gpg and sigstore sign publications #602

Merged: 1 commit, Jan 10, 2024
Conversation

@loosebazooka (Member) commented Jan 8, 2024

fyi @vlsi I removed the stage/vote plugin because it seemed a bit heavy weight for what I was looking for. Just simple signing.

In my tests, these also set up signing .sigstore with PGP. I'm not sure what I'm missing.

build.gradle.kts (outdated review comment on lines 33 to 35):
allprojects {
version = rootProject.version
}

Collaborator:

This was conditionally adding -SNAPSHOT when building non-release version. I believe we would like to keep building -SNAPSHOT versions by default.

Member Author:

ah gotcha. I can fix that.

@vlsi (Collaborator) commented Jan 9, 2024

We explicitly skip signing .asc and .sigstore files in

However, Gradle treats almost everything to be PGP signable, and I doubt there's currently a way to opt-out: https://github.com/gradle/gradle/blob/6cd94ba7c5e1c4672b59b0f6a192f92855fb0043/platforms/software/signing/src/main/java/org/gradle/plugins/signing/Sign.java#L183-L184

@ljacomet , does it mean we should file an issue to Gradle so it could exclude certain files from PGP-signing?

A workaround could be to avoid calling Gradle's sign(Publication) and iterate over allPublishableArtifacts like we do in

and call artifact-based sign(PublishArtifact) after we check it is not a sigstore one.

Another workaround could be removing the unwanted signatures by calling afterEvaluate { Sign.signatures.remove(...) }
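
The symptom discussed in this thread (Gradle's sign(Publication) producing a PGP signature over the Sigstore bundle itself) shows up in the staged repository as files such as foo.jar.sigstore.asc. The following audit is an added example, not code from sigstore-java or Gradle: it walks a list of paths in a Maven repository layout and reports nested signatures plus artifacts that lack either signature type. The sample listing, the com/example coordinates and the choice of .asc/.sigstore suffixes are constructed assumptions.

```python
import re

# Maven-publish also emits checksum files for every published file; they are
# not artifacts and are ignored here (assumed suffix list).
CHECKSUM_RE = re.compile(r"\.(md5|sha1|sha256|sha512)$")
PGP_EXT = ".asc"
SIGSTORE_EXT = ".sigstore"


def audit_signatures(paths):
    """Classify files of a staged Maven repository layout.

    Returns a dict with three sorted lists:
      nested           - a signature that was itself signed (e.g. foo.jar.sigstore.asc),
                         which is what happens when the Sigstore bundle is part of the
                         publication that Gradle's Sign task PGP-signs;
      missing_pgp      - artifacts with no .asc signature;
      missing_sigstore - artifacts with no .sigstore bundle.
    """
    artifacts, pgp, sigstore, nested = set(), set(), set(), []
    for path in paths:
        if CHECKSUM_RE.search(path) or path.endswith("maven-metadata.xml"):
            continue
        if path.endswith(PGP_EXT):
            base = path[: -len(PGP_EXT)]
            if base.endswith(SIGSTORE_EXT):
                nested.append(path)  # PGP signature over a Sigstore bundle
            else:
                pgp.add(base)
        elif path.endswith(SIGSTORE_EXT):
            base = path[: -len(SIGSTORE_EXT)]
            if base.endswith(PGP_EXT):
                nested.append(path)  # Sigstore bundle over a PGP signature
            else:
                sigstore.add(base)
        else:
            artifacts.add(path)
    return {
        "nested": sorted(nested),
        "missing_pgp": sorted(artifacts - pgp),
        "missing_sigstore": sorted(artifacts - sigstore),
    }


# Constructed sample listing; not a real sigstore-java release.
SAMPLE = [
    "com/example/lib/1.2.3/lib-1.2.3.jar",
    "com/example/lib/1.2.3/lib-1.2.3.jar.asc",
    "com/example/lib/1.2.3/lib-1.2.3.jar.sigstore",
    "com/example/lib/1.2.3/lib-1.2.3.jar.sigstore.asc",  # the unwanted nested signature
    "com/example/lib/1.2.3/lib-1.2.3.jar.sha256",
    "com/example/lib/1.2.3/lib-1.2.3.pom",
    "com/example/lib/1.2.3/lib-1.2.3.pom.asc",
    "com/example/lib/1.2.3/lib-1.2.3.pom.sigstore",
    "com/example/lib/1.2.3/lib-1.2.3.module",
    "com/example/lib/1.2.3/lib-1.2.3.module.asc",  # Gradle module file without a bundle
    "com/example/lib/maven-metadata.xml",
]

if __name__ == "__main__":
    for kind, files in audit_signatures(SAMPLE).items():
        print(kind, files)
```

Running it over a real staging directory only needs the path list swapped for the result of walking that directory.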

@loosebazooka (Member Author):

I don't mind doing afterEvaluate { Sign.signatures.remove(...) } for this project, for now while we work this out.

@vlsi (Collaborator) commented Jan 9, 2024

Another workaround could be removing the unwanted signatures by calling afterEvaluate { Sign.signatures.remove(...) }

We might factor and ship this as a helper plugin so the users could produce .sigstore without .asc as well.

@loosebazooka (Member Author):

Unfortunately the artifacts don't all seem to be available in the afterEvaluate block. I can only modify the .module and .pom files?

@loosebazooka (Member Author) commented Jan 9, 2024

I'm also not sure how to convert PublicationArtifact to PublishArtifact. Never mind, I think I misunderstood your suggestion.

@loosebazooka (Member Author):

@vlsi, how about we merge this for now and work on the ignoring .sigstore files in an update?

@loosebazooka loosebazooka merged commit 38e59f4 into main Jan 10, 2024
15 checks passed
@loosebazooka loosebazooka deleted the setup-signing branch January 10, 2024 18:41