signatory

Split the `signing` module

This commit splits the `signing` module into another `security` project so that we can reuse some code for dependency verification. It's worth noting that some of the classes had to remain in the `plugins` package because they were public APIs. Further effort to split them out may be done later.

    • -0
    • +40
    ./internal/ConfigurableSignatoryProvider.java
    • -94
    • +0
    ./internal/gnupg/GnupgSettings.java
    • -118
    • +0
    ./internal/gnupg/GnupgSignatory.java
    • -71
    • +0
    ./internal/gnupg/GnupgSignatoryFactory.java
    • -33
    • +8
    ./internal/gnupg/GnupgSignatoryProvider.java
    • -85
    • +10
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 61 more files in changeset.
Fix some lgtm alerts

  1. … 11 more files in changeset.
signing plugin: use SHA512 instead of SHA1 when signing artifacts

PGP signs a digest, so MITM is still possible provided an attacker can update the artifact in such a way that its SHA1 is intact.

Relevant article is https://medium.com/@jonathan.leitschuh/many-of-these-gpg-signatures-are-signed-with-sha-1-which-is-vulnerable-to-a-second-preimage-attack-67104d827930

Signed-off-by: Vladimir Sitnikov <sitnikov.vladimir@gmail.com>

De-incubate signing pre-5.0

    • -2
    • +0
    ./internal/gnupg/GnupgSignatoryProvider.java
  1. … 2 more files in changeset.
Supporting in-memory signing subkeys

Issue: #10363

Signed-off-by: Sergey Zhemzhitsky <szhemzhitski@gmail.com>

    • -9
    • +42
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 2 more files in changeset.
Apply `Anonymous type can be replaced with lambda` inspection the whole project

    • -10
    • +5
    ./internal/gnupg/GnupgSignatory.java
  1. … 666 more files in changeset.
Apply `Explicit type can be replaced with <>` inspection the whole project

    • -1
    • +1
    ./internal/gnupg/GnupgSignatoryProvider.java
  1. … 906 more files in changeset.
Organize imports

  1. … 339 more files in changeset.
Replace anonymous classes with lambdas

    • -10
    • +5
    ./internal/gnupg/GnupgSignatory.java
  1. … 711 more files in changeset.
Replace anonymous classes with lambdas

  1. … 695 more files in changeset.
Remove synthetic accessors for internal private symbol references

    • -1
    • +1
    ./internal/gnupg/GnupgSignatoryProvider.java
    • -1
    • +1
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 899 more files in changeset.
Remove synthetic accessors for internal private symbol references

    • -1
    • +1
    ./internal/gnupg/GnupgSignatoryProvider.java
    • -1
    • +1
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 887 more files in changeset.
Remove synthetic accessors for internal private symbol references

    • -1
    • +1
    ./internal/gnupg/GnupgSignatoryProvider.java
    • -1
    • +1
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 894 more files in changeset.
Add missing @Override to all modules

Signed-off-by: Paul Merlin <paul@gradle.com>

  1. … 1005 more files in changeset.
Add missing @Override to all modules

Signed-off-by: Paul Merlin <paul@gradle.com>

  1. … 999 more files in changeset.
WIP

    • -0
    • +103
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 13 more files in changeset.
Introduce SigningExtension.useInMemoryPgpKeys()

This commit adds an alternative signatory provider that works with ascii-armored in-memory PGP keys instead of keyring files. This is often easier to set up on CI servers and more secure because there never is a persistent file that contains the secret key. The user manual is updated with a sample that demonstrates how to pass key and password using environment variables.

    • -0
    • +103
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 13 more files in changeset.
Introduce SigningExtension.useInMemoryPgpKeys()

This commit adds an alternative signatory provider that works with ascii-armored in-memory PGP keys instead of keyring files. This is often easier to set up on CI servers and more secure because there never is a persistent file that contains the secret key. The user manual is updated with a sample that demonstrates how to pass key and password using environment variables.

    • -0
    • +103
    ./internal/pgp/InMemoryPgpSignatoryProvider.java
  1. … 10 more files in changeset.
spelling: strictly

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

spelling: implementer

Signed-off-by: Josh Soref <jsoref@users.noreply.github.com>

  1. … 10 more files in changeset.
Improve declared inputs and outputs of Sign task

Input and output files are now tracked via the task's `Signatures`. In addition, the `Signatory` and `SignatureType` are now inputs.

Resolves #7381.

  1. … 6 more files in changeset.
Fix handling of InterruptedExceptions

These exceptions were handled incorrectly throughout the whole codebase, usually rethrown without restoring the interrupt status or discarded entirely. This means that the system would not stop executing even though the user wanted it to. In some cases this also left the system in an inconsistent state, leading to deadlocks.

The most notable changes include:

- UncheckedException.rethrow automatically restores the interrupt status
- AsyncDispatch is guaranteed to deliver its messages, even when interrupted
- ExecHandle cancels the started process if it is interrupted while waiting
- ExecHandle disconnects from the process' output before killing it
- The worker API cancels the started work items if it is interrupted
- ManagedExecutors shut down immediately if they are interrupted while stopping
- We no longer log exceptions caused by interruption to the console
- Interrupting our caches no longer leaks file locks

  1. … 38 more files in changeset.
Internalize gnupg classes

Signed-off-by: Bo Zhang <bo@gradle.com>

    • -73
    • +0
    ./gnupg/GnupgSignatoryProvider.java
    • -0
    • +96
    ./internal/gnupg/GnupgSettings.java
    • -0
    • +120
    ./internal/gnupg/GnupgSignatory.java
    • -0
    • +73
    ./internal/gnupg/GnupgSignatoryFactory.java
    • -0
    • +73
    ./internal/gnupg/GnupgSignatoryProvider.java
    • -0
    • +20
    ./internal/gnupg/package-info.java
  1. … 2 more files in changeset.
Polish up integration tests for gpg cmd

Signed-off-by: Bo Zhang <bo@gradle.com>

    • -2
    • +17
    ./gnupg/GnupgSignatoryProvider.java
  1. … 9 more files in changeset.
Adds @Incubating and @since

Signed-off-by: Bo Zhang <bo@gradle.com>

Rename Signatory.getInputProperty() to getKeyId()

The new name collides with an already existing method in PgpSignatory which returned the key in a different format. Since this method was only used in two test cases, these have been modified to work with the new method instead.

  1. … 2 more files in changeset.