Fix #203 : assemble-maven-repository should include PGP signatures in the P2 site (#228)

laeubi · web-flow · commit 1f94567eed48 · 2021-08-21T10:32:59.000+02:00
* Fix #203 : assemble-maven-repository should include PGP signatures in the P2 site Signed-off-by: Christoph Läubrich <laeubi@laeubi-soft.de>
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -4,6 +4,10 @@ This page describes the noteworthy improvements provided by each release of Ecli
 
 ## Next release...
 
+### [Support for PGP Signatures in maven-p2 sites](https://github.com/eclipse/tycho/issues/203)
+
+The `assemble-maven-repository` mojo now supports embedding the PGP signature of maven artifacts to allow additional verifications and trust decisions.
+
 ### Support for new m2e-pde features
 
 Tycho supports the new m2e-pde features regarding [multiple dependencies per target](https://github.com/eclipse-m2e/m2e-core/blob/master/RELEASE_NOTES.md#the-m2e-pde-editor-now-supports-adding-more-than-one-dependency-per-target-location) and specifying [extra repositories in the target](https://github.com/eclipse-m2e/m2e-core/blob/master/RELEASE_NOTES.md#the-m2e-pde-editor-now-supports-adding-additional-maven-repoistories-for-a-target-location).
@@ -46,18 +50,18 @@ From now on this restriction is no longer true and one is able to execute unit-t
 Tycho also includes a new tycho-failsafe mojo, that is similar to the maven one:
  - it executes at the integration-test phase but do not fail the build if a test fails, instead a summary file is written
  - the outcome of the tests are checked in the verify phase (and fail the build there if neccesary)
- - this allows to hook some setup/teardown mojos (e.g. start webservers, ...) in the pre-integration-test phase and to safly tear them down in the post-integration test phase (thus the name 'failsafe' see [tycho-failsafe-faq](https://maven.apache.org/surefire/maven-failsafe-plugin/faq.html) for some more details
+ - this allows to hook some setup/teardown mojos (e.g. start webservers, ...) in the pre-integration-test phase and to safely tear them down in the post-integration test phase (thus the name 'failsafe' see [tycho-failsafe-faq](https://maven.apache.org/surefire/maven-failsafe-plugin/faq.html) for some more details
 
 Given you have the above setup you create an integration-test (executed in an OSGi runtime like traditional tycho-surefire mojo) as following:
 
 - create a new test that mathes the pattern `*IT.java` (or configure a different pattern that do not intersects with the surefire test pattern)
 - run your it with `mvn verify`
 
-:warning: If you where previously using `-Dtest=....` on the root level of your build tree it might now be neccesary to also include `-Dsurefire.failIfNoSpecifiedTests=false` as maven-surefire might otherwhise complain about 
+:warning: If you where previously using `-Dtest=....` on the root level of your build tree it might now be necessary to also include `-Dsurefire.failIfNoSpecifiedTests=false` as maven-surefire might otherwise complain about 
 
 > No tests were executed! (Set -DfailIfNoTests=false to ignore this error.)
 
-for your eclipse-plugin packaged project if they do not match anything (the error message is a bit missleading, thsi is tracked in [SUREFIRE-1910](https://issues.apache.org/jira/browse/SUREFIRE-1910)).
+for your eclipse-plugin packaged project if they do not match anything (the error message is a bit misleading, this is tracked in [SUREFIRE-1910](https://issues.apache.org/jira/browse/SUREFIRE-1910)).
 
 
 ### [Enhanced support for debug output in surefire-tests](https://github.com/eclipse/tycho/issues/52) 
@@ -88,7 +92,7 @@ Tycho now understands the `additional.bundles` directive in the `build.propertie
 
 ### Create p2 repository referencing Maven artifacts
 
-A new mojo [tycho-p2-repository-plugin:assemble-maven-repository](https://www.eclipse.org/tycho/sitedocs/tycho-p2-repository-plugin/assemble-maven-repository.html) was added to enable creation of p2 repositories directly from Maven artifact references. This removes the usual need to create a target definition and a category.xml for this task.
+A new mojo [tycho-p2-repository-plugin:assemble-maven-repository](https://www.eclipse.org/tycho/sitedocs/tycho-p2/tycho-p2-repository-plugin/assemble-maven-repository-mojo.html) was added to enable creation of p2 repositories directly from Maven artifact references. This removes the usual need to create a target definition and a category.xml for this task.
 
 ### [Skip Tycho dependency-resolution for clean-only builds by default](https://github.com/eclipse/tycho/issues/166)
 
diff --git a/tycho-bundles/org.eclipse.tycho.p2.tools.impl/src/main/java/org/eclipse/tycho/p2/tools/publisher/PGPSignatureAdvice.java b/tycho-bundles/org.eclipse.tycho.p2.tools.impl/src/main/java/org/eclipse/tycho/p2/tools/publisher/PGPSignatureAdvice.java
@@ -0,0 +1,68 @@
+/*******************************************************************************
+ * Copyright (c) 2021 Christoph Läubrich and others.
+ * This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License 2.0
+ * which accompanies this distribution, and is available at
+ * https://www.eclipse.org/legal/epl-2.0/
+ *
+ * SPDX-License-Identifier: EPL-2.0
+ *
+ * Contributors:
+ *     Christoph Läubrich - initial API and implementation
+ *******************************************************************************/
+package org.eclipse.tycho.p2.tools.publisher;
+
+import java.util.Map;
+
+import org.eclipse.equinox.p2.metadata.IInstallableUnit;
+import org.eclipse.equinox.p2.metadata.MetadataFactory.InstallableUnitDescription;
+import org.eclipse.equinox.p2.metadata.Version;
+import org.eclipse.equinox.p2.publisher.AbstractAdvice;
+import org.eclipse.equinox.p2.publisher.actions.IPropertyAdvice;
+import org.eclipse.equinox.p2.repository.artifact.IArtifactDescriptor;
+import org.eclipse.equinox.p2.repository.artifact.spi.ArtifactDescriptor;
+
+@SuppressWarnings("restriction")
+public class PGPSignatureAdvice extends AbstractAdvice implements IPropertyAdvice {
+    private final String id;
+    private final Version version;
+    private final String signature;
+
+    public PGPSignatureAdvice(String id, Version version, String signature) {
+        this.id = id;
+        this.version = version;
+        this.signature = signature;
+    }
+
+    @Override
+    protected String getId() {
+        return id;
+    }
+
+    @Override
+    protected Version getVersion() {
+        return version;
+    }
+
+    @Override
+    public Map<String, String> getInstallableUnitProperties(InstallableUnitDescription iu) {
+        return null;
+    }
+
+    @Override
+    public boolean isApplicable(String configSpec, boolean includeDefault, String candidateId,
+            Version candidateVersion) {
+        return id.equals(candidateId) && version.equals(candidateVersion);
+    }
+
+    @Override
+    public Map<String, String> getArtifactProperties(IInstallableUnit iu, IArtifactDescriptor descriptor) {
+        // workaround Bug 539672
+        if (descriptor instanceof ArtifactDescriptor) {
+            ArtifactDescriptor artifactDescriptor = (ArtifactDescriptor) descriptor;
+            artifactDescriptor.setProperty("pgp.signatures", signature);
+        }
+        return null;
+    }
+
+}
diff --git a/tycho-bundles/org.eclipse.tycho.p2.tools.impl/src/main/java/org/eclipse/tycho/p2/tools/publisher/TychoFeaturesAndBundlesPublisherApplication.java b/tycho-bundles/org.eclipse.tycho.p2.tools.impl/src/main/java/org/eclipse/tycho/p2/tools/publisher/TychoFeaturesAndBundlesPublisherApplication.java
@@ -58,8 +58,10 @@ public class TychoFeaturesAndBundlesPublisherApplication extends AbstractPublish
     private static final String MAVEN_PREFIX = "maven-";
     private BundleDescription[] bundles;
     private File[] advices;
+    private String[] signatures;
     private URI categoryDefinition;
     private String[] rules;
+    private String publicKeys;
 
     @Override
     public Object run(PublisherInfo publisherInfo) throws Exception {
@@ -75,6 +77,9 @@ public Object run(PublisherInfo publisherInfo) throws Exception {
                 SimpleArtifactRepository repo = (SimpleArtifactRepository) repoFactory.load(artifactLocation,
                         IRepositoryManager.REPOSITORY_HINT_MODIFIABLE, null);
                 repo.setRules(newRules);
+                if (publicKeys != null) {
+                    repo.setProperty("pgp.publicKeys", publicKeys);
+                }
                 repo.save();
             }
         }
@@ -85,41 +90,49 @@ public Object run(PublisherInfo publisherInfo) throws Exception {
     protected void processParameter(String arg, String parameter, PublisherInfo publisherInfo)
             throws URISyntaxException {
         super.processParameter(arg, parameter, publisherInfo);
+
         if (arg.equalsIgnoreCase("-bundles")) {
-            bundles = Arrays.stream(AbstractPublisherAction.getArrayFromString(parameter, ",")).map(File::new)
-                    .map(t -> {
-                        try {
-                            return BundlesAction.createBundleDescription(t);
-                        } catch (IOException | BundleException e) {
-                            //ignoring files that are "not bundles" they will be skipped on the later steps
-                            return null;
-                        }
-                    }).toArray(BundleDescription[]::new);
-        }
-        if (arg.equalsIgnoreCase("-bundlesFile")) {
             bundles = Arrays.stream(getArrayFromFile(parameter)).map(File::new).map(t -> {
                 try {
                     return BundlesAction.createBundleDescription(t);
                 } catch (IOException | BundleException e) {
                     //ignoring files that are "not bundles" they will be skipped on the later steps
+                    System.out.println("Ignore " + t.getName() + " as it is not a bundle!");
                     return null;
                 }
             }).toArray(BundleDescription[]::new);
         }
         if (arg.equalsIgnoreCase("-advices")) {
-            advices = Arrays.stream(AbstractPublisherAction.getArrayFromString(parameter, ","))
-                    .map(str -> str.isBlank() ? null : new File(str)).toArray(File[]::new);
-        }
-        if (arg.equalsIgnoreCase("-advicesFile")) {
             advices = Arrays.stream(getArrayFromFile(parameter)).map(str -> str.isBlank() ? null : new File(str))
                     .toArray(File[]::new);
         }
+        if (arg.equalsIgnoreCase("-signatures")) {
+            signatures = Arrays.stream(getArrayFromFile(parameter)).map(str -> str.isBlank() ? null : new File(str))
+                    .map(file -> {
+                        if (file == null) {
+                            return null;
+                        }
+                        try {
+                            return FileUtils.readFileToString(file, StandardCharsets.US_ASCII);
+                        } catch (IOException e) {
+                            // skip unreadable files...
+                            return null;
+                        }
+                    }).toArray(String[]::new);
+        }
         if (arg.equalsIgnoreCase("-categoryDefinition")) {
             categoryDefinition = URIUtil.fromString(parameter);
         }
         if (arg.equalsIgnoreCase("-rules")) {
             rules = AbstractPublisherAction.getArrayFromString(parameter, ",");
         }
+        if (arg.equalsIgnoreCase("-publicKeys")) {
+            try {
+                publicKeys = FileUtils.readFileToString(new File(parameter), StandardCharsets.US_ASCII);
+            } catch (IOException e) {
+                throw new URISyntaxException(parameter, "can't read public key file: " + e);
+            }
+        }
     }
 
     private String[] getArrayFromFile(String parameter) {
@@ -139,7 +152,7 @@ protected IPublisherAction[] createActions() {
             for (int i = 0; i < advices.length; i++) {
                 File adviceFile = advices[i];
                 BundleDescription bundleDescription;
-                if (i >= bundles.length - 1 || (bundleDescription = bundles[i]) == null) {
+                if (i >= bundles.length || (bundleDescription = bundles[i]) == null) {
                     continue;
                 }
                 String symbolicName = bundleDescription.getSymbolicName();
@@ -194,6 +207,28 @@ public Map<String, String> getInstallableUnitProperties(InstallableUnitDescripti
                 result.add(new AdviceFilePublisherAction(advicesList));
             }
         }
+        if (signatures != null) {
+            List<PGPSignatureAdvice> signaturesList = new ArrayList<>();
+            for (int i = 0; i < signatures.length; i++) {
+                String signature = signatures[i];
+                if (signature == null) {
+                    //no signature...
+                    continue;
+                }
+                BundleDescription bundleDescription;
+                if (i >= bundles.length || (bundleDescription = bundles[i]) == null) {
+                    continue;
+                }
+                String symbolicName = bundleDescription.getSymbolicName();
+                if (symbolicName == null) {
+                    //not a bundle... no signature...
+                    continue;
+                }
+                signaturesList.add(new PGPSignatureAdvice(symbolicName,
+                        PublisherHelper.fromOSGiVersion(bundleDescription.getVersion()), signature));
+            }
+            result.add(new SignaturePublisherAction(signaturesList));
+        }
         if (bundles != null) {
             result.add(new BundlesAction(bundles));
         }
@@ -203,6 +238,24 @@ public Map<String, String> getInstallableUnitProperties(InstallableUnitDescripti
         return result.toArray(IPublisherAction[]::new);
     }
 
+    private static final class SignaturePublisherAction extends AbstractPublisherAction {
+
+        private List<PGPSignatureAdvice> signaturesList;
+
+        public SignaturePublisherAction(List<PGPSignatureAdvice> signaturesList) {
+            this.signaturesList = signaturesList;
+        }
+
+        @Override
+        public IStatus perform(IPublisherInfo publisherInfo, IPublisherResult results, IProgressMonitor monitor) {
+            for (PGPSignatureAdvice signature : signaturesList) {
+                publisherInfo.addAdvice(signature);
+            }
+            return Status.OK_STATUS;
+        }
+
+    }
+
     private static final class AdviceFilePublisherAction extends AbstractPublisherAction {
 
         private List<AdviceFileAdvice> advicesList;
diff --git a/tycho-its/projects/p2mavensite.pgp/pom.xml b/tycho-its/projects/p2mavensite.pgp/pom.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+	<modelVersion>4.0.0</modelVersion>
+	<groupId>org.eclipse.tycho.it</groupId>
+	<artifactId>issue-203-parent</artifactId>
+	<version>1.0.0</version>
+	<packaging>pom</packaging>
+	<properties>
+		<tycho-version>2.5.0-SNAPSHOT</tycho-version>
+	</properties>
+	<modules>
+		<module>site</module>
+	</modules>
+</project>
diff --git a/tycho-its/projects/p2mavensite.pgp/site/pom.xml b/tycho-its/projects/p2mavensite.pgp/site/pom.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project>
+
+	<parent>
+		<groupId>org.eclipse.tycho.it</groupId>
+		<artifactId>issue-203-parent</artifactId>
+		<version>1.0.0</version>
+	</parent>
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>pgp-site</artifactId>
+	<packaging>pom</packaging>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.eclipse.tycho</groupId>
+				<artifactId>tycho-p2-repository-plugin</artifactId>
+				<version>${tycho-version}</version>
+				<executions>
+					<execution>
+						<configuration>
+							<categoryName>PGP Site</categoryName>
+							<includeDependencies>true</includeDependencies>
+							<includePGPSignature>true</includePGPSignature>
+						</configuration>
+						<id>maven-p2-site</id>
+						<phase>package</phase>
+						<goals>
+							<goal>assemble-maven-repository</goal>
+						</goals>
+					</execution>
+					<execution>
+						<id></id>
+						<phase>verify</phase>
+						<goals>
+							<goal>verify-repository</goal>
+						</goals>
+						<inherited>false</inherited>
+						<configuration>
+						</configuration>
+					</execution>
+				</executions>
+			</plugin>
+		</plugins>
+	</build>
+
+	<dependencies>
+		<dependency>
+			<groupId>org.apache.commons</groupId>
+			<artifactId>commons-numbers-core</artifactId>
+			<version>1.0-beta1</version>
+		</dependency>
+	</dependencies>
+
+</project>
diff --git a/tycho-its/src/test/java/org/eclipse/tycho/test/p2Repository/MavenP2SiteTest.java b/tycho-its/src/test/java/org/eclipse/tycho/test/p2Repository/MavenP2SiteTest.java
@@ -33,9 +33,7 @@ public void testProduceConsume() throws Exception {
             Verifier verifier = getVerifier("p2mavensite/producer", false);
             verifier.executeGoals(asList("clean", "install"));
             verifier.verifyErrorFreeLog();
-            assertTrue(new File(verifier.getBasedir(), "target/repository/artifacts.xml").exists());
-            assertTrue(new File(verifier.getBasedir(), "target/repository/content.xml").exists());
-            assertTrue(new File(verifier.getBasedir(), "target/p2-site.zip").exists());
+            verifyRepositoryExits(verifier, "");
         }
         { // consumer
             Verifier verifier = getVerifier("p2mavensite/consumer", false);
@@ -49,10 +47,29 @@ public void testDeployIgnore() throws Exception {
         Verifier verifier = getVerifier("p2mavensite.reactor", false);
         verifier.executeGoals(asList("install"));
         verifier.verifyErrorFreeLog();
+        verifyRepositoryExits(verifier, "site/");
         String artifacts = FileUtils
                 .readFileToString(new File(verifier.getBasedir(), "site/target/repository/artifacts.xml"), "UTF-8");
         assertTrue("artifact to deploy is missing", artifacts.contains("id='org.eclipse.tycho.it.deployme'"));
         assertFalse("artifact is deployed but should't", artifacts.contains("id='org.eclipse.tycho.it.ignoreme'"));
-        assertFalse("artifact is deployed but should't", artifacts.contains("id='org.eclipse.tycho.it.ignoreme-property'"));
+        assertFalse("artifact is deployed but should't",
+                artifacts.contains("id='org.eclipse.tycho.it.ignoreme-property'"));
+    }
+
+    @Test
+    public void testPGP() throws Exception {
+        Verifier verifier = getVerifier("p2mavensite.pgp", false);
+        verifier.executeGoals(asList("clean", "install"));
+        verifier.verifyErrorFreeLog();
+        verifyRepositoryExits(verifier, "site/");
+    }
+
+    protected void verifyRepositoryExits(Verifier verifier, String subdir) {
+        File artifacts = new File(verifier.getBasedir(), subdir + "target/repository/artifacts.xml");
+        assertTrue(artifacts.getAbsolutePath() + " is missing", artifacts.exists());
+        File content = new File(verifier.getBasedir(), subdir + "target/repository/content.xml");
+        assertTrue(content.getAbsolutePath() + " is missing", content.exists());
+        File site = new File(verifier.getBasedir(), subdir + "target/p2-site.zip");
+        assertTrue(site.getAbsolutePath() + " is missing", site.exists());
     }
 }
diff --git a/tycho-p2/tycho-p2-repository-plugin/pom.xml b/tycho-p2/tycho-p2-repository-plugin/pom.xml
@@ -45,6 +45,11 @@
 			<artifactId>sisu-equinox-launching</artifactId>
 			<version>${project.version}</version>
 		</dependency>
+		<dependency>
+			<groupId>org.bouncycastle</groupId>
+			<artifactId>bcpg-jdk16</artifactId>
+			<version>1.46</version>
+		</dependency>
 	</dependencies>
 
 </project>
diff --git a/tycho-p2/tycho-p2-repository-plugin/src/main/java/org/eclipse/tycho/plugins/p2/repository/MavenP2SiteMojo.java b/tycho-p2/tycho-p2-repository-plugin/src/main/java/org/eclipse/tycho/plugins/p2/repository/MavenP2SiteMojo.java
