From 825422d25003eefaccff2f15216ddb8330cdd5cb Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Tue, 14 Feb 2023 21:17:45 -0600 Subject: [PATCH 01/10] Sign created artifacts, document updated processes Fixes #446 --- README.md | 45 +++++++++++++++++++++++++-------------------- pom.xml | 36 +++++++++++++++++++++++++++++++++++- 2 files changed, 60 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 4b0c9a3b..98fad5a2 100644 --- a/README.md +++ b/README.md @@ -12,12 +12,6 @@ The Google Cloud Tools team has put a significant amount of effort in helping br * [Google Cloud Tools](https://cloud.google.com/) -### Sencha -Sencha provides man power to help update the plugin and the build server which automates the build. - - [![Sencha GXT](http://cdn.sencha.com/img/gwt-eclipse-plugin-banner.png)](https://www.sencha.com/products/gxt/) - - ## Quality * This plugin is Beta Quality. 
@@ -61,17 +55,17 @@ The Eclipse repositories for this plugin. ### Production Release update site. -* [http://storage.googleapis.com/gwt-eclipse-plugin/v3/release](http://storage.googleapis.com/gwt-eclipse-plugin/v3/release) +* [Eclipse Marketplace entry for the GWT Plugin](https://marketplace.eclipse.org/content/gwt-plugin) +* [Update sites for the GWT Plugin](https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/) ### Production Zip -Download the repo in a zip file. - -* [http://storage.googleapis.com/gwt-eclipse-plugin/v3/downloads/repo-3.0.0.zip](http://storage.googleapis.com/gwt-eclipse-plugin/v3/downloads/repo-3.0.0.zip) +Download the repo in a zip file from the latest release at the +[releases page](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/). ### Staging -Staging repo for testing before production release. +The staging repository is also at plugins.gwtproject.org, under the `nightly` version: -* [http://storage.googleapis.com/gwt-eclipse-plugin/v3/snapshot](http://storage.googleapis.com/gwt-eclipse-plugin/v3/snapshot) +* [https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/](nightly) ## Development 
@@ -90,16 +84,27 @@ The target defintion build is based off of the Google Cloud Tools. Follow their * Note: The targets will have to be updated by setting the targets. This will regenerate the Eclipse target files. ### Build -Sencha has provided an internal build agent to build. -[Sencha Eclipse Build](https://teamcity.sencha.com/viewType.html?buildTypeId=Gxt3_Gwt_GwtEclipsePlugin) - -* `mvn clean install` +To build, Apache Maven and Java 17 are required. Invoke `mvn verify` to build and test. The resulting +update site can be found in `repo/target/repository` for local deployment and testing. + +### Release +Creating a release requires signing artifacts. Set the following environment variables before running +`mvn verify`: + * `SIGN_KEYSTORE` - Path to a pkcs12 keystore that contains a key to use to sign this release + * `SIGN_STOREPASS` - Passphrase for the keystore + * `SIGN_ALIAS` - Alias of the key to use to sign the release + * `SIGN_KEYPASS` - Passphrase for the key + * `SIGN_TSA` - URL of a Time stamp authority to use to sign this release + + At this time, releases are performed manually. The releases deployed to the marketplace will be signed + with the certificate for `plugins.gwtproject.org`. ### Deploy -Google storage write permissions are needed to deploy. - -* `sh ./build-deploy-release.sh` - deploy production version -* `sh ./build-deploy-snapshot.sh` - deploy snapshot version +Releases are uploaded as zips to the [release](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/) +part of the Github project page, and also deployed at +https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin as Eclipse update sites. Releases will be +added to the [GWT-Plugin](https://marketplace.eclipse.org/content/gwt-plugin) page on the Eclipse +Marketplace. ### Testing There are a couple of archetypes that are used to test. diff --git a/pom.xml b/pom.xml index 84b01857..62ac885f 100644 --- a/pom.xml +++ b/pom.xml 
@@ -294,7 +294,41 @@ eclipse/ide-target-platform - + + + sign-jars + + + ${env.SIGN_KEYSTORE} + + + + + + org.apache.maven.plugins + maven-jarsigner-plugin + 3.0.0 + + ${env.SIGN_KEYSTORE} + ${env.SIGN_STOREPASS} + ${env.SIGN_ALIAS} + ${env.SIGN_KEYPASS} + ${env.SIGN_STORETYPE} + ${env.SIGN_TSA} + true + + + + sign + + sign + + + + + + + teamcity From 85ac402bef94b7738842914bec3b136bd3358014 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sat, 18 Feb 2023 17:32:11 -0600 Subject: [PATCH 02/10] Use signing key to produce output (check for main disabled) --- .github/workflows/build.yml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d9c17e93..1a9ab530 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -15,6 +15,25 @@ jobs: java-version: '17' distribution: 'adopt' + - name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step + # if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') + id: keystore + run: | + if [ "${{ secrets.SIGN_KEYSTORE_CONTENTS }}" != '' ]; then + echo "available=true" >> $GITHUB_OUTPUT; + echo "${{ secrets.SIGN_KEYSTORE_CONTENTS }}" | base64 --decode > ${HOME}/key + else + echo "available=false" >> $GITHUB_OUTPUT; + fi + - name: Provide signing information as env vars, if the keystore was available + if: ${{ steps.keystore.outputs.available == 'true' }} + env: + SIGN_KEYSTORE: ${HOME}/key + SIGN_STOREPASS: ${{ secrets.SIGN_STOREPASS }} + SIGN_ALIAS: ${{ secrets.SIGN_ALIAS }} + SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }} + SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }} + SIGN_TSA: http://timestamp.digicert.com/ - name: Build with Maven run: mvn --batch-mode --update-snapshots package From ee9deb6026e3a3ef59975383778208b096ebcc26 Mon Sep 17 00:00:00 2001 
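Review bot: The new `sign-jars` profile reads `${env.SIGN_STORETYPE}` next to the other `SIGN_*` variables, but the README "Release" section added in this same patch lists only `SIGN_KEYSTORE`, `SIGN_STOREPASS`, `SIGN_ALIAS`, `SIGN_KEYPASS` and `SIGN_TSA`, so someone following the README will not know the store type is read from the environment (this rendering has stripped the XML element names, so which jarsigner parameter each value feeds is inferred from order). Add a bullet such as `* `SIGN_STORETYPE` - Keystore type (the README assumes `pkcs12`)` to that list. The profile appears to be activated by the mere presence of `SIGN_KEYSTORE`, which means a partially configured environment fails at the signing step instead of silently producing unsigned output; that is the right behaviour and is worth one sentence in the README so the failure is not "fixed" by unsetting the variable. The enclosing `profiles` element begins and ends outside the hunk.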
From: Colin Alworth Date: Sat, 18 Feb 2023 17:40:01 -0600 Subject: [PATCH 03/10] Tidy up for review --- README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index f0e86d04..3eaf2d01 100644 --- a/README.md +++ b/README.md @@ -47,10 +47,10 @@ Install from the Eclipse marketplace. ## Repository -The Eclipse repositories for this plugin. +The Eclipse repositories for this plugin. ### Production -Release update site. +Release update site. * [Eclipse Marketplace entry for the GWT Plugin](https://marketplace.eclipse.org/content/gwt-plugin) * [Update sites for the GWT Plugin](https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/) @@ -61,14 +61,15 @@ Download the repo in a zip file from the latest release at the [4.0.0](https://github.com/gwt-plugins/gwt-eclipse-plugin/releases/download/v4.0.0/repository.zip) ### Staging -The staging repository is also at plugins.gwtproject.org, under the `nightly` version: +The staging repository is also at plugins.gwtproject.org, under the `nightly` version. At this time, +these are signed with a self-signed certificate. -* [https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/](nightly) +* Nightly update site: https://plugins.gwtproject.org/eclipse/gwt-eclipse-plugin/nightly -## Development +## Development ### Importing -Simply use Maven to import all the plugins and modules. +Simply use Maven to import all the plugins and modules. * Use Eclipse Import and choose import with Existing Maven projects. Don't forget to select recursive import. * Select all the projects and import them. This will create the .project, .classpath and .settings files. If some exist, they will be overwritten. From 6bc6a052572053c9e15f71ad7c952e7d86c404e4 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sat, 18 Feb 2023 17:44:41 -0600 Subject: [PATCH 04/10] Use intermediate env var for secret --- .github/workflows/build.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1a9ab530..a0b4ae90 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,10 +18,12 @@ jobs: - name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step # if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') id: keystore + env: + SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }} run: | - if [ "${{ secrets.SIGN_KEYSTORE_CONTENTS }}" != '' ]; then + if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then echo "available=true" >> $GITHUB_OUTPUT; - echo "${{ secrets.SIGN_KEYSTORE_CONTENTS }}" | base64 --decode > ${HOME}/key + echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key else echo "available=false" >> $GITHUB_OUTPUT; fi From 57e2fc4852ab3dfea3daf109a7e685a61066c536 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sat, 18 Feb 2023 20:42:30 -0600 Subject: [PATCH 05/10] try to appease inscrutable yml checks --- .github/workflows/build.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a0b4ae90..b1a22a62 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -21,12 +21,12 @@ jobs: env: SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }} run: | - if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then - echo "available=true" >> $GITHUB_OUTPUT; - echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key - else - echo "available=false" >> $GITHUB_OUTPUT; - fi + if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then + echo "available=true" >> $GITHUB_OUTPUT + echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key + else + echo "available=false" >> $GITHUB_OUTPUT + fi - name: Provide signing information as env vars, if the keystore was available if: ${{ steps.keystore.outputs.available == 'true' }} env: 
From faa1c5f8e6f4058d5d867dec67627ec52d36c1a3 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sat, 18 Feb 2023 20:47:44 -0600 Subject: [PATCH 06/10] correct step setup --- .github/workflows/build.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b1a22a62..94745342 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -27,7 +27,8 @@ jobs: else echo "available=false" >> $GITHUB_OUTPUT fi - - name: Provide signing information as env vars, if the keystore was available + + - name: Build with maven (sign artifacts) if: ${{ steps.keystore.outputs.available == 'true' }} env: SIGN_KEYSTORE: ${HOME}/key @@ -36,7 +37,10 @@ jobs: SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }} SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }} SIGN_TSA: http://timestamp.digicert.com/ - - name: Build with Maven + run: mvn --batch-mode --update-snapshots package + + - name: Build with maven (no signing) + if: ${{ steps.keystore.outputs.available != 'true' }} run: mvn --batch-mode --update-snapshots package - uses: actions/upload-artifact@v3 From b3da849e23621bdaf1e6e89e9f8bd9d504c06d78 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sat, 18 Feb 2023 20:58:54 -0600 Subject: [PATCH 07/10] Enable "don't sign except main and release branches" check --- .github/workflows/build.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 94745342..caf5165e 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -16,7 +16,7 @@ jobs: distribution: 'adopt' - name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step - # if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') + if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') id: keystore env: SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }} From 62a61f06fa5074362a6f129b1a0c7ebc3ee31060 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sun, 19 Feb 2023 13:30:12 -0600 Subject: [PATCH 08/10] Easier debugging unsigned output --- .github/workflows/build.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index caf5165e..1e113f8c 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -16,17 +16,19 @@ jobs: distribution: 'adopt' - name: If present (and if on a branch that should be released), write the keystore to a file, and note it exists for the next step - if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') + #if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/') id: keystore env: SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }} run: | + set -eux if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then echo "available=true" >> $GITHUB_OUTPUT echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key else echo "available=false" >> $GITHUB_OUTPUT fi + ls ${HOME} - name: Build with maven (sign artifacts) if: ${{ steps.keystore.outputs.available == 'true' }} 
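Review bot: This hunk comments out the `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')` guard that patch 07 had just enabled, and no later patch in the series restores it, so in the merged state the keystore is decoded and the artifacts are signed on any ref where `SIGN_KEYSTORE_CONTENTS` is available, not only on main and release branches. If the removal was only to debug the unsigned path, put the line back (`if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/heads/release/')`) before merging; the step name still promises that restriction. The `set -eux` added in the same step traces every expanded command, so the `echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode` line would echo the encoded keystore into the step log unless secret masking catches it; patch 10 drops it again, but `-x` should stay out of any step that handles a secret value.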
@@ -37,7 +39,10 @@ jobs: SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }} SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }} SIGN_TSA: http://timestamp.digicert.com/ - run: mvn --batch-mode --update-snapshots package + run: | + set -eux + ls ${HOME} + mvn --batch-mode --update-snapshots package - name: Build with maven (no signing) if: ${{ steps.keystore.outputs.available != 'true' }} From 599a5ed0139396a083f433d9a91df6dc488b4aa3 Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sun, 19 Feb 2023 13:34:31 -0600 Subject: [PATCH 09/10] track down file contents... --- .github/workflows/build.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 1e113f8c..e12b74c4 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -41,7 +41,9 @@ jobs: SIGN_TSA: http://timestamp.digicert.com/ run: | set -eux - ls ${HOME} + ls -l ${HOME} + ls -l ${HOME}/key + ls -l ${SIGN_KEYSTORE} mvn --batch-mode --update-snapshots package - name: Build with maven (no signing) From 39f0940d4ae33a7c508d4f3b5c55bf6c0340986e Mon Sep 17 00:00:00 2001 From: Colin Alworth Date: Sun, 19 Feb 2023 13:37:22 -0600 Subject: [PATCH 10/10] Read other envs to set this one --- .github/workflows/build.yml | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index e12b74c4..ecb19e4b 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -21,30 +21,22 @@ jobs: env: SIGN_KEYSTORE_CONTENTS: ${{ secrets.SIGN_KEYSTORE_CONTENTS }} run: | - set -eux if [ "$SIGN_KEYSTORE_CONTENTS" != '' ]; then echo "available=true" >> $GITHUB_OUTPUT echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > ${HOME}/key else echo "available=false" >> $GITHUB_OUTPUT fi - ls ${HOME} - name: Build with maven (sign artifacts) if: ${{ steps.keystore.outputs.available == 'true' }} env: - SIGN_KEYSTORE: ${HOME}/key SIGN_STOREPASS: ${{ secrets.SIGN_STOREPASS }} SIGN_ALIAS: ${{ secrets.SIGN_ALIAS }} SIGN_KEYPASS: ${{ secrets.SIGN_KEYPASS }} SIGN_STORETYPE: ${{ secrets.SIGN_STORETYPE }} SIGN_TSA: http://timestamp.digicert.com/ - run: | - set -eux - ls -l ${HOME} - ls -l ${HOME}/key - ls -l ${SIGN_KEYSTORE} - mvn --batch-mode --update-snapshots package + run: SIGN_KEYSTORE=${HOME}/key mvn --batch-mode --update-snapshots package - name: Build with maven (no signing) if: ${{ steps.keystore.outputs.available != 'true' }}
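Review bot: The decoded keystore written to `${HOME}/key` in the `keystore` step is created with whatever the runner's default umask yields (typically 0644) and is never removed, so it remains readable on disk for the rest of the job; on ephemeral hosted runners that is short-lived, but on a self-hosted runner it would outlive the job. Create it with restricted permissions, e.g. `(umask 077 && echo "$SIGN_KEYSTORE_CONTENTS" | base64 --decode > "${HOME}/key")`, and add a final step `- name: Remove keystore` / `if: always()` / `run: rm -f "${HOME}/key"` so the key does not survive the build. Quoting the path in the new `run: SIGN_KEYSTORE="${HOME}/key" mvn --batch-mode --update-snapshots package` line is cheap insurance as well. The step's commented-out branch guard sits above this hunk.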