initial test at signing with sigstore

.mvn/maven.config

@@ -0,0 +1 @@
+-Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore

pgp-keys-map.list

@@ -33,3 +33,34 @@ org.slf4j:slf4j-api = 0x475F3B8E59E6E63AA78067482C7B12F2A511E325
 org.sonatype.plexus:plexus-cipher = 0x9FFED7A118D45A44E4A1E47130E6F80434A72A7F
 org.sonatype.plexus:plexus-sec-dispatcher = 0x2BCBDD0F23EA1CAFCC11D4860374CF2E8DD1BDFD
 org.sonatype.sisu = 0xBA926F64CA647B6D853A38672E2010F8A7FF4A41
+
+dev.sigstore = 0xF6B17CDEEE2BB5BB7D04667D4BE41A4907BCD034
+# sigstore signature https://repo.maven.apache.org/maven2/dev/sigstore/sigstore-java/0.4.0/sigstore-java-0.4.0.jar.sigstore
+# decoded with https://search.sigstore.dev/?logIndex=16039467
+#  Subject Alternative Name (critical):
+#    email:
+#    - [email protected]
+#  OIDC Issuer: https://accounts.google.com
+
+com.google.http-client = 0x47504B76CF89C15C0512D9AFE16AB52D79FD224F
+io.opencensus = 0x600EA202B1EC682F4A788E5AAC7A514BC9F9BB70
+commons-logging:commons-logging = 0x0CC641C3A62453AB390066C4A41F13C999945293
+org.apache.httpcomponents = 0x0785B3EFF60B1B1BEA94E0BB7C25280EAE63EBE5
+io.github.erdtman:java-json-canonicalization = 0x4556208EBE484FBA3984DC3D3D4FA1A9DB2FB4F4
+com.google.api.grpc:proto-google-common-protos = 0x47504B76CF89C15C0512D9AFE16AB52D79FD224F
+com.google.protobuf = 0x2E5B73C6EFD2EB453104C2EAE6EC76B4C6D3AE8E
+com.google.code.findbugs = 0x7616EB882DAF57A11477AAF559A252FB1199D873
+com.google.errorprone:error_prone_annotations = 0xE77417AC194160A3FABD04969A259C7EE636C5ED
+com.google.guava:guava = 0xBDB5FA4FE719D787FB3D3197F6D4A1D411E9D1AE
+com.google.guava:failureaccess = 0x56ED3B4843DAACC79DE555557457CA33C3CE9E15
+com.google.guava:listenablefuture = 0xBDB5FA4FE719D787FB3D3197F6D4A1D411E9D1AE
+org.checkerframework:checker-qual = 0x19BEAB2D799C020F17C69126B16698A4ADF4D638
+com.google.j2objc:j2objc-annotations = 0xB801E2F8EF035068EC1139CC29579F18FA8FD93B
+io.grpc = 0xB02335AA54CCF21E52BBF9ABD9C565AA72BA2FDD
+commons-codec:commons-codec = 0xBC87A3FD0A54480F0BADBEBD21939FF0CA2A6567
+com.google.code.gson:gson = 0xC7BE5BCC9FEC15518CFDA882B0F3710FA64900E7
+org.bouncycastle = 0x08F0AAB4D0C1A4BDDE340765B341DDB020FCB6AB
+com.google.oauth-client = 0x47504B76CF89C15C0512D9AFE16AB52D79FD224F
+io.perfmark:perfmark-api = 0xC6F7D1C804C821F49AF3BFC13AD93C3C677A106E
+com.google.android:annotations = 0x0F07D1201BDDAB67CFB84EB479752DB6C966F0B8
+org.codehaus.mojo:animal-sniffer-annotations = 0xF254B35617DC255D9344BCFA873A8E86B4372146

pom.xml

@@ -61,12 +61,24 @@ under the License.
 
   <properties>
     <mavenVersion>3.2.5</mavenVersion>
-    <javaVersion>8</javaVersion>
+    <javaVersion>11</javaVersion>
+    <maven.compiler.release>${javaVersion}</maven.compiler.release>
     <project.build.outputTimestamp>2023-05-03T01:33:44Z</project.build.outputTimestamp>
     <resource.delimiter>@</resource.delimiter>
   </properties>
 
   <dependencies>
+    <dependency>
+      <groupId>dev.sigstore</groupId>
+      <artifactId>sigstore-java</artifactId>
+      <version>0.4.0</version>
+    </dependency>
+    <dependency>
+      <groupId>com.google.protobuf</groupId>
+      <artifactId>protobuf-java</artifactId>
+      <version>3.22.0</version>
+      <scope>runtime</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven</groupId>
       <artifactId>maven-plugin-api</artifactId>
@@ -249,6 +261,15 @@ under the License.
           </execution>
         </executions>
       </plugin>
+      <plugin>
+        <groupId>org.apache.rat</groupId>
+        <artifactId>apache-rat-plugin</artifactId>
+        <configuration>
+          <excludes>
+            <exclude>.mvn/maven.config</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
     </plugins>
   </build>
 
@@ -305,5 +326,37 @@ under the License.
         </plugins>
       </build>
     </profile>
+
+    <profile>
+      <id>apache-release</id>
+      <build>
+        <pluginManagement>
+          <plugins>
+            <plugin>
+              <groupId>org.apache.maven.plugins</groupId>
+              <artifactId>maven-gpg-plugin</artifactId>
+              <version>${project.version}</version>
+            </plugin>
+          </plugins>
+        </pluginManagement>
+        <plugins>
+          <plugin>
+            <groupId>org.apache.maven.plugins</groupId>
+            <artifactId>maven-gpg-plugin</artifactId>
+            <configuration>
+              <public-staging>true</public-staging>
+            </configuration>
+            <executions>
+              <execution>
+                <id>sigstore-sign-release-artifacts</id>
+                <goals>
+                  <goal>sigstore</goal>
+                </goals>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 </project>

src/main/java/org/apache/maven/plugins/sigstore/SigstoreSignAttachedMojo.java

@@ -0,0 +1,157 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.plugins.sigstore;
+
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+import java.io.File;
+import java.security.cert.X509Certificate;
+import java.util.List;
+
+import dev.sigstore.KeylessSignature;
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.bundle.BundleFactory;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugin.MojoExecutionException;
+import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.Component;
+import org.apache.maven.plugins.annotations.LifecyclePhase;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.apache.maven.plugins.gpg.FilesCollector;
+import org.apache.maven.project.MavenProject;
+import org.apache.maven.project.MavenProjectHelper;
+import org.codehaus.plexus.util.FileUtils;
+
+/**
+ * Sign project artifact, the POM, and attached artifacts with sigstore for deployment.
+ *
+ * @since 3.1.1
+ */
+@Mojo(name = "sigstore", defaultPhase = LifecyclePhase.VERIFY, threadSafe = true)
+public class SigstoreSignAttachedMojo extends AbstractMojo {
+
+    /**
+     * Skip doing the gpg signing.
+     */
+    @Parameter(property = "sigstore.skip", defaultValue = "false")
+    private boolean skip;
+
+    /**
+     * A list of files to exclude from being signed. Can contain Ant-style wildcards and double wildcards. The default
+     * excludes are <code>**&#47;*.md5 **&#47;*.sha1 **&#47;*.sha256 **&#47;*.sha512 **&#47;*.asc **&#47;*.sigstore</code>.
+     */
+    @Parameter
+    private String[] excludes;
+
+    /**
+     * Use public staging {@code sigstage.dev} instead of public default {@code sigstore.dev}.
+     */
+    @Parameter(defaultValue = "false", property = "public-staging")
+    private boolean publicStaging;
+
+    /**
+     * The Maven project.
+     */
+    @Parameter(defaultValue = "${project}", readonly = true)
+    private MavenProject project;
+
+    /**
+     * Maven ProjectHelper
+     */
+    @Component
+    private MavenProjectHelper projectHelper;
+
+    @Override
+    public void execute() throws MojoExecutionException, MojoFailureException {
+        if (skip) {
+            // We're skipping the signing stuff
+            return;
+        }
+
+        // ----------------------------------------------------------------------------
+        // Collect files to sign
+        // ----------------------------------------------------------------------------
+
+        FilesCollector collector = new FilesCollector(project, excludes, getLog());
+        List<FilesCollector.Item> items = collector.collect();
+
+        // ----------------------------------------------------------------------------
+        // Sign the filesToSign and attach all the signatures
+        // ----------------------------------------------------------------------------
+
+        getLog().info("Signing " + items.size() + " file" + ((items.size() > 1) ? "s" : "") + ".");
+
+        try {
+            KeylessSigner signer;
+
+            if (publicStaging) {
+                signer = KeylessSigner.builder().sigstoreStagingDefaults().build();
+            } else {
+                signer = KeylessSigner.builder().sigstorePublicDefaults().build();
+            }
+
+            for (FilesCollector.Item item : items) {
+                File fileToSign = item.getFile();
+
+                getLog().info("Signing " + fileToSign);
+                long start = System.currentTimeMillis();
+                KeylessSignature signature = signer.signFile(fileToSign.toPath());
+
+                // sigstore signature in bundle format (json string)
+                String sigstoreBundle = BundleFactory.createBundle(signature);
+
+                File signatureFile = new File(fileToSign + ".sigstore");
+                FileUtils.fileWrite(signatureFile, "UTF-8", sigstoreBundle);
+
+                long duration = System.currentTimeMillis() - start;
+                getLog().info("        > " + signatureFile.getName() + " in " + duration + " ms");
+
+                projectHelper.attachArtifact(
+                        project, item.getExtension() + ".sigstore", item.getClassifier(), signatureFile);
+
+                getLog().info("          Rekor logIndex: "
+                        + signature.getEntry().get().getLogIndex());
+                X509Certificate cert = (X509Certificate)
+                        signature.getCertPath().getCertificates().get(0);
+                getLog().info("          Certificate Issuer DN: " + cert.getIssuerDN());
+                getLog().info("                      Subject Alternative Names: " + cert.getSubjectAlternativeNames());
+            }
+        } catch (Exception e) {
+            throw new MojoExecutionException("Error while signing with sigstore", e);
+        }
+    }
+}