-
Notifications
You must be signed in to change notification settings - Fork 20
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Integrate sigstore/sigstore-maven-plugin into repo
- Move sigstore-maven-plugin in sigstore/sigstore-java - Make it a gradle module (and build with gradle :o! sorry) Signed-off-by: Appu Goundan <[email protected]>
- Loading branch information
1 parent
4905f83
commit db9f33f
Showing
16 changed files
with
667 additions
and
39 deletions.
There are no files selected for viewing
44 changes: 44 additions & 0 deletions
44
...gic/publishing/src/main/kotlin/build-logic.depends-on-local-sigstore-java-repo.gradle.kts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,44 @@ | ||
import org.gradle.api.attributes.Bundling | ||
import org.gradle.api.attributes.Category | ||
import org.gradle.kotlin.dsl.* | ||
import java.io.File | ||
|
||
plugins { | ||
java | ||
} | ||
|
||
val sigstoreJavaRuntime by configurations.creating { | ||
description = "declares dependencies that will be useful for testing purposes" | ||
isCanBeConsumed = false | ||
isCanBeResolved = false | ||
} | ||
|
||
val sigstoreJavaTestClasspath by configurations.creating { | ||
description = "sigstore-java in local repository for testing purposes" | ||
isCanBeConsumed = false | ||
isCanBeResolved = true | ||
extendsFrom(sigstoreJavaRuntime) | ||
attributes { | ||
attribute(Category.CATEGORY_ATTRIBUTE, objects.named("maven-repository")) | ||
attribute(Bundling.BUNDLING_ATTRIBUTE, objects.named(Bundling.EXTERNAL)) | ||
} | ||
} | ||
|
||
tasks.test { | ||
dependsOn(sigstoreJavaTestClasspath) | ||
systemProperty("sigstore.test.current.version", version) | ||
val projectDir = layout.projectDirectory.asFile | ||
// This adds paths to the local repositories that contain currently-built sigstore-java | ||
// It enables testing both "sigstore-java from Central" and "sigstore-java build locally" in the plugin tests | ||
jvmArgumentProviders.add( | ||
// Gradle does not support Provider for systemProperties yet, see https://github.com/gradle/gradle/issues/12247 | ||
CommandLineArgumentProvider { | ||
listOf( | ||
"-Dsigstore.test.local.maven.repo=" + | ||
sigstoreJavaTestClasspath.joinToString(File.pathSeparator) { | ||
it.toRelativeString(projectDir) | ||
}, | ||
) | ||
} | ||
) | ||
} |
43 changes: 43 additions & 0 deletions
43
...ishing/src/main/kotlin/build-logic.depends-on-local-sigstore-maven-plugin-repo.gradle.kts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
import org.gradle.api.attributes.Bundling | ||
import org.gradle.api.attributes.Category | ||
import org.gradle.kotlin.dsl.* | ||
import java.io.File | ||
|
||
plugins { | ||
java | ||
} | ||
|
||
val sigstoreMavenPluginRuntime by configurations.creating { | ||
description = "declares dependencies that will be useful for testing purposes" | ||
isCanBeConsumed = false | ||
isCanBeResolved = false | ||
} | ||
|
||
val sigstoreMavenPluginTestClasspath by configurations.creating { | ||
description = "sigstore-maven-plugin in local repository for testing purposes" | ||
isCanBeConsumed = false | ||
isCanBeResolved = true | ||
extendsFrom(sigstoreMavenPluginRuntime) | ||
attributes { | ||
attribute(Category.CATEGORY_ATTRIBUTE, objects.named("maven-repository")) | ||
attribute(Bundling.BUNDLING_ATTRIBUTE, objects.named(Bundling.EXTERNAL)) | ||
} | ||
} | ||
|
||
tasks.test { | ||
dependsOn(sigstoreMavenPluginTestClasspath) | ||
systemProperty("sigstore.test.current.maven.plugin.version", version) | ||
val projectDir = layout.projectDirectory.asFile | ||
// This adds paths to the local repositories that contain currently-built sigstore-maven-plugin | ||
jvmArgumentProviders.add( | ||
// Gradle does not support Provider for systemProperties yet, see https://github.com/gradle/gradle/issues/12247 | ||
CommandLineArgumentProvider { | ||
listOf( | ||
"-Dsigstore.test.local.maven.plugin.repo=" + | ||
sigstoreMavenPluginTestClasspath.joinToString(File.pathSeparator) { | ||
it.toRelativeString(projectDir) | ||
}, | ||
) | ||
} | ||
) | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
2 changes: 2 additions & 0 deletions
2
build-logic/publishing/src/main/kotlin/build-logic.publish-to-tmp-maven-repo.gradle.kts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,5 @@ | ||
import org.gradle.kotlin.dsl.registering | ||
|
||
plugins { | ||
id("java-library") | ||
id("maven-publish") | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
.vscode | ||
.factorypath | ||
.project | ||
.classpath | ||
.settings/ | ||
*.iml | ||
*.ipr | ||
.idea | ||
*.class | ||
*.jar | ||
target/ | ||
pom.xml.tag | ||
pom.xml.releaseBackup | ||
pom.xml.versionsBackup | ||
pom.xml.next | ||
pom.xml.bak | ||
release.properties | ||
dependency-reduced-pom.xml | ||
buildNumber.properties | ||
.mvn/timing.properties | ||
.mvn/wrapper/maven-wrapper.jar | ||
.apt_generated/ | ||
.apt_generated_tests/ | ||
bin/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,36 @@ | ||
sigstore-maven-plugin | ||
===================== | ||
|
||
[![Maven Central](https://img.shields.io/maven-central/v/dev.sigstore/sigstore-maven-plugin.svg?label=Maven%20Central)](https://central.sonatype.com/artifact/dev.sigstore/sigstore-maven-plugin) | ||
|
||
This is a Maven plugin that can be used to use the "keyless" signing paradigm supported by Sigstore. | ||
This plugin is still in early phases, then has known limitations described below. | ||
|
||
sign | ||
---- | ||
|
||
```xml | ||
<plugin> | ||
<groupId>dev.sigstore</groupId> | ||
<artifactId>sigstore-maven-plugin</artifactId> | ||
<version>0.4.0</version> | ||
<executions> | ||
<execution> | ||
<id>sign</id> | ||
<goals> | ||
<goal>sign</goal> | ||
</goals> | ||
</execution> | ||
</executions> | ||
</plugin> | ||
``` | ||
|
||
Notes: | ||
|
||
- GPG: Maven Central publication rules require GPG signing each files: to avoid GPG signing of `.sigstore.json` files, just use version 3.1.0 minimum of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/). | ||
- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java` | ||
|
||
Known limitations: | ||
|
||
- Maven multi-module build: each module will require an OIDC authentication, | ||
- 10 minutes signing session: if a build takes more than 10 minutes, a new OIDC authentication will be required each 10 minutes. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
plugins { | ||
id("build-logic.java-published-library") | ||
id("build-logic.test-junit5") | ||
id("build-logic.depends-on-local-sigstore-java-repo") | ||
id("build-logic.depends-on-local-sigstore-maven-plugin-repo") | ||
id("de.benediktritter.maven-plugin-development") version "0.4.3" | ||
} | ||
|
||
dependencies { | ||
compileOnly("org.apache.maven:maven-plugin-api:3.9.8") | ||
compileOnly("org.apache.maven:maven-core:3.9.8") | ||
compileOnly("org.apache.maven:maven-core:3.9.8") | ||
compileOnly("org.apache.maven.plugin-tools:maven-plugin-annotations:3.13.1") | ||
|
||
implementation(project(":sigstore-java")) | ||
implementation("org.bouncycastle:bcutil-jdk18on:1.78.1") | ||
implementation("org.apache.maven.plugins:maven-gpg-plugin:3.1.0") | ||
|
||
testImplementation("org.apache.maven.shared:maven-verifier:1.8.0") | ||
|
||
testImplementation(project(":sigstore-testkit")) | ||
|
||
sigstoreJavaRuntime(project(":sigstore-java")) { | ||
because("Test code needs access locally-built sigstore-java as a Maven repository") | ||
} | ||
sigstoreMavenPluginRuntime(project(":sigstore-maven-plugin")) { | ||
because("Test code needs access locally-built sigstore-java as a Maven repository") | ||
} | ||
} |
89 changes: 89 additions & 0 deletions
89
sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/FulcioOidHelper.java
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,89 @@ | ||
/* | ||
* Copyright 2023 The Sigstore Authors. | ||
* | ||
* Licensed under the Apache License, Version 2.0 (the "License"); | ||
* you may not use this file except in compliance with the License. | ||
* You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, software | ||
* distributed under the License is distributed on an "AS IS" BASIS, | ||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
* See the License for the specific language governing permissions and | ||
* limitations under the License. | ||
*/ | ||
package dev.sigstore.plugin; | ||
|
||
import java.io.IOException; | ||
import java.nio.charset.StandardCharsets; | ||
import java.security.cert.X509Certificate; | ||
import org.bouncycastle.asn1.ASN1Primitive; | ||
import org.bouncycastle.asn1.ASN1Sequence; | ||
import org.bouncycastle.asn1.ASN1String; | ||
import org.bouncycastle.asn1.DEROctetString; | ||
|
||
/** | ||
* Helper to decode Fulcio OID data, see <a | ||
* href="https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md">Sigstore OID | ||
* information</a>. | ||
*/ | ||
public class FulcioOidHelper { | ||
private static final String SIGSTORE_OID_ROOT = "1.3.6.1.4.1.57264"; | ||
private static final String FULCIO_OID_ROOT = SIGSTORE_OID_ROOT + ".1"; | ||
|
||
@Deprecated private static final String FULCIO_ISSUER_OID = FULCIO_OID_ROOT + ".1"; | ||
|
||
private static final String FULCIO_ISSUER_V2_OID = FULCIO_OID_ROOT + ".8"; | ||
|
||
public static String getIssuer(X509Certificate cert) { | ||
String issuerV2 = getIssuerV2(cert); | ||
if (issuerV2 == null) { | ||
return getIssuerV1(cert); | ||
} | ||
return issuerV2; | ||
} | ||
|
||
@Deprecated | ||
public static String getIssuerV1(X509Certificate cert) { | ||
return getExtensionValue(cert, FULCIO_ISSUER_OID, true); | ||
} | ||
|
||
public static String getIssuerV2(X509Certificate cert) { | ||
return getExtensionValue(cert, FULCIO_ISSUER_V2_OID, false); | ||
} | ||
|
||
/* Extracts the octets from an extension value and converts to utf-8 directly, it does NOT | ||
* account for any ASN1 encoded value. If the extension value is an ASN1 object (like an | ||
* ASN1 encoded string), you need to write a new extraction helper. */ | ||
private static String getExtensionValue(X509Certificate cert, String oid, boolean rawUtf8) { | ||
byte[] extensionValue = cert.getExtensionValue(oid); | ||
|
||
if (extensionValue == null) { | ||
return null; | ||
} | ||
try { | ||
ASN1Primitive derObject = ASN1Sequence.fromByteArray(cert.getExtensionValue(oid)); | ||
if (derObject instanceof DEROctetString) { | ||
DEROctetString derOctetString = (DEROctetString) derObject; | ||
if (rawUtf8) { | ||
// this is unusual, but the octet is a raw utf8 string in fulcio land (no prefix of type) | ||
// and not an ASN1 object. | ||
return new String(derOctetString.getOctets(), StandardCharsets.UTF_8); | ||
} | ||
|
||
derObject = ASN1Sequence.fromByteArray(derOctetString.getOctets()); | ||
if (derObject instanceof ASN1String) { | ||
ASN1String s = (ASN1String) derObject; | ||
return s.getString(); | ||
} | ||
} | ||
throw new RuntimeException( | ||
"Could not parse extension " | ||
+ oid | ||
+ " in certificate because it was not an octet string"); | ||
} catch (IOException ioe) { | ||
throw new RuntimeException("Could not parse extension " + oid + " in certificate", ioe); | ||
} | ||
} | ||
} |
Oops, something went wrong.