Add parameter 'strictNoSignature' to make missing signatures explicit in keys map #44
Conversation
…the keys map. In order to detect and support the use cases "some version of artifact comes without signature" and "strict preselection of artifacts having no signature", the property 'strictNoSignature' will refer to the keys map to verify whether or not having no signature is acceptable for each unsigned artifact. This mode is less strict than 'failNoSignature' as it will be able to accommodate artifacts without signature. At the same time it provides explicit control over which artifacts are acceptable without signature.
I haven't discussed the approach prior to implementation simply because the implementation turned out to be trivial. Let me know any feedback you might have or in case you want to take a different approach.
- Undid unnecessary change. Remnant of previous experiment.
- Updated documentation to better explain how the new configuration parameter strictNoSignature works and what it expects from the keys map content.
Thank you for your collaboration. Please also look at the sonar report result.
@@ -356,7 +376,7 @@ private void verifyArtifacts(Set<Artifact> artifacts) | |||
for (Artifact artifact : artifacts) { | |||
final Artifact ascArtifact = resolveAscArtifact(artifact); | |||
|
|||
if (ascArtifact != null) { | |||
if (ascArtifact != null || strictNoSignature) { |
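Review bot: the `|| strictNoSignature` condition lets a null `ascArtifact` through into the map that `verifyArtifactSignatures` consumes, so the "no signature" decision ends up spread over this loop, the map and the verification method. Decide the unsigned case where the signature is resolved (inside `resolveAscArtifact`, or a dedicated method that consults the keys map there) and keep this loop at `if (ascArtifact != null)`, so the map never carries null values and the later null guard disappears.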
Move this logic to the resolveAscArtifact method, so we don't need null in the map.
@@ -481,6 +501,9 @@ private void verifyArtifactSignatures(Map<Artifact, Artifact> artifactToAsc) | |||
|
|||
private boolean verifyPGPSignature(Artifact artifact, Artifact ascArtifact) | |||
throws MojoFailureException { | |||
if (ascArtifact == null) { |
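Review bot: a null guard at the top of `verifyPGPSignature` makes a method named for PGP verification also responsible for the "artifact has no signature at all" outcome, and the keys-map lookup that must decide that outcome is not visible in this hunk. Either move the unsigned decision to where the `.asc` artifact is resolved, or document on this method that `ascArtifact` may be null only when `strictNoSignature` is set and state what the guard returns when the artifact is not listed in the keys map.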
It will not be necessary if we don't put nulls.
@@ -391,7 +411,7 @@ private Artifact resolveAscArtifact(Artifact artifact) throws MojoExecutionExcep | |||
if (failNoSignature) { | |||
getLog().error("No signature for " + artifact.getId()); | |||
throw new MojoExecutionException("No signature for " + artifact.getId()); | |||
} else { | |||
} else if (!strictNoSignature) { |
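Review bot: with `strictNoSignature` set this branch now falls through silently, so the existing no-signature handling in the `else` body is skipped and nothing at this point records that the artifact was unsigned; the keys-map check that justifies letting it through should live here, next to the `failNoSignature` case, rather than being deferred to the map consumer. Note also the precedence the ordering fixes: when both `failNoSignature` and `strictNoSignature` are set, `failNoSignature` wins and the build fails before the keys map is consulted, which the parameter documentation should state.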
Call verifySignatureUnavailable in this place and throw an exception, so only this place will be changed.
IIUC this will result in the build failing at the first unlisted, unsigned artifact. So you lose the ability to list all unsigned artifacts, so the user can solve them in one go. Your thoughts?
Some IT test would be good for code coverage.
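The PR description above explains the three ways an unsigned artifact can be treated (the default warning, `failNoSignature`, and the new `strictNoSignature` that consults the keys map), and the exchange just above raises the point that failing at the first unlisted artifact hides the rest. The following is an added, stand-alone model of that decision logic, not code from pgpverify-maven-plugin. It assumes (not stated on this page) a properties-style keys map with one `groupId:artifactId = value` entry per line, where the value `noSig` marks an artifact that is acceptable without a signature; the plugin's real keys-map syntax may differ. It collects every violation instead of stopping at the first one.

```python
"""Toy model of the unsigned-artifact policies discussed in this PR.

Added example, not code from pgpverify-maven-plugin. Assumed (not from the
page): the keys map is properties-style text, one 'groupId:artifactId = value'
per line, and the value 'noSig' marks an artifact that is acceptable without
a signature. The real plugin's keys map syntax may differ.
"""
from enum import Enum


class Policy(Enum):
    DEFAULT = "default"                        # missing signature only warned about
    FAIL_NO_SIGNATURE = "failNoSignature"      # any missing signature fails the build
    STRICT_NO_SIGNATURE = "strictNoSignature"  # missing signature OK only if keys map says so


NO_SIG_MARKER = "noSig"  # assumed keys-map value, see module docstring


def parse_keys_map(text):
    """Parse 'groupId:artifactId = value' lines into a dict.

    Blank lines and '#' comments are ignored; a line without '=' is rejected
    rather than silently dropped, so a typo cannot widen the allow-list.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"keys map line {lineno} is malformed: {raw!r}")
        entries[key.strip()] = value.strip()
    return entries


def unsigned_allowed(keys_map, artifact_key):
    """An unsigned artifact is acceptable only with an explicit noSig entry."""
    return keys_map.get(artifact_key) == NO_SIG_MARKER


def check_unsigned(artifacts, keys_map, policy):
    """Apply the policy to every artifact and collect all violations.

    artifacts: iterable of (artifact_key, has_signature).
    Returns (ok, problems). Problems are gathered for the whole set rather
    than raised at the first one, so the user can fix them in one go.
    """
    problems = []
    for key, has_signature in artifacts:
        if has_signature:
            continue  # signed artifacts go through normal PGP verification
        if policy is Policy.FAIL_NO_SIGNATURE:
            problems.append(f"No signature for {key}")
        elif policy is Policy.STRICT_NO_SIGNATURE and not unsigned_allowed(keys_map, key):
            problems.append(f"No signature for {key} and no {NO_SIG_MARKER} entry in keys map")
        # Policy.DEFAULT: tolerated, the plugin would only log a warning
    return (not problems, problems)


# Constructed sample input, not real artifacts or keys
SAMPLE_KEYS_MAP = parse_keys_map("""
# fingerprint of the key expected to sign this artifact (constructed value)
org.example:signed-lib = 0123456789ABCDEF0123456789ABCDEF01234567
# known to be published without a signature
org.example:legacy-unsigned = noSig
""")

SAMPLE_ARTIFACTS = [
    ("org.example:signed-lib", True),
    ("org.example:legacy-unsigned", False),
    ("org.example:surprise-unsigned", False),  # unsigned and not in the map
]


def run_all_policies(artifacts=SAMPLE_ARTIFACTS, keys_map=SAMPLE_KEYS_MAP):
    """Return {policy name: (ok, problems)} for the sample under each policy."""
    return {p.value: check_unsigned(artifacts, keys_map, p) for p in Policy}


if __name__ == "__main__":
    for name, (ok, problems) in run_all_policies().items():
        print(f"{name}: {'OK' if ok else 'FAIL'}")
        for problem in problems:
            print(f"  {problem}")
```

Running it shows the difference between the modes on the same input: the default tolerates both unsigned artifacts, `failNoSignature` rejects both, and `strictNoSignature` rejects only `surprise-unsigned`, which has no `noSig` entry. The model decides the unsigned case only; verification of signatures that are present, and what a `noSig` entry should mean for an artifact that unexpectedly turns up signed, are outside what this thread settles and are left out.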
The weak-signature check was mixed up with the PGP signature verification result handling. This is not necessary, given that it is an independent operation, which relies on very little information other than the signature information. Hence moved out to improve readability.
@slawekjaranowski I have moved the weak-signature check up out of the PGP signature content check. This makes the logic a lot more readable and reduces nesting. Could you have a look if you agree, given that this reorders the checks and thus the messaging order?
I will follow up on further comments later.
Once again, thank you.
Added Maven configuration parameter `strictNoSignature` to express missing signatures for individual artifacts, akin to how public keys are specified in the keys map. The following use cases are covered:
`failNoSignature` is too strict.)
Features:
The `quiet` parameter is respected.