
Some parameters in tycho-gpg:sign-p2-artifacts do not apply to bouncycastle #1723

Open
kwin opened this issue Nov 24, 2022 · 2 comments
kwin (Contributor) commented Nov 24, 2022

A lot of parameters documented in tycho-gpg:sign-p2-artifacts are inherited from gpg-maven-plugin: https://tycho.eclipseprojects.io/doc/latest/tycho-gpg-plugin/sign-p2-artifacts-mojo.html#optional-parameters. All those are currently not evaluated by BC (added in #1720) but only by GPG. This should be clarified in the documentation.

There are also some problems with inheriting from Mojos in another artifact (as outlined in apache/maven-plugin-tools#167 (comment)). Probably the best option would be to no longer inherit from https://maven.apache.org/plugins/maven-gpg-plugin/sign-mojo.html but just to delegate to it and duplicate all relevant parameters (and clarify in the description how they are evaluated with BC).

kwin referenced this issue Nov 24, 2022
Improve support for how already-PGP-signed artifacts are handled to
support skip, replace, or merge.

Use SignedContentFactory for checking jar signatures which allows for
skipping jars that are only signed by certificates anchored in Java's
cacerts.

Support PGP signing features, and optionally also binary artifacts.

Support using Bouncy Castle for signing to improve performance and to
allow signing to be done in parallel.  This also better supports
providing integration tests for the various sign-p2-artifacts mojo's
options.

Ensure that only keys actually used by signatures are added to the
repository and/or artifact properties.  Determining the default key is
needed only when signing with Bouncy Castle, in which case it's
determined by signing a document and checking which key is used; that's
because the default key can be specified in the gpg.conf so just
listing the secret key fingerprints will not always correctly identify
the correct default.

For testing purposes, support generating key information and loading it.
Use that to provide integration tests for the new options as well as for
existing options.

#1466
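The default-key detection described in the referenced commit message (sign a throwaway document and read the issuer out of the resulting signature, rather than trusting the first secret key that `gpg --list-secret-keys` prints), as an added example in Python. This is not Tycho code and not the code of the referenced pull request. The `--with-colons` and `--list-packets` outputs below are constructed samples; `detect_default_key_with_gpg`, which runs the real procedure against a local `gpg`, is an assumption about gpg's stdin/stdout behaviour and is not exercised offline.

```python
"""Determine which secret key gpg actually uses as its default signing key.

Added example (not Tycho's code): sign a probe, parse the issuer out of the
signature packet, and map it back to a primary-key fingerprint.  Listing
secret keys alone is not enough because gpg.conf's `default-key` can pick
any of them.  All gpg output below is constructed, not captured.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

FPR_OLD = "AAAA" + "1" * 36        # primary key listed first, NOT the default
FPR_RELEASE = "BBBB" + "2" * 36    # primary key selected by gpg.conf default-key
FPR_RELEASE_SUB = "CCCC" + "3" * 36  # signing subkey of the release key

# Constructed `gpg --batch --with-colons --list-secret-keys` output.
SAMPLE_SECRET_KEYS = f"""\
sec:u:4096:1:1111111111111111:1600000000::::::::::::
fpr:::::::::{FPR_OLD}:
uid:u::::1600000000::XXXX::Old Key <old@example.org>::::::::::0:
sec:u:4096:1:2222222222222222:1650000000::::::::::::
fpr:::::::::{FPR_RELEASE}:
uid:u::::1650000000::YYYY::Release Key <release@example.org>::::::::::0:
ssb:u:4096:1:3333333333333333:1650000000::::::::::::
fpr:::::::::{FPR_RELEASE_SUB}:
"""

# Constructed `gpg --list-packets` output for a detached signature that gpg
# made with its default key (the release key's signing subkey).
SAMPLE_SIGNATURE_PACKETS = f"""\
# off=0 ctb=89 tag=2 hlen=3 plen=563
:signature packet: algo 1, keyid 3333333333333333
\tversion 4, created 1669300000, md5len 0, sigclass 0x00
\tdigest algo 8, begin of digest 1a 2b
\thashed subpkt 33 len 21 (issuer fpr v4 {FPR_RELEASE_SUB})
\thashed subpkt 2 len 4 (sig created 2022-11-24)
\tsubpkt 16 len 8 (issuer key ID 3333333333333333)
\tdata: [4095 bits]
"""

ISSUER_FPR_RE = re.compile(r"issuer fpr v4 ([0-9A-F]{40})")
ISSUER_KEYID_RE = re.compile(r"issuer key ID ([0-9A-F]{16})")


def parse_secret_keys(colons_output: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Map every secret key/subkey to its primary key's fingerprint.

    Returns (by_long_key_id, by_fingerprint).  In --with-colons output the
    `fpr` record that follows a `sec`/`ssb` record belongs to that key.
    """
    by_id: Dict[str, str] = {}
    by_fpr: Dict[str, str] = {}
    primary_fpr: Optional[str] = None
    pending: Optional[Tuple[str, str]] = None
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            pending = (f[0], f[4])          # record type, long key ID
        elif f[0] == "fpr" and pending is not None:
            kind, key_id = pending
            if kind == "sec":
                primary_fpr = f[9]          # field 10 carries the fingerprint
            by_id[key_id] = primary_fpr
            by_fpr[f[9]] = primary_fpr
            pending = None
    return by_id, by_fpr


def primary_fingerprints(colons_output: str) -> List[str]:
    """The naive view: primary keys in listing order (first is NOT the default)."""
    _, by_fpr = parse_secret_keys(colons_output)
    return list(dict.fromkeys(by_fpr.values()))


def parse_signature_issuer(packets_output: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (issuer fingerprint, issuer long key ID) from --list-packets output."""
    fpr = ISSUER_FPR_RE.search(packets_output)
    kid = ISSUER_KEYID_RE.search(packets_output)
    return (fpr.group(1) if fpr else None, kid.group(1) if kid else None)


def default_key_fingerprint(colons_output: str, packets_output: str) -> str:
    """Resolve the key gpg really signed with to a primary-key fingerprint.

    Prefers the v4 issuer fingerprint subpacket; falls back to the 64-bit
    issuer key ID for signatures that lack it.
    """
    by_id, by_fpr = parse_secret_keys(colons_output)
    fpr, kid = parse_signature_issuer(packets_output)
    if fpr is not None and fpr in by_fpr:
        return by_fpr[fpr]
    if kid is not None and kid in by_id:
        return by_id[kid]
    raise LookupError("signature issuer is not among the local secret keys")


def detect_default_key_with_gpg(gpg: str = "gpg") -> str:
    """Run the real procedure (assumes gpg reads the probe from stdin and
    writes the detached signature to stdout).  Not called offline."""
    sig = subprocess.run([gpg, "--batch", "--yes", "--detach-sign", "--output", "-"],
                         input=b"probe", capture_output=True, check=True).stdout
    packets = subprocess.run([gpg, "--list-packets"], input=sig,
                             capture_output=True, check=True).stdout.decode()
    keys = subprocess.run([gpg, "--batch", "--with-colons", "--list-secret-keys"],
                          capture_output=True, check=True).stdout.decode()
    return default_key_fingerprint(keys, packets)


if __name__ == "__main__":
    print("first listed:", primary_fingerprints(SAMPLE_SECRET_KEYS)[0])
    print("actually used:", default_key_fingerprint(SAMPLE_SECRET_KEYS, SAMPLE_SIGNATURE_PACKETS))
```

Mapping subkeys back to their primary matters here: gpg normally signs with a signing subkey, so the issuer in the packet is the subkey's fingerprint, while what the repository properties should record is the key that consumers fetch and verify against.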
laeubi (Member) commented Nov 24, 2022

In general it would be good if the maven-pgp-plugin would offer an extension point where Tycho can plug in to get notified and can offer additional artifacts to be signed. Then it would even make sense to implement the BC part there also, so even Maven users can benefit from the BC implementation of PGP signing...

kwin (Contributor, Author) commented Nov 24, 2022

There is already https://www.simplify4u.org/sign-maven-plugin/index.html for GPG signatures with BouncyCastle.
