[MRESOLVER-301] Artifact generators SPI and GnuPG signature generator

[cstamas]

Artifact generators and one implementation: GnuPG Signer.

The "signer" generator is simple module for signing artifacts with GnuPG Signer.

---

https://issues.apache.org/jira/browse/MRESOLVER-301

[slawekjaranowski]

At first time looks a complicated a bit.

I can test it in next weekend - I need more time for it.

first questions:

• What is difference about gpg singnature and md5, sha checksums - why not use the same same existing implementation - we simply want generate a checksum or signature

• What future will be for m-gpg-p when we move generating of signatures to resolver and finaly to Maven core ... yes I see that it is a extension but ...

By the way I think we should discuss such (for me big) architecture change on ML.

[cstamas]

Q1: checksums: they are tightly coupled into "basic connector". Historically, "connector" was the transport abstraction, but later "connector + transport" was introduced, and connector deals with checksums ONLY. Original issue was "deal with signatures as with checksums" but this is a no-go, as connector is (theoretically) swappable, while true, we have only "basic" connector and no other implementation. IMHO, we should eventually remove the abstraction from connector and accept that "basic" is THE connector we use.
Q2: First, it is an extension, yes. Second, I see no problem with resolver signing, as to me, it seems like "natural fit". If you think about, signer plugins usually do something and "attach" the result. Am fine with both, and as far I am concerned, the two can coexists even (maybe add some logic to signer to remain dormant if signatures discovered).

[cstamas]

Also, "artifact generator" is one thing, and its use for "signing" is another.

If we remain at "publishing to Central" domain, where PGP signature is enforced, and signing, I am not satisfied with any of existing solutions:

• maven-sign-plugin uses gpg executable
• takari-sign-plugin cannot do ED25519 (but have cool ideas)
• s4u sign plugin unused in ASF (but have cool ideas)

So I just "brought" the best of all here. At least, that was my intent. And yes, IMO, "signing" is natural fit for "artifact generator" and IMO we should not complicate our build/POMs for something that is an expected requirement (is like we'd need to add a plugin to POM to create checksums, something also required to publish to Central).

Also, "signer" is extensible, so it does not have to get GnuPG, it could be something else as well... so in this way, it is not in Maven Core (wired in), but can progress and change, maybe as an extension.

[michael-o]

I don't have any opinion and cannot object.

[michael-o]

I'll leave the decision to others.

[cstamas]

By the way I think we should discuss such (for me big) architecture change on ML.

@slawekjaranowski this is not "big architectural change" at all, just another option. I modified current PR to:

• enabled GnuPG signer step back, if signatures detected among deployable artifacts (ie bui;d uses plugin that produces .asc signatures)
• by default signer is disabled (even if present as extension)

[gnodet]

Mostly coding style issues

[gnodet]

Why not public instead of final with a public constructor and protected fields ? Why would not people be allowed to extend it ?

[gnodet]

Is the final keyword needed ?

[gnodet]

Same here

[gnodet]

Same...

[gnodet]

protected ?

[gnodet]

I don't see how final is useful. The static analysis very well knows if a variable is final or not.

[cstamas]

Fixed

[gnodet]

Once again ?

[cstamas]

Fixed

[cstamas]

For other a general answer: I do agree with all your comments, but

• Resolver whole codebase is done as this, and we may want to change all these, but for now there are a lot of package protected and final classes, I did not want to disturb this coherence. But I do agree about non-final/public/protected fields.
• BUT, extending JSR330 annotated component is a no-no (hence final)
• I like how these classes are being prevented to be tampered with. If someone needs this, can copy, but I don't want to be hindered a year after, as somecome tells me I broke "compatibility" with his app (where he uses or extends these classes).

So, yes, I agree, but this is why not IMO.

[cstamas]

Added UT for signer (for now does not assert much). Also verified locally the whole signing workflow along with agent, and it all works nicely, while verified produced signatures with gpg CLI.

The test on purpose use Ed25519 key, as that is where the future moves to.

[slawekjaranowski]

There are many new Factories ... do we need all of them?

[slawekjaranowski]

It is only one implementation of SignerArtifactGeneratorFactory
why we put it in new module ... maybe should be in maven-resolver-impl

[slawekjaranowski]

next factory similar to ArtifactGeneratorFactory

[slawekjaranowski]

This property ARTIFACT_SIGNER_ID is only used in this place .... why we add it?

[slawekjaranowski]

generatedArtifacts is an empty list at beginning - so how we discover artifacts to sign in artifactGenerator.generate

[slawekjaranowski]

ok - I see we heve materialized artifact list in org.eclipse.aether.generator.signer.SignerArtifactGenerator
It is look too complicated

[slawekjaranowski]

I only see that UnixDomainSocketAddress used in GpgAgentPasswordLoader requres JDK 16+
so I don't see connections with Jetty

[cstamas]

Originally it was 11 as Jetty 10.x we use as client and as server (in http-test) required 11, but now upped to 17.
Will change it: "jetty needs 11, generator-signer needs 17"

[cstamas]

fixed

[slawekjaranowski]

unused constant

[cstamas]

fixed

[slawekjaranowski]

keyId should also be provided by environment value

[cstamas]

fixed, now only exists "loaders" (3 of them: env, conf and agent)

[cstamas]

@slawekjaranowski general remark:

• spi defines ArtifactGenerators, there can exist more of those in the system
• generator-signer hooks into this (is one implementation of generators), and define Signers
• gpg is one Signer implementation

But also:

• there may be multiple generators, see how they are ordered, and the idea is that "signer generator" is last, and it should sign all the deployed but also "so far generated" artifacts (if they are relevant).
• gpg may not be the only one signer either
• moreover, another signer may sign differently than gpp. Gpg signs each artifact, but another signer may provide one signature for all "relevant" artifacts.

[cstamas]

@michael-o @slawekjaranowski @gnodet pls review again.

Reworked, as layout was "improper" for signer (is transport and remote repository related). What was actually missing was the ArtifactPredicate (that recognizes artifact hashes and also configured extensions without hashes). This config was never per-remote repository, so it felt right to be moved to new component. Maven2 repo layout updated accordingly. Finally, this change revealed a (doc) bug: remote repo checksums ARE configurable per remote repository, but doco did not reflect that.

[cstamas]

So to recap, what I tried to explain to Slawek. This PR:

• defines Artifact Generator SPI (there may be multiple of those present in system)
• defines Signer Artifact Generator that is one provider for SPI, that defines Signer API (there may be multiple of those present in system)
• implements GpgSigner that is one Signer implementation provided out of the box

Naturally, as generators are ordered, signer generator is expected to be "among last" and sign not only artifacts in request (install/deploy) but also "so far generated artifacts" (if they are relevant).

[gnodet]

So to recap, what I tried to explain to Slawek. This PR:

• defines Artifact Generator SPI (there may be multiple of those present in system)
• defines Signer Artifact Generator that is one provider for SPI, that defines Signer API (there may be multiple of those present in system)

Now that you put it that way, I'm not really convinced we need a Signer SPI here. The code of the ArtifactGenerator which calls the signers is trivial, so it seems to me that the GpgSigner could directly implement the Artifact Generator SPI.

• implements GpgSigner that is one Signer implementation provided out of the box

Naturally, as generators are ordered, signer generator is expected to be "among last" and sign not only artifacts in request (install/deploy) but also "so far generated artifacts" (if they are relevant).

[cstamas]

Now that you put it that way, I'm not really convinced we need a Signer SPI here. The code of the ArtifactGenerator which calls the signers is trivial, so it seems to me that the GpgSigner could directly implement the Artifact Generator SPI.

Agreed, will simplify it more, but the question begs: "generator-signer" module name becomes wrong, no? Should it be maybe "generator-gnupg (or gpg)" instead?

[gnodet]

Now that you put it that way, I'm not really convinced we need a Signer SPI here. The code of the ArtifactGenerator which calls the signers is trivial, so it seems to me that the GpgSigner could directly implement the Artifact Generator SPI.

Agreed, will simplify it more, but the question begs: "generator-signer" module name becomes wrong, no? Should it be maybe "generator-gnupg (or gpg)" instead?

Yes, I think that would make more sense.

[cstamas]

Collapsed code and renamed to generator-gnupg