
Custom signing task to ignore sigstore sigs #604

Closed
wants to merge 1 commit into from

Conversation

loosebazooka
Member

@loosebazooka loosebazooka commented Jan 10, 2024

This is the best I could do for this 🤷 ?

@ljacomet @vlsi wdyt?

It's basically re-implementing parts of the sign extension/task internals to ignore sigstore files. It's not fully featured (doesn't handle whenObjectRemoved, etc.).

@vlsi
Collaborator

vlsi commented Jan 11, 2024

I would rather expose it as a dev.sigstore.unsign-sigstore-pgp plugin which removes PGP signatures if added by Gradle.
Then everybody can use the plugin as they see fit as long as gradle/gradle#26760 is still open.

WDYT?

@loosebazooka
Member Author

Sure, is it possible for it to just be a configuration setting on the sigstore sign plugin?

@vlsi
Collaborator

vlsi commented Jan 11, 2024

There might be use cases for not using sigstore's "sign everything with sigstore" dev.sigstore.sign plugin; however, users might still want to "unsign .sigstore.asc".

So the feature of "unsigning" is a well-defined one, and it fits for a new plugin just fine.

Of course, our umbrella dev.sigstore.sign plugin could automatically apply dev.sigstore.unsign.pgp (and allow an escape hatch); however, it makes perfect sense to factor unsign into its own plugin.

See https://docs.gradle.org/current/userguide/designing_gradle_plugins.html#capabilities-vs-conventions for more details:

One way to provide these quality criteria is to separate capabilities from conventions. In practice that means separating general-purpose functionality from pre-configured, opinionated functionality

"unsign pgp" is a capability while "dev.sigstore.sign" is a convention to "sign everything with sigstore and unsign sigstore.pgp"

@loosebazooka
Member Author

gotcha, is this something you might have some bandwidth for right now?

vlsi added a commit to vlsi/sigstore-java that referenced this pull request Jan 12, 2024
By default, the plugin will remove .sigstore.asc.
Project property dev.sigstore.sign.remove.sigstore.asc=false
would keep .sigstore.asc files if they are needed

Closes sigstore#604

Signed-off-by: Vladimir Sitnikov <[email protected]>
@vlsi vlsi closed this in bfd0cd6 Jan 12, 2024
@loosebazooka loosebazooka deleted the skipPgpOnSigstore branch December 13, 2024 16:36