[MRESOLVER-599] Sigstore Artifact Generator (#573)

This is similar to Gpg Artifact Generator, signs installed/deployed artifacts as "batch" at Resolver level. This, combined with "deployAtEnd" means all deployed artifacts are signed in one go, no need OIDC auth per module and 10 minute window may process more (as all artifacts are present when "deployAtend"). Still, the loop may need more, as if many artifacts being deployed, can the 10 minute window still be broken? --- https://issues.apache.org/jira/browse/MRESOLVER-599
apache · Oct 12, 2024 · 7b9214f · 7b9214f
1 parent 0b163cd
commit 7b9214f
Show file tree

Hide file tree

Showing 11 changed files with 789 additions and 91 deletions.
diff --git a/maven-resolver-generator-gnupg/pom.xml b/maven-resolver-generator-gnupg/pom.xml
@@ -33,7 +33,6 @@
 
   <properties>
     <javaVersion>17</javaVersion>
-    <bouncycastleVersion>1.78.1</bouncycastleVersion>
   </properties>
 
   <dependencies>
@@ -69,17 +68,14 @@
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcpg-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcprov-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
     <dependency>
       <groupId>org.bouncycastle</groupId>
       <artifactId>bcutil-jdk18on</artifactId>
-      <version>${bouncycastleVersion}</version>
     </dependency>
 
     <dependency>

diff --git a/maven-resolver-generator-sigstore/pom.xml b/maven-resolver-generator-sigstore/pom.xml
@@ -0,0 +1,127 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one
+  or more contributor license agreements.  See the NOTICE file
+  distributed with this work for additional information
+  regarding copyright ownership.  The ASF licenses this file
+  to you under the Apache License, Version 2.0 (the
+  "License"); you may not use this file except in compliance
+  with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing,
+  software distributed under the License is distributed on an
+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+  KIND, either express or implied.  See the License for the
+  specific language governing permissions and limitations
+  under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <parent>
+    <groupId>org.apache.maven.resolver</groupId>
+    <artifactId>maven-resolver</artifactId>
+    <version>2.0.2-SNAPSHOT</version>
+  </parent>
+
+  <artifactId>maven-resolver-generator-sigstore</artifactId>
+
+  <name>Maven Artifact Resolver Sigstore Signer Generator</name>
+  <description>A generator implementation for Sigstore signatures.</description>
+
+  <properties>
+    <javaVersion>17</javaVersion>
+    <sigstoreVersion>1.0.0</sigstoreVersion>
+  </properties>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-spi</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-util</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-api</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>javax.inject</groupId>
+      <artifactId>javax.inject</artifactId>
+      <scope>provided</scope>
+      <optional>true</optional>
+    </dependency>
+    <dependency>
+      <groupId>org.eclipse.sisu</groupId>
+      <artifactId>org.eclipse.sisu.inject</artifactId>
+      <scope>provided</scope>
+      <optional>true</optional>
+    </dependency>
+
+    <dependency>
+      <groupId>dev.sigstore</groupId>
+      <artifactId>sigstore-java</artifactId>
+      <version>${sigstoreVersion}</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcpg-jdk18on</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcprov-jdk18on</artifactId>
+    </dependency>
+    <dependency>
+      <groupId>org.bouncycastle</groupId>
+      <artifactId>bcutil-jdk18on</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.junit.jupiter</groupId>
+      <artifactId>junit-jupiter-api</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-test-util</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.slf4j</groupId>
+      <artifactId>slf4j-simple</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.mockito</groupId>
+      <artifactId>mockito-core</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.rat</groupId>
+        <artifactId>apache-rat-plugin</artifactId>
+        <configuration>
+          <excludes combine.children="append">
+            <exclude>src/test/resources/gpg-signing/**</exclude>
+          </excludes>
+        </configuration>
+      </plugin>
+      <plugin>
+        <groupId>org.eclipse.sisu</groupId>
+        <artifactId>sisu-maven-plugin</artifactId>
+      </plugin>
+    </plugins>
+  </build>
+</project>
diff --git a/...gstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreConfigurationKeys.java b/...gstore/src/main/java/org/eclipse/aether/generator/sigstore/SigstoreConfigurationKeys.java
@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.eclipse.aether.generator.sigstore;
+
+import org.eclipse.aether.ConfigurationProperties;
+import org.eclipse.aether.RepositorySystemSession;
+
+/**
+ * Configuration for Sigstore Signer.
+ *
+ * @since 2.0.2
+ */
+public final class SigstoreConfigurationKeys {
+    private SigstoreConfigurationKeys() {}
+
+    static final String NAME = "sigstore";
+
+    static final String CONFIG_PROPS_PREFIX = ConfigurationProperties.PREFIX_GENERATOR + NAME + ".";
+
+    /**
+     * Whether Sigstore signer is enabled.
+     *
+     * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
+     * @configurationType {@link Boolean}
+     * @configurationDefaultValue {@link #DEFAULT_ENABLED}
+     */
+    public static final String CONFIG_PROP_ENABLED = CONFIG_PROPS_PREFIX + "enabled";
+
+    public static final boolean DEFAULT_ENABLED = false;
+
+    /**
+     * Whether Sigstore should use public staging {@code sigstage.dev} instead of public default {@code sigstore.dev}.
+     *
+     * @configurationSource {@link RepositorySystemSession#getConfigProperties()}
+     * @configurationType {@link Boolean}
+     * @configurationDefaultValue {@link #DEFAULT_PUBLIC_STAGING}
+     */
+    public static final String CONFIG_PROP_PUBLIC_STAGING = CONFIG_PROPS_PREFIX + "publicStaging";
+
+    public static final boolean DEFAULT_PUBLIC_STAGING = false;
+}
diff --git a/...c/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java b/...c/main/java/org/eclipse/aether/generator/sigstore/SigstoreSignatureArtifactGenerator.java
@@ -0,0 +1,147 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.eclipse.aether.generator.sigstore;
+
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.GeneralSecurityException;
+import java.security.cert.X509Certificate;
+import java.time.temporal.ChronoUnit;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.function.Predicate;
+
+import dev.sigstore.KeylessSigner;
+import dev.sigstore.KeylessSignerException;
+import dev.sigstore.bundle.Bundle;
+import dev.sigstore.encryption.certificates.Certificates;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
+import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
+import org.eclipse.aether.util.FileUtils;
+import org.eclipse.aether.util.artifact.SubArtifact;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+final class SigstoreSignatureArtifactGenerator implements ArtifactGenerator {
+    private static final String ARTIFACT_EXTENSION = ".sigstore.json";
+    private final Logger logger = LoggerFactory.getLogger(getClass());
+    private final ArrayList<Artifact> artifacts;
+    private final Predicate<Artifact> signableArtifactPredicate;
+    private final boolean publicStaging;
+    private final ArrayList<Path> signatureTempFiles;
+
+    SigstoreSignatureArtifactGenerator(
+            Collection<Artifact> artifacts, Predicate<Artifact> signableArtifactPredicate, boolean publicStaging) {
+        this.artifacts = new ArrayList<>(artifacts);
+        this.signableArtifactPredicate = signableArtifactPredicate;
+        this.publicStaging = publicStaging;
+        this.signatureTempFiles = new ArrayList<>();
+        logger.debug("Created sigstore generator (publicStaging={})", publicStaging);
+    }
+
+    @Override
+    public String generatorId() {
+        return SigstoreSignatureArtifactGeneratorFactory.NAME;
+    }
+
+    @Override
+    public Collection<? extends Artifact> generate(Collection<? extends Artifact> generatedArtifacts) {
+        try {
+            artifacts.addAll(generatedArtifacts);
+
+            // back out if Sigstore signatures found among artifacts
+            if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
+                logger.debug("Sigstore signatures are present among artifacts, bailing out");
+                return Collections.emptyList();
+            }
+
+            // sign relevant artifacts
+            ArrayList<Artifact> result = new ArrayList<>();
+            try (KeylessSigner signer = publicStaging
+                    ? KeylessSigner.builder().sigstoreStagingDefaults().build()
+                    : KeylessSigner.builder().sigstorePublicDefaults().build()) {
+                for (Artifact artifact : artifacts) {
+                    if (signableArtifactPredicate.test(artifact)) {
+                        Path fileToSign = artifact.getPath();
+                        Path signatureTempFile = Files.createTempFile("signer-sigstore", "tmp");
+                        signatureTempFiles.add(signatureTempFile);
+
+                        logger.debug("Signing " + artifact);
+                        long start = System.currentTimeMillis();
+                        Bundle bundle = signer.signFile(fileToSign);
+
+                        X509Certificate cert = (X509Certificate)
+                                bundle.getCertPath().getCertificates().get(0);
+                        long durationMinutes = Certificates.validity(cert, ChronoUnit.MINUTES);
+
+                        logger.debug("  Fulcio certificate (valid for "
+                                + durationMinutes
+                                + " m) obtained for "
+                                + cert.getSubjectAlternativeNames()
+                                        .iterator()
+                                        .next()
+                                        .get(1)
+                                + " (by "
+                                + FulcioOidHelper.getIssuerV2(cert)
+                                + " IdP)");
+
+                        FileUtils.writeFile(signatureTempFile, p -> Files.writeString(p, bundle.toJson()));
+
+                        long duration = System.currentTimeMillis() - start;
+                        logger.debug("  > Rekor entry "
+                                + bundle.getEntries().get(0).getLogIndex()
+                                + " obtained in "
+                                + duration
+                                + " ms, saved to "
+                                + signatureTempFile);
+
+                        result.add(new SubArtifact(
+                                artifact,
+                                artifact.getClassifier(),
+                                artifact.getExtension() + ARTIFACT_EXTENSION,
+                                signatureTempFile.toFile()));
+                    }
+                }
+            }
+            logger.info("Signed {} artifacts with Sigstore", result.size());
+            return result;
+        } catch (GeneralSecurityException e) {
+            throw new IllegalArgumentException("Preparation problem", e);
+        } catch (KeylessSignerException e) {
+            throw new IllegalStateException("Processing problem", e);
+        } catch (IOException e) {
+            throw new UncheckedIOException("IO problem", e);
+        }
+    }
+
+    @Override
+    public void close() {
+        signatureTempFiles.forEach(p -> {
+            try {
+                Files.deleteIfExists(p);
+            } catch (IOException e) {
+                p.toFile().deleteOnExit();
+            }
+        });
+    }
+}