From 69978e6e009ce76e8ec2b469d24763c89c87c466 Mon Sep 17 00:00:00 2001 From: Appu Goundan Date: Wed, 14 Aug 2024 11:08:05 -0400 Subject: [PATCH] Update GPG maven plugin dependency This ignores .sigstore.json files by default. See: https://issues.apache.org/jira/browse/MGPG-130 Signed-off-by: Appu Goundan --- sigstore-maven-plugin/README.md | 4 ++-- sigstore-maven-plugin/build.gradle.kts | 2 +- .../sigstore/plugin/SigstoreSignAttachedMojo.java | 14 ++------------ 3 files changed, 5 insertions(+), 15 deletions(-) diff --git a/sigstore-maven-plugin/README.md b/sigstore-maven-plugin/README.md index 61b23308..0ac05cd6 100644 --- a/sigstore-maven-plugin/README.md +++ b/sigstore-maven-plugin/README.md @@ -47,8 +47,8 @@ See [GitHub documentation](https://docs.github.com/en/actions/deployment/securit Notes: - -- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 minimum or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java` +- GPG: Maven Central publication rules require GPG signing. To avoid GPG signing of `.sigstore.json` signature files, use version 3.2.5 or higher of [maven-gpg-plugin](https://maven.apache.org/plugins/maven-gpg-plugin/). +- `.md5`/`.sha1`: to avoid unneeded checksum files for `.sigstore.java` files, use Maven 3.9.2 or higher, or create `.mvn/maven.config` file containing `-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.java` Known limitations: diff --git a/sigstore-maven-plugin/build.gradle.kts b/sigstore-maven-plugin/build.gradle.kts index 18be217d..9f6d5628 100644 --- a/sigstore-maven-plugin/build.gradle.kts +++ b/sigstore-maven-plugin/build.gradle.kts @@ -16,7 +16,7 @@ dependencies { implementation(project(":sigstore-java")) implementation("org.bouncycastle:bcutil-jdk18on:1.78.1") - implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.4") + implementation("org.apache.maven.plugins:maven-gpg-plugin:3.2.5") testImplementation("org.apache.maven.shared:maven-verifier:1.8.0") diff --git a/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java b/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java index 9daf6a8a..5d57794a 100644 --- a/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java +++ b/sigstore-maven-plugin/src/main/java/dev/sigstore/plugin/SigstoreSignAttachedMojo.java @@ -40,22 +40,13 @@ public class SigstoreSignAttachedMojo extends AbstractMojo { private static final String BUNDLE_EXTENSION = ".sigstore.json"; - // TODO: this can potentially be derived from mvn-gpg-plugin:FilesCollector.java, - // but that requires a change in that plugin before it makes sense here. - private static final String DEFAULT_EXCLUDES[] = - new String[] { - "**/*.md5", "**/*.sha1", "**/*.sha256", "**/*.sha512", "**/*.asc", "**/*.sigstore.json" - }; - /** Skip doing the sigstore signing. */ @Parameter(property = "sigstore.skip", defaultValue = "false") private boolean skip; /** * A list of files to exclude from being signed. Can contain Ant-style wildcards and double - * wildcards. The default excludes are - * **/*.md5 **/*.sha1 **/*.sha256 **/*.sha512 **/*.asc **/*.sigstore.json - * . + * wildcards. The defaults are defined in DEFAULT_EXCLUDES in {@link FilesCollector}. */ @Parameter private String[] excludes; @@ -81,8 +72,7 @@ public void execute() throws MojoExecutionException, MojoFailureException { // Collect files to sign // ---------------------------------------------------------------------------- - FilesCollector collector = - new FilesCollector(project, (excludes == null) ? DEFAULT_EXCLUDES : excludes, getLog()); + FilesCollector collector = new FilesCollector(project, excludes, getLog()); List items = collector.collect(); // ----------------------------------------------------------------------------