7eSlk3J7ITj62XxgtBbjyWXnPEN +klWMyY7BpLWYzaJ3pVoHtLLEIAZpHkV0TUS6z6dqDqGs9RtzsYFBDGKk6BXGx6A7 +NLJZmMJuhyjScTNc62ul5zkFFK/51P4OE09ZTErticmD+TGxUNTO4dM2zWvb17mv +9uL3lRX94DNAO1dv6fC4dJXT8XMeuc9IKacLXCaWq0cgE+rA1gAhGmMPIqOgTC1s +AKngqROhuaJhXLR/bucPVCFRc29cb42RN+ujgaw/vv0M2MGCclrlyG5ic7K0YqmJ +opsf+dXm6ktCYj+bGDjm1avZ1qCb9vqpNyZ4DGFf/zBl+f7Cf2fdLpuYFUNN6VNt +adL06NbSJ8LJhaloLN8W2G226Av4NhS9l69PVkEBYBwgwvGg7b1GORdi+iIsG6Z/ +3jS9xAPUgvYymIQdsNOw7Hv83F7pw/2gPPlBG7xhdfAm/uWFijtYOCC0KFRlc3Qg +S2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoAOBYhBBv4 +2FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B +AheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1tM7JMZ04q +Qa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42uY67SGEV +pd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPXbPLV5R4c +Q7cN +=sfrl +-----END PGP PRIVATE KEY BLOCK----- diff --git a/examples/pgp/public.key b/examples/pgp/public.key new file mode 100644 index 00000000..ffba0711 --- /dev/null +++ b/examples/pgp/public.key @@ -0,0 +1,13 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mI0EZrzuSwEEAKy1fnWAJSZ220GCKyfHfO6ufv7yEHo+cauVkaAUE+f5IWikYJ67 +VxmDMylnru4NJenaTFKCkKKwE9h5QwtDVZOKMijsTqajAqEGyd6lr+yJV6Ilc/Uu +++0uZDIxUMACsFyxIXidOpvq+g66rF4+8L+TQXA0gGrHSUYv20GODgo3ABEBAAG0 +KFRlc3QgS2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoA +OBYhBBv42FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQW +AgMBAh4BAheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1t +M7JMZ04qQa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42 +uY67SGEVpd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPX +bPLV5R4cQ7cN +=vt0B +-----END PGP PUBLIC KEY BLOCK-----