diff --git a/build-logic/publishing/build.gradle.kts b/build-logic/publishing/build.gradle.kts
index b3b53828..e1d88a4d 100644
--- a/build-logic/publishing/build.gradle.kts
+++ b/build-logic/publishing/build.gradle.kts
@@ -10,6 +10,6 @@ dependencies {
 implementation(project(":basics"))
 implementation(project(":jvm"))
 implementation("dev.sigstore.build-logic:gradle-plugin")
- implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.7.0")
+ implementation("dev.sigstore:sigstore-gradle-sign-plugin:0.8.0")
 implementation("com.gradle.plugin-publish:com.gradle.plugin-publish.gradle.plugin:1.2.1")
 }
diff --git a/gradle.properties b/gradle.properties
index 7fe461ed..9dc3174f 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -4,4 +4,4 @@ systemProp.org.gradle.kotlin.dsl.precompiled.accessors.strict=true
 group=dev.sigstore
 # remember to update SigstoreSignExtension.kt and build-logic/publishing/build.gradle.kts when updating this
-version=0.8.0
+version=0.9.0
diff --git a/sigstore-gradle/README.md b/sigstore-gradle/README.md
index 49489b49..da31a74b 100644
--- a/sigstore-gradle/README.md
+++ b/sigstore-gradle/README.md
@@ -2,10 +2,8 @@
 A Gradle plugin for signing artifacts with Sigstore.
-## The current state
-
-`dev.sigstore.sign` has no releases yet.
-Signature format uses [Sigstore bundle](https://github.com/sigstore/cosign/pull/2204) JSON which is still experimental.
+`dev.sigstore.sign` is available on the gradle plugin portal.
+Signature format uses [Sigstore bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) JSON as the output format.
 ## Requirements
@@ -46,7 +44,7 @@ plugins {
 dependencies {
 // Override sigstore-java clients
- sigstoreClient("dev.sigstore:sigstore-java:0.1.0")
+ sigstoreClient("dev.sigstore:sigstore-java:")
 }
 sigstoreSign {
@@ -121,8 +119,8 @@ val zip by tasks.registering(Zip::class) {
 ### Signature format
-The signature uses [Sigstore bundle](https://github.com/sigstore/cosign/pull/2204) JSON
-stored as `.sigstore` file.
+The signature uses [Sigstore bundle](https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_bundle.proto) JSON
+stored as `.sigstore.json` file.
 The file includes all the information for offline signature verification.
@@ -136,8 +134,8 @@ Provides `SigstoreSignFilesTask` task for signing files in Sigstore.
 The plugin adds no tasks by default.
 Properties:
-* `dev.sigstore.sign.remove.sigstore.asc` (since 0.6.0, default: `true`). Removes `.sigstore.asc` files from the publication.
- Sonatype OSSRH supports publishing `.sigstore` signatures, and it does not require `.sigstore.asc` files, so
+* `dev.sigstore.sign.remove.sigstore.asc` (since 0.6.0, default: `true`). Removes `.sigstore.json.asc` files from the publication.
+ Sonatype OSSRH supports publishing `.sigstore.json` signatures, and it does not require `.sigstore.json.asc` files, so
 `dev.sigstore.sign` plugin removes them by default. If you need to sign all the files, set this property to `false`.
 Extensions:
diff --git a/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt b/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
index f2340db7..162b23de 100644
--- a/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
+++ b/sigstore-gradle/sigstore-gradle-sign-base-plugin/src/main/kotlin/dev/sigstore/sign/SigstoreSignExtension.kt
@@ -44,7 +44,7 @@ abstract class SigstoreSignExtension(private val project: Project) {
 abstract val sigstoreJavaVersion : Property
 init {
- sigstoreJavaVersion.convention("0.8.0")
+ sigstoreJavaVersion.convention("0.9.0")
 (this as ExtensionAware).extensions.create(
 "oidcClient",
 project.objects,