Posted to issues@maven.apache.org by "hboutemy (via GitHub)" <gi...@apache.org> on 2023/04/12 03:02:26 UTC

[GitHub] [maven-gpg-plugin] hboutemy opened a new pull request, #43: initial test at signing with sigstore

hboutemy opened a new pull request, #43:
URL: https://github.com/apache/maven-gpg-plugin/pull/43

   PoC using sigstore-java that does all the heavy sigstore work: https://github.com/sigstore/sigstore-java
   
   - copying `GpgSignAttachedMojo.java` logic to create `SigstoreSignAttachedMojo.java`
   - many parts are still missing for plugin configuration to support other sigstore servers than default ones
   - not sure at all that maven-gpg-plugin will be the right target location for this feature
   - does not work yet for obscure reason:
   ```
   $ mvn clean install
   
   $ mvn -Papache-release clean deploy
   ...
   [ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.1.0-SNAPSHOT:sigstore (sigstore-sign-release-artifacts) on project maven-gpg-plugin:
      Error while signing with sigstore: CANCELLED: Failed to read message.
      class dev.sigstore.fulcio.v2.CertificateChain tried to access method 'com.google.protobuf.LazyStringArrayList com.google.protobuf.LazyStringArrayList.emptyList()' (dev.sigstore.fulcio.v2.CertificateChain and com.google.protobuf.LazyStringArrayList are in unnamed module of loader org.codehaus.plexus.classworlds.realm.ClassRealm @3eedbc30) -> [Help 1]
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@maven.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [maven-gpg-plugin] hboutemy commented on pull request #43: initial test at signing with sigstore

Posted by "hboutemy (via GitHub)" <gi...@apache.org>.
hboutemy commented on PR #43:
URL: https://github.com/apache/maven-gpg-plugin/pull/43#issuecomment-1537361726

   - avoid .sigstore.asc = GPG signing of sigstore signature: done in maven-gpg-plugin 3.1.0 [MGPG-95](https://issues.apache.org/jira/browse/MGPG-95) (could be coded in plugin's config before...)
   - avoid .md5 and .sha1 for .sigstore: done in Maven Resolver 1.9.10 [MRESOLVER-360](https://issues.apache.org/jira/browse/MRESOLVER-360) / Maven 3.9.2, can be configured for earlier Maven releases [3b186f1](https://github.com/apache/maven-gpg-plugin/pull/43/commits/3b186f1e8c3bcfc01fa21cec988de73fced70a5f)



[GitHub] [maven-gpg-plugin] hboutemy commented on pull request #43: initial test at signing with sigstore

Posted by "hboutemy (via GitHub)" <gi...@apache.org>.
hboutemy commented on PR #43:
URL: https://github.com/apache/maven-gpg-plugin/pull/43#issuecomment-1509026313

   with the following commit, IT WORKS
   thanks to Vladimir Sitnikov for debugging the dependency list:
   > `com.google.protobuf:protobuf-java:jar:3.21.9`
   > and then
   > `com.google.protobuf:protobuf-java-util:jar:3.22.0`
   > That’s not gonna fly.


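One way to catch and fix the protobuf mismatch quoted in the comment above from the consuming build's POM, added here as an example that is not part of the PR or of maven-gpg-plugin: pin `protobuf-java` and `protobuf-java-util` to a single version in `dependencyManagement` (`3.22.0` is assumed, matching the newer of the two quoted artifacts), and let the Enforcer `dependencyConvergence` rule fail the build whenever two transitive paths disagree on a version again.

```xml
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Both protobuf artifacts on one version; mixing 3.21.x and 3.22.x
           surfaces at runtime as the IllegalAccessError seen in the PR.
           3.22.0 is an assumed value for this example. -->
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java</artifactId>
        <version>3.22.0</version>
      </dependency>
      <dependency>
        <groupId>com.google.protobuf</groupId>
        <artifactId>protobuf-java-util</artifactId>
        <version>3.22.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <!-- add the enforcer version your build uses; none is assumed here -->
        <executions>
          <execution>
            <id>enforce-dependency-convergence</id>
            <goals>
              <goal>enforce</goal>
            </goals>
            <configuration>
              <rules>
                <!-- fails when the same artifact resolves to different
                     versions through different dependency paths -->
                <dependencyConvergence/>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To see which path pulled in the older protobuf before pinning, `mvn dependency:tree -Dincludes=com.google.protobuf` lists only the protobuf artifacts and the dependencies that brought them in.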

[GitHub] [maven-gpg-plugin] hboutemy commented on pull request #43: initial test at signing with sigstore

Posted by "hboutemy (via GitHub)" <gi...@apache.org>.
hboutemy commented on PR #43:
URL: https://github.com/apache/maven-gpg-plugin/pull/43#issuecomment-1512260642

   tested today with a multi-module build: currently, each module (having its own classloader) has its own sigstore signature session, then an OIDC flow. Not the best UX, but IMHO the 10-minute timespan is the most important shortcoming issue to solve, that will also solve the multi-module experience
   
   another key aspect to solve is adding sigstore signature verification to [pgpverify-maven-plugin](https://www.simplify4u.org/pgpverify-maven-plugin/) or equivalent. From a UX perspective, filling the keys map (which in sigstore is not a key id but an OIDC identity) with checked data remains hard...
