Go back to shelling out to gpg. Bouncy Castle is a pit of horrors.

dev-resources/hooke-1.1.1.pom

@@ -0,0 +1,75 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <groupId>robert</groupId>
+  <artifactId>hooke</artifactId>
+  <packaging>jar</packaging>
+  <version>1.2.0</version>
+  <name>hooke</name>
+  <licenses>
+    <license>
+      <name>Eclipse Public License</name>
+      <url>http://www.eclipse.org/legal/epl-v10.html</url>
+    </license>
+  </licenses>
+  <scm>
+    <connection>scm:git:git://github.com/technomancy/robert-hooke.git</connection>
+    <developerConnection>scm:git:ssh://git@github.com/technomancy/robert-hooke.git</developerConnection>
+    <tag>e0d11489a2421592a545847d352f168a939eafeb</tag>
+    <url>https://github.com/technomancy/robert-hooke</url>
+  </scm>
+  <build>
+    <sourceDirectory>src</sourceDirectory>
+    <testSourceDirectory>test</testSourceDirectory>
+    <resources>
+      <resource>
+        <directory>resources</directory>
+      </resource>
+    </resources>
+    <testResources>
+      <testResource>
+        <directory>dev-resources</directory>
+      </testResource>
+      <testResource>
+        <directory>resources</directory>
+      </testResource>
+    </testResources>
+    <directory>target</directory>
+    <outputDirectory>target/classes</outputDirectory>
+  </build>
+  <repositories>
+    <repository>
+      <id>central</id>
+      <url>http://repo1.maven.org/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+    <repository>
+      <id>clojars</id>
+      <url>https://clojars.org/repo/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
+    </repository>
+  </repositories>
+  <dependencies>
+    <dependency>
+      <groupId>org.clojure</groupId>
+      <artifactId>clojure</artifactId>
+      <version>1.4.0</version>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
+
+<!-- This file was autogenerated by Leiningen.
+  Please do not edit it directly; instead edit project.clj and regenerate it.
+  It should not be considered canonical data. For more information see
+  https://github.com/technomancy/leiningen -->

dev-resources/hooke-1.1.2.jar.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQEbBAABAgAGBQJQdJMAAAoJEE0jHTttgAF4mv0H+I0Cut5EbKnvCZctY9KvJJqN
+07Q4f8gwq7kPx/DGtIyd9rXTSchg0j5R/rg19MSM8yXF+LoYbrmTsqkjkiSu4Sv8
+M3bbeIfxD0rBtu2jmb6zqQcbPX3/j+urdqZKRdqeLvK3sr1fjbqUfTzyG1+hvsJR
+uP3R8a74UKDiRLhaBn/HtH0Kl8t236TGWBbVdXO57YggdXw1CJm32jjU14PUB6mp
+Vee90bFhiNv03i07c+NETmOQiiR+AohP7Iom4lYzs6IaotdejXyuyNbKlIbpDSqu
+YS9Ez0OvB60zSseht2V0eqa+/PANDIUskUr1SRVKF6sfWSCGZsWCNAbGdJb53w==
+=+70a
+-----END PGP SIGNATURE-----

dev-resources/hooke-1.1.2.pom

@@ -1,15 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<project>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
   <modelVersion>4.0.0</modelVersion>
   <groupId>robert</groupId>
   <artifactId>hooke</artifactId>
-  <version>1.1.2</version>
+  <packaging>jar</packaging>
+  <version>1.2.0</version>
   <name>hooke</name>
   <description>Hooke your functions!</description>
+  <url>https://github.com/technomancy/robert-hooke</url>
+  <licenses>
+    <license>
+      <name>Eclipse Public License</name>
+      <url>http://www.eclipse.org/legal/epl-v10.html</url>
+    </license>
+  </licenses>
   <scm>
     <connection>scm:git:git://github.com/technomancy/robert-hooke.git</connection>
     <developerConnection>scm:git:ssh://git@github.com/technomancy/robert-hooke.git</developerConnection>
-    <tag>19ce36f7a3b0704cdcde821ebf4b4721ec903efb</tag>
+    <tag>e0d11489a2421592a545847d352f168a939eafeb</tag>
     <url>https://github.com/technomancy/robert-hooke</url>
   </scm>
   <build>
@@ -22,34 +30,48 @@
     </resources>
     <testResources>
       <testResource>
-        <directory>test-resources</directory>
+        <directory>dev-resources</directory>
+      </testResource>
+      <testResource>
+        <directory>resources</directory>
       </testResource>
     </testResources>
+    <directory>target</directory>
+    <outputDirectory>target/classes</outputDirectory>
   </build>
   <repositories>
     <repository>
       <id>central</id>
-      <url>http://repo1.maven.org/maven2</url>
-    </repository>
-    <repository>
-      <id>clojure</id>
-      <url>http://build.clojure.org/releases</url>
-    </repository>
-    <repository>
-      <id>clojure-snapshots</id>
-      <url>http://build.clojure.org/snapshots</url>
+      <url>http://repo1.maven.org/maven2/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
     </repository>
     <repository>
       <id>clojars</id>
-      <url>http://clojars.org/repo/</url>
+      <url>https://clojars.org/repo/</url>
+      <snapshots>
+        <enabled>true</enabled>
+      </snapshots>
+      <releases>
+        <enabled>true</enabled>
+      </releases>
     </repository>
   </repositories>
   <dependencies>
     <dependency>
       <groupId>org.clojure</groupId>
       <artifactId>clojure</artifactId>
-      <version>1.3.0-beta1</version>
+      <version>1.4.0</version>
       <scope>test</scope>
     </dependency>
   </dependencies>
 </project>
+
+<!-- This file was autogenerated by Leiningen.
+  Please do not edit it directly; instead edit project.clj and regenerate it.
+  It should not be considered canonical data. For more information see
+  https://github.com/technomancy/leiningen -->

dev-resources/hooke-1.1.2.pom.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+iQEcBAABAgAGBQJQdJL4AAoJEE0jHTttgAF4neIH/3P2E6PcNXMJUZWVrIC+YK1b
+FdnuUqL+a8mLYOT1gJkYdnIMM+GhgfWTi6MNTOtaO7ctE1i6rPk2ulW3wCybjN4G
+UwosW1uGthnOjlMcfaOB5hzq71emwgMslmyUn3OhN5qddw4StPuBL166Hj0ebd5M
+QdKFmWLekRJDXzKZ9+cv/MJ19MI3NTrQ1q8dCmfwOJp28WnwQvhg/RMiTRr/q5wE
+RYov2zs57bbEPVH9MvYPJW3EjgxAMdxpDg+7pyrFALdiZum/o8O6BluMTrOz8gEj
+ruD3Z2avIhRVMJGISA2vK9ffdv6NSjgUNRktbi2+n4t31oJJ8xWlDg07zLUscbQ=
+=zHFU
+-----END PGP SIGNATURE-----

project.clj

@@ -11,7 +11,6 @@
                  [hiccup "1.0.1"]
                  [cheshire "2.2.2"]
                  [korma "0.3.0-beta10"]
-                 [alice "0.0.1-SNAPSHOT"]
                  [org.clojars.ato/nailgun "0.7.1"]
                  [org.xerial/sqlite-jdbc "3.6.17"]
                  [org.apache.commons/commons-email "1.2"]

src/clojars/promote.clj

@@ -5,12 +5,12 @@
             [clojure.java.io :as io]
             [clojure.java.shell :as sh]
             [clojure.java.jdbc :as sql]
-            [alice.sign :as sign]
+            [clojure.string :as str]
             [cemerick.pomegranate.aether :as aether]
             [korma.core :refer [select fields where update set-fields]])
   (:import (java.util.concurrent LinkedBlockingQueue)
            (org.springframework.aws.maven SimpleStorageServiceWagon)
-           (java.io ByteArrayInputStream)))
+           (java.io File ByteArrayInputStream PrintWriter)))
 
 (defn file-for [group artifact version extension]
   (let [filename (format "%s-%s.%s" artifact version extension)]
@@ -31,14 +31,21 @@
     blockers
     (conj blockers (str "Missing " (name field)))))
 
-(defn signed-with? [file sig-file key]
-  (try (sign/verify file sig-file (ByteArrayInputStream. (.getBytes key)))
-       (catch Exception e false)))
+;; if you think this looks crazy, you should see what it looked like
+;; with bouncy castle.
+(defn signed-with? [file sig-file keys]
+  (let [temp-home (str (doto (File/createTempFile "clojars" "gpg")
+                         .delete .mkdirs (.setReadable true true)))]
+    (sh/sh "gpg" "--homedir" home "--import" :in (str/join "\n" keys))
+    (let [{:keys [exit out err]} (sh/sh "gpg" "--homedir" temp-home
+                                        "--verify" (str sig-file) (str file))]
+      (doseq [f (reverse (file-seq (io/file temp-home)))] (.delete f))
+      (zero? exit))))
 
 (defn signed? [blockers file keys]
   (let [sig-file (str file ".asc")]
     (if (and (.exists (io/file sig-file))
-             (some (partial signed-with? file sig-file) keys))
+             (signed-with? file sig-file keys))
       blockers
       (conj blockers (str file " is not signed.")))))
 
@@ -56,7 +63,8 @@
         pom (file-for group name version "pom")
         keys (db/group-keys group)
         info (try (maven/pom-to-map pom)
-                  (catch Exception _ {}))]
+                  (catch Exception e
+                    (.printStackTrace e) {}))]
     ;; TODO: convert this to a lazy seq for cheaper qualification checks
     (-> []
         (check-version version)

test-resources/pubring.gpg

@@ -0,0 +1,31 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+
+mQENBFBEo6YBCACv0iWDO5fdM0i5XRcxJ8yZecKPKDyJ8wsnHq1oI2/ZM5sCilMA
+eiZ4gAQbLG2xkwR/A/Cdu2OWl44m2P4tPkV7Pg75MnjYFYsMCZf8OvRugXpNYmNK
+OLKY4ydsJDKSo+nEAmR1ePuxj/IdJUjlUA77hgREZJb/BaqKEJ9JuH1kLg967p1/
+4fjQ4+LapuB3cKQdObqxDlMxTHKO0lOwpabHJBpZL+q9bAhjcT/Ij9clU3aIG+w+
+PWvov+3wjKLA7WLoHCCQEkdnuulvoIfTZN6rvhWbUEoTJJPVcexxAbwIEgtRTxm6
+50H6lWX58i2+W8GLL+4f0OuMMnRe7WKVMoFJABEBAAG0F0FsaWNlIDxhbGljZUBh
+bGljZS5jb20+iQE4BBMBAgAiBQJQRKOmAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIe
+AQIXgAAKCRBNIx07bYABeG1ZCACcAWeaoxZp3dvBaXBOHEL77eFDBafarZHJPKaM
+1RAhMnBXI4FxfgXWyUm+Hdr0wcZevyPQaHnUV/HN2ne24fJJUFxoCsKR0FEKj3g5
+n8T0IDK6b8FsL/o04fc7OFABvCX8LSF5t9NM4+pTzxwz0kJv25tqzy9wqMxb2kUH
+BpxKsDw5jKhvnjictgDajzKbjgvqwXJL6XiyRSsWQGUnzz17yyrzlpxIOAX3jQkv
+9uG5bkvSm1SIAMz0Sc4bu+nJmr/S47TTbLhoqIkLP7+xmopfJR+fLYlE04br/yoF
+10ZkrboZ9NpW5U/ku7xbAoySLJuI7b3Bx2eGwnq3Fl/AxgJ2uQENBFBEo6YBCADU
+iIXu+Y18Zia6wAFk1+o3cbLgbh4YF6AnYCwIadxFYEKtPhiHhvrzyM2I4CPRp8ib
+VAuHkZ1+M6Z1sKcEJ8nEMAZhW3COBevQVmgnVWprf+IUZMHMVF1zzefYqJyR0dg/
+faq4jpr3dg4Tl1QzpKMfu5FibQYEZJ/WixBMf60AybvtohPENSdgQorlrXryNy3H
+BuXPeFiAUiLB1lXf+Y95bIASZeIb0jyId2z0m4fgvTsL+0eEerla8BcIQL7Dcurm
+9zNuzRuqzP7l564+thyhmmmoPg8uv17nOXriOFkdg6VtBCrS/iSC1BZ7liCiWUMJ
+1YWWDPSvBIhdffddUWn/ABEBAAGJAR8EGAECAAkFAlBEo6YCGwwACgkQTSMdO22A
+AXgiIAf/VdceyGR7uFHp1T/IJpnK5uxX1sD2vzUdaSHl7OAxrS5QZy4Dh8Femope
++wsCd60n/vNngxAxnPn0cF444It1cKY7fEMzclkVolm5qqzMOsIgfuyAKTz7C7Uw
+pPLHghqqlKWr5rfCBHqEPs28XBsY256j0UXp5WqdxXBFlJTr3yv5ctppsYQjmQjo
+V3djzajC8SDdZJpuywYP27V5TqjoiZ1Bama0O1GuokKLHdN0/BqaXnM/dCoZNUQi
+JZ0XONv7klUFq+JGYsLsoQdRrftG2x5+aCQPuM0K07RG8BwLTkEBpwZsGCR0ZW2s
+JoCpAvvMaeSzQYGG0M3jhDhiAbcpFQ==
+=tell
+-----END PGP PUBLIC KEY BLOCK-----
+

test/clojars/test/unit/promote.clj

@@ -2,21 +2,58 @@
   (:require [clojure.test :refer :all]
             [clojars.promote :refer :all]
             [clojure.java.io :as io]
-            [clojars.maven :as maven]))
+            [clojars.maven :as maven]
+            [clojars.db :as db]
+            [clojars.test.test-helper :as help]))
 
-;; TODO: need to seed the test repo for these tests now
+(help/use-fixtures)
 
-#_(deftest test-snapshot-blockers
+(defn copy-resource [version & [extension]]
+  (let [extension (or extension "pom")]
+    (.mkdirs (.getParentFile (file-for "robert" "hooke" version "")))
+    (io/copy (io/reader (io/resource (str "hooke-" version "." extension)))
+             (file-for "robert" "hooke" version extension))))
+
+(deftest test-snapshot-blockers
   (is (= ["Snapshot versions cannot be promoted"
           "Missing file hooke-1.2.0-SNAPSHOT.jar"
           "Missing file hooke-1.2.0-SNAPSHOT.pom"]
-         (blockers {:group "robert" :name "hooke" :version "1.2.0-SNAPSHOT"}))))
+         (take 3 (blockers {:group "robert" :name "hooke"
+                            :version "1.2.0-SNAPSHOT"})))))
+
+(deftest test-metadata-blockers
+  (copy-resource "1.1.1")
+  (is (clojure.set/subset? #{"Missing url" "Missing description"}
+                           (set (blockers {:group "robert" :name "hooke"
+                                           :version "1.1.1"})))))
+
+(deftest test-unsigned
+  (copy-resource "1.1.2")
+  (is (= #{"data/dev_repo/robert/hooke/1.1.2/hooke-1.1.2.pom is not signed."
+           "data/dev_repo/robert/hooke/1.1.2/hooke-1.1.2.jar is not signed."
+           "Missing file hooke-1.1.2.jar"}
+                           (set (blockers {:group "robert" :name "hooke"
+                                           :version "1.1.2"})))))
+
+(deftest test-success
+  (copy-resource "1.1.2")
+  (io/copy "dummy hooke jar file"
+           (file-for "robert" "hooke" "1.1.2" "jar"))
+  (copy-resource "1.1.2" "jar.asc")
+  (copy-resource "1.1.2" "pom.asc")
+  (db/add-user "test@ex.com" "testuser" "password" "asdf"
+               (slurp "test-resources/pubring.gpg"))
+  (db/add-member "robert" "testuser")
+  (is (empty? (blockers {:group "robert" :name "hooke" :version "1.1.2"}))))
 
-#_(deftest test-metadata-blockers
-  (.mkdirs (.getParentFile (file-for "robert" "hooke" "1.1.2" "pom")))
-  (io/copy (.getPath (io/resource "hooke-1.1.2.pom"))
-           (file-for "robert" "hooke" "1.1.2" "pom"))
-  (spit (file-for "robert" "hooke" "1.1.2" "pom") "")
-  (spit (file-for "robert" "hooke" "1.1.2" "jar") "")
-  (is (= ["Missing url"]
+(deftest test-failed-signature
+  (copy-resource "1.1.2")
+  (io/copy "dummy hooke jar file corrupted"
+           (file-for "robert" "hooke" "1.1.2" "jar"))
+  (copy-resource "1.1.2" "jar.asc")
+  (copy-resource "1.1.2" "pom.asc")
+  (db/add-user "test@ex.com" "testuser" "password" "asdf"
+               (slurp "test-resources/pubring.gpg"))
+  (db/add-member "robert" "testuser")
+  (is (= ["data/dev_repo/robert/hooke/1.1.2/hooke-1.1.2.jar is not signed."]
          (blockers {:group "robert" :name "hooke" :version "1.1.2"}))))