sigstore · loosebazooka · Aug 15, 2024 · Aug 14, 2024
diff --git a/.github/workflows/examples.yaml b/.github/workflows/examples.yaml
@@ -34,28 +34,17 @@ jobs:
 
     - name: run examples against released sigstore
       working-directory: examples/hello-world
-      run: |
-        set -Eexo pipefail
-        ./gradlew clean publishMavenPublicationToExamplesRepository
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
-        mvn clean deploy --no-transfer-progress
-        test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
-        test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+      run: ./test.sh
 
     - name: install sigstore java development jars into mavenLocal
       run: ./gradlew publishToMavenLocal -Prelease -PskipSigning
 
+    - name: calculate development version
+      id: dev_version
+      run: |
+        set -Exeo pipefail
+        echo "version=$(grep "^version=" gradle.properties | cut -d'=' -f2)" >> $GITHUB_OUTPUT
+
     - name: run examples against development version
       working-directory: examples/hello-world
-      run: |
-        set -Eexo pipefail
-        version="$(grep "^version=" ../../gradle.properties | cut -d'=' -f2)"
-        ./gradlew clean publishMavenPublicationToExamplesRepository -Dsigstore.version=$version
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
-        test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
-        mvn clean deploy -Dsigstore.version=$version --no-transfer-progress
-        test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
-        test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+      run: ./test.sh -Dsigstore.version=${{ steps.dev_version.outputs.version }}
diff --git a/examples/hello-world/README.md b/examples/hello-world/README.md
@@ -2,20 +2,28 @@
 
 Simple sigstore signing examples
 
+These examples sign with sigstore (and PGP as required by Maven Central)
+
 ## gradle
 
 ```
+$ export ORG_GRADLE_PROJECT_signingKey=$(cat ../pgp/private.key)
+$ export ORG_GRADLE_PROJECT_signingPassword=pass123
+
 $ ./gradlew clean publishMavenPublicationToExamplesRepository
 
 $ ls build/example-repo/com/example/hello-world/1.0.0/*.sigstore.json
-hellow-world-1.0.0.jar.sigstore.json
-hellow-world-1.0.0.modules.sigstore.json
-hellow-world-1.0.0.pom.sigstore.json
+hello-world-1.0.0.jar.sigstore.json
+hello-world-1.0.0.modules.sigstore.json
+hello-world-1.0.0.pom.sigstore.json
 ```
 
 ## maven
 
 ```
+$ export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
+$ export MAVEN_GPG_PASSPHRASE=pass123
+
 $ mvn clean deploy
 
 $ ls target/example-repo/com/example/hello-world/1.0.0/*.sigstore.json

diff --git a/examples/hello-world/build.gradle.kts b/examples/hello-world/build.gradle.kts
@@ -3,6 +3,7 @@ plugins {
   `maven-publish`
   val sigstoreVersion = System.getProperty("sigstore.version") ?: "0.11.0"
   id("dev.sigstore.sign") version "$sigstoreVersion"
+  signing
 }
 
 version = "1.0.0"
@@ -27,3 +28,13 @@ publishing {
         }
     }
 }
+
+// sigstore signing doesn't require additional setup in build.gradle.kts
+
+// PGP signing setup for the purposes of this example.
+signing {
+    val signingKey: String? by project
+    val signingPassword: String? by project
+    useInMemoryPgpKeys(signingKey, signingPassword)
+    sign(publishing.publications["maven"])
+}
diff --git a/examples/hello-world/pom.xml b/examples/hello-world/pom.xml
@@ -25,6 +25,7 @@
         <artifactId>maven-compiler-plugin</artifactId>
         <version>3.13.0</version>
       </plugin>
+      <!-- sigstore signing config -->
       <plugin>
         <groupId>dev.sigstore</groupId>
         <artifactId>sigstore-maven-plugin</artifactId>
@@ -35,6 +36,26 @@
             <goals>
               <goal>sign</goal>
             </goals>
+            <!-- no config, sign using browser or CI credentials -->
+          </execution>
+        </executions>
+      </plugin>
+      <!-- pgp signing config -->
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-gpg-plugin</artifactId>
+        <version>3.2.5</version>
+        <executions>
+          <execution>
+            <id>sign</id>
+            <phase>verify</phase>
+            <goals>
+              <goal>sign</goal>
+            </goals>
+            <configuration>
+              <!-- read key and passphrase from env -->
+              <signer>bc</signer>
+            </configuration>
           </execution>
         </executions>
       </plugin>

diff --git a/examples/hello-world/test.sh b/examples/hello-world/test.sh
@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+export MAVEN_GPG_KEY=$(cat ../pgp/private.key)
+export MAVEN_GPG_PASSPHRASE=pass123
+export ORG_GRADLE_PROJECT_signingKey=$MAVEN_GPG_KEY
+export ORG_GRADLE_PROJECT_signingPassword=$MAVEN_GPG_PASSPHRASE
+set -x
+# gradle
+./gradlew clean publishMavenPublicationToExamplesRepository $@
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.module.asc
+test -f build/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc
+# maven
+mvn clean deploy --no-transfer-progress $@
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.sigstore.json
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.sigstore.json
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.jar.asc
+test -f target/example-repo/com/example/hello-world/1.0.0/hello-world-1.0.0.pom.asc
+# ensure no double signed (pgp and sigstore) files
+test $(find . -name "*.asc.sigstore.java" | wc -c) -eq 0
+test $(find . -name "*.sigstore.java.asc" | wc -c) -eq 0
diff --git a/examples/pgp/README.md b/examples/pgp/README.md
@@ -0,0 +1,10 @@
+## PGP test keys for examples
+
+```
+$ gpg --quick-gen-key "Test Key (DO NOT USE) <[email protected]>" rsa1024 sign never
+
+passphrase:pass123
+
+$ gpg --output private.key --armor --export-secret-key [email protected]
+$ gpg --output public.key --armor --export [email protected] 
+```
diff --git a/examples/pgp/keygen.input b/examples/pgp/keygen.input
@@ -0,0 +1,8 @@
+Key-Type: RSA
+Key-Length: 4096
+Key-Expiration: 0
+Name: Example Test Key
+Email Address: [email protected]
+Comment: DO NOT USE
+Passphrase: pass123
+Repeat the passphrase: pass123
diff --git a/examples/pgp/private.key b/examples/pgp/private.key
@@ -0,0 +1,21 @@
+-----BEGIN PGP PRIVATE KEY BLOCK-----
+
+lQIGBGa87ksBBACstX51gCUmdttBgisnx3zurn7+8hB6PnGrlZGgFBPn+SFopGCe
+u1cZgzMpZ67uDSXp2kxSgpCisBPYeUMLQ1WTijIo7E6mowKhBsnepa/siVeiJXP1
+LvvtLmQyMVDAArBcsSF4nTqb6voOuqxePvC/k0FwNIBqx0lGL9tBjg4KNwARAQAB
+/gcDAmxZ2B3s2wUt//cWOHgEPQQrzvTqJ3Gmx7eSlk3J7ITj62XxgtBbjyWXnPEN
+klWMyY7BpLWYzaJ3pVoHtLLEIAZpHkV0TUS6z6dqDqGs9RtzsYFBDGKk6BXGx6A7
+NLJZmMJuhyjScTNc62ul5zkFFK/51P4OE09ZTErticmD+TGxUNTO4dM2zWvb17mv
+9uL3lRX94DNAO1dv6fC4dJXT8XMeuc9IKacLXCaWq0cgE+rA1gAhGmMPIqOgTC1s
+AKngqROhuaJhXLR/bucPVCFRc29cb42RN+ujgaw/vv0M2MGCclrlyG5ic7K0YqmJ
+opsf+dXm6ktCYj+bGDjm1avZ1qCb9vqpNyZ4DGFf/zBl+f7Cf2fdLpuYFUNN6VNt
+adL06NbSJ8LJhaloLN8W2G226Av4NhS9l69PVkEBYBwgwvGg7b1GORdi+iIsG6Z/
+3jS9xAPUgvYymIQdsNOw7Hv83F7pw/2gPPlBG7xhdfAm/uWFijtYOCC0KFRlc3Qg
+S2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoAOBYhBBv4
+2FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQWAgMBAh4B
+AheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1tM7JMZ04q
+Qa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42uY67SGEV
+pd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPXbPLV5R4c
+Q7cN
+=sfrl
+-----END PGP PRIVATE KEY BLOCK-----
diff --git a/examples/pgp/public.key b/examples/pgp/public.key
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mI0EZrzuSwEEAKy1fnWAJSZ220GCKyfHfO6ufv7yEHo+cauVkaAUE+f5IWikYJ67
+VxmDMylnru4NJenaTFKCkKKwE9h5QwtDVZOKMijsTqajAqEGyd6lr+yJV6Ilc/Uu
+++0uZDIxUMACsFyxIXidOpvq+g66rF4+8L+TQXA0gGrHSUYv20GODgo3ABEBAAG0
+KFRlc3QgS2V5IChETyBOT1QgVVNFKSA8dGVzdEBleGFtcGxlLmNvbT6IzgQTAQoA
+OBYhBBv42FTtpf8iZ6LK8WaHWakuSNF5BQJmvO5LAhsDBQsJCAcCBhUKCQgLAgQW
+AgMBAh4BAheAAAoJEGaHWakuSNF5YicD/1bbCo0/S5dY1U3q7QNXKAGAIF28hd1t
+M7JMZ04qQa56usj6+bzbCVax7CQ9ghnTYgifGOS5462KIBLzNokn/HPPRkGuac42
+uY67SGEVpd93ha7bqZUB3IuWLO2HKNXxN1AE0wTwTMW85sxSsGeUye9/dgQvpzPX
+bPLV5R4cQ7cN
+=vt0B
+-----END PGP PUBLIC KEY BLOCK-----