initial test at signing with sigstore

[hboutemy]

PoC using sigstore-java that does all the heavy sigstore work: https://github.com/sigstore/sigstore-java

• copying GpgSignAttachedMojo.java logic to create SigstoreSignAttachedMojo.java (I will probably refactor GpgSignAttachedMojo.java later to make algorithm independant from signature details more visible: extract FilesCollector #45 )
• many parts are still missing for plugin configuration to support other sigstore servers than default ones (currently using hardcoded staging sivgstore env, to avoid polluting production while testing)
• not sure at all that maven-gpg-plugin will be the right target location for this feature: we'll need to think about it
• I don't know how to create integration tests, given sigstore workflow requires user interaction for authentication
• going step by step on the scope of signature:
  • signing multiple artifacts in one module should be a breeze
  • signing multiple modules will require to check that signature session is reused
  • signing a huge build that spans more than the 10 minutes of a signature session will probably require another strategy to avoid re-authentication process
• basic code does not work yet for obscure reason:

$ mvn clean install

$ mvn -Papache-release clean deploy -DaltDeploymentRepository=local::default::file:./target/staging-deploy
...
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.1.0-SNAPSHOT:sigstore (sigstore-sign-release-artifacts) on project maven-gpg-plugin:
   Error while signing with sigstore: CANCELLED: Failed to read message.
   class dev.sigstore.fulcio.v2.CertificateChain tried to access method 'com.google.protobuf.LazyStringArrayList com.google.protobuf.LazyStringArrayList.emptyList()' (dev.sigstore.fulcio.v2.CertificateChain and com.google.protobuf.LazyStringArrayList are in unnamed module of loader org.codehaus.plexus.classworlds.realm.ClassRealm @3eedbc30) -> [Help 1]

[hboutemy]

with the following commit, IT WORKS
thanks to Vladimir Sitnikov for debugging the dependency list:

com.google.protobuf:protobuf-java:jar:3.21.9
and then
com.google.protobuf:protobuf-java-util:jar:3.22.0
That’s not gonna fly.

adding one additional shortcoming to solve: we need o avoid .sigstore.md5 and .sigstore.sha1 files creation...

[hboutemy]

tested today with a multi-module build: currently, each module (having its own classloader) has its own sigstore signature sessions, then an OIDC flow. Not the best UX, but IMHO the 10 minutes timespan is the most important shortcoming issue to solve, that will also solve the multi-module experience

another key aspect to solve is adding sigstore signature verification to pgpverify-maven-plugin or equivalent. From a UX perspective, filing the keys map (which in sisgstore is not a key id but an OIDC identity) with checked data remains hard...

[hboutemy]

• avoid .sigstore.asc = GPG signing of sigstore signature: done in maven-gpg-plugin 3.1.0 MGPG-95 (could be coded in plugin's config before...)
• avoid .md5 and .sha1 for .sigstore: done in Maven Resolver 1.9.10 MRESOLVER-360 / Maven 3.9.2, can be configured for eariler Maven releases 3b186f1

remaining known limitation: OIDC auth required on each module, even when plugin put as extension
(and of course, this is not yet beyond the 10 minutes signing session time)

[cstamas]

@hboutemy can this PR be removed? Is this still valid?

[cstamas]

@hboutemy ping ^