[MRESOLVER-599] Sigstore Artifact Generator

maven-resolver-generator-gnupg/pom.xml

@@ -33,7 +33,6 @@
 
   <properties>
     <javaVersion>17</javaVersion>
-    <bouncycastleVersion>1.78.1</bouncycastleVersion>
   </properties>
 
   <dependencies>
@@ -69,17 +68,14 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpg-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcutil-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
 
     <dependency>

maven-resolver-generator-sigstore/pom.xml

@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.maven.resolver</groupId>
+    <artifactId>maven-resolver</artifactId>
+    <version>2.0.2-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>maven-resolver-generator-sigstore</artifactId>
+
+  <name>Maven Artifact Resolver Sigstore Signer Generator</name>
+  <description>A generator implementation for Sigstore signatures.</description>
+
+  <properties>
+    <javaVersion>17</javaVersion>
+    <sigstoreVersion>1.0.0</sigstoreVersion>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-spi</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-util</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.inject</groupId>
+      <artifactId>javax.inject</artifactId>
+      <scope>provided</scope>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.sisu</groupId>
+      <artifactId>org.eclipse.sisu.inject</artifactId>
+      <scope>provided</scope>
+      <optional>true</optional>
+    </dependency>
+
+    <dependency>
+      <groupId>dev.sigstore</groupId>
+      <artifactId>sigstore-java</artifactId>
+      <version>${sigstoreVersion}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpg-jdk18on</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcutil-jdk18on</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-test-util</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.rat</groupId>
+        <artifactId>apache-rat-plugin</artifactId>
+        <configuration>
+          <excludes combine.children="append">
+            <exclude>src/test/resources/gpg-signing/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.eclipse.sisu</groupId>
+        <artifactId>sisu-maven-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+</project>

maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreConfigurationKeys.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.eclipse.aether.generator.sigstore;
+
+import org.eclipse.aether.ConfigurationProperties;
+import org.eclipse.aether.RepositorySystemSession;
+
+/**
+ * Configuration for Sigstore Signer.
+ *
+ * @since 2.0.2
+ */
+public final class SigstoreConfigurationKeys {
+    private SigstoreConfigurationKeys() {}
+
+    static final String NAME = "sigstore";
+
+    static final String CONFIG_PROPS_PREFIX = ConfigurationProperties.PREFIX_GENERATOR + NAME + ".";
+
+    /**
+     * Whether Sigstore signer is enabled.
+     *
+     * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
+     * @configurationType {@link Boolean}
+     * @configurationDefaultValue {@link #DEFAULT_ENABLED}
+     */
+    public static final String CONFIG_PROP_ENABLED = CONFIG_PROPS_PREFIX + "enabled";
+
+    public static final boolean DEFAULT_ENABLED = false;
+
+    /**
+     * Whether Sigstore should use public staging {@code sigstage.dev} instead of public default {@code sigstore.dev}.
+     *
+     * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
+     * @configurationType {@link Boolean}
+     * @configurationDefaultValue {@link #DEFAULT_PUBLIC_STAGING}
+     */
+    public static final String CONFIG_PROP_PUBLIC_STAGING = CONFIG_PROPS_PREFIX + "publicStaging";
+
+    public static final boolean DEFAULT_PUBLIC_STAGING = false;
+}

maven-resolver-generator-sigstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java

@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.eclipse.aether.generator.sigstore;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.function.Predicate;
+
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.KeylessSignerException;
+import dev.sigstore.bundle.Bundle;
+import dev.sigstore.encryption.certificates.Certificates;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
+import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
+import org.eclipse.aether.util.FileUtils;
+import org.eclipse.aether.util.artifact.SubArtifact;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+final class SigstoreSignatureArtifactGenerator implements ArtifactGenerator {
+    private static final String ARTIFACT_EXTENSION = ".sigstore.json";
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+    private final ArrayList<Artifact> artifacts;
+    private final Predicate<Artifact> signableArtifactPredicate;
+    private final boolean publicStaging;
+    private final ArrayList<Path> signatureTempFiles;
+
+    SigstoreSignatureArtifactGenerator(
+            Collection<Artifact> artifacts, Predicate<Artifact> signableArtifactPredicate, boolean publicStaging) {
+        this.artifacts = new ArrayList<>(artifacts);
+        this.signableArtifactPredicate = signableArtifactPredicate;
+        this.publicStaging = publicStaging;
+        this.signatureTempFiles = new ArrayList<>();
+        logger.debug("Created sigstore generator (publicStaging={})", publicStaging);
+    }
+
+    @Override
+    public String generatorId() {
+        return SigstoreSignatureArtifactGeneratorFactory.NAME;
+    }
+
+    @Override
+    public Collection<? extends Artifact> generate(Collection<? extends Artifact> generatedArtifacts) {
+        try {
+            artifacts.addAll(generatedArtifacts);
+
+            // back out if Sigstore signatures found among artifacts
+            if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
+                logger.debug("Sigstore signatures are present among artifacts, bailing out");
+                return Collections.emptyList();
+            }
+
+            // sign relevant artifacts
+            ArrayList<Artifact> result = new ArrayList<>();
+            try (KeylessSigner signer = publicStaging
+                    ? KeylessSigner.builder().sigstoreStagingDefaults().build()
+                    : KeylessSigner.builder().sigstorePublicDefaults().build()) {
+                for (Artifact artifact : artifacts) {
+                    if (signableArtifactPredicate.test(artifact)) {
+                        Path fileToSign = artifact.getPath();
+                        Path signatureTempFile = Files.createTempFile("signer-sigstore", "tmp");
+                        signatureTempFiles.add(signatureTempFile);
+
+                        logger.debug("Signing " + artifact);
+                        long start = System.currentTimeMillis();
+                        Bundle bundle = signer.signFile(fileToSign);
+
+                        X509Certificate cert = (X509Certificate)
+                                bundle.getCertPath().getCertificates().get(0);
+                        long durationMinutes = Certificates.validity(cert, ChronoUnit.MINUTES);
+
+                        logger.debug("  Fulcio certificate (valid for "
+                                + durationMinutes
+                                + " m) obtained for "
+                                + cert.getSubjectAlternativeNames()
+                                        .iterator()
+                                        .next()
+                                        .get(1)
+                                + " (by "
+                                + FulcioOidHelper.getIssuerV2(cert)
+                                + " IdP)");
+
+                        FileUtils.writeFile(signatureTempFile, p -> Files.writeString(p, bundle.toJson()));
+
+                        long duration = System.currentTimeMillis() - start;
+                        logger.debug("  > Rekor entry "
+                                + bundle.getEntries().get(0).getLogIndex()
+                                + " obtained in "
+                                + duration
+                                + " ms, saved to "
+                                + signatureTempFile);
+
+                        result.add(new SubArtifact(
+                                artifact,
+                                artifact.getClassifier(),
+                                artifact.getExtension() + ARTIFACT_EXTENSION,
+                                signatureTempFile.toFile()));
+                    }
+                }
+            }
+            logger.info("Signed {} artifacts with Sigstore", result.size());
+            return result;
+        } catch (GeneralSecurityException e) {
+            throw new IllegalArgumentException("Preparation problem", e);
+        } catch (KeylessSignerException e) {
+            throw new IllegalStateException("Processing problem", e);
+        } catch (IOException e) {
+            throw new UncheckedIOException("IO problem", e);
+        }
+    }
+
+    @Override
+    public void close() {
+        signatureTempFiles.forEach(p -> {
+            try {
+                Files.deleteIfExists(p);
+            } catch (IOException e) {
+                p.toFile().deleteOnExit();
+            }
+        });
+    }
+}