1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.aether.generator.sigstore;
20
21 import java.io.IOException;
22 import java.io.UncheckedIOException;
23 import java.nio.file.Files;
24 import java.nio.file.Path;
25 import java.security.GeneralSecurityException;
26 import java.security.cert.X509Certificate;
27 import java.time.temporal.ChronoUnit;
28 import java.util.ArrayList;
29 import java.util.Collection;
30 import java.util.Collections;
31 import java.util.List;
32 import java.util.concurrent.atomic.AtomicBoolean;
33 import java.util.function.Predicate;
34
35 import dev.sigstore.KeylessSigner;
36 import dev.sigstore.KeylessSignerException;
37 import dev.sigstore.bundle.Bundle;
38 import dev.sigstore.encryption.certificates.Certificates;
39 import dev.sigstore.trustroot.SigstoreConfigurationException;
40 import org.eclipse.aether.artifact.Artifact;
41 import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
42 import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
43 import org.eclipse.aether.spi.io.PathProcessor;
44 import org.eclipse.aether.util.artifact.SubArtifact;
45 import org.slf4j.Logger;
46 import org.slf4j.LoggerFactory;
47
48 final class SigstoreSignatureArtifactGenerator implements ArtifactGenerator {
49 private static final String ARTIFACT_EXTENSION = ".sigstore.json";
50 private final Logger logger = LoggerFactory.getLogger(getClass());
51 private final PathProcessor pathProcessor;
52 private final List<Artifact> artifacts;
53 private final Predicate<Artifact> signableArtifactPredicate;
54 private final boolean publicStaging;
55 private final List<Path> signatureTempFiles;
56 private final AtomicBoolean closed;
57
58 SigstoreSignatureArtifactGenerator(
59 PathProcessor pathProcessor,
60 Collection<Artifact> artifacts,
61 Predicate<Artifact> signableArtifactPredicate,
62 boolean publicStaging) {
63 this.pathProcessor = pathProcessor;
64 this.artifacts = new ArrayList<>(artifacts);
65 this.signableArtifactPredicate = signableArtifactPredicate;
66 this.publicStaging = publicStaging;
67 this.signatureTempFiles = new ArrayList<>();
68 this.closed = new AtomicBoolean(false);
69 logger.debug("Created sigstore generator (publicStaging={})", publicStaging);
70 }
71
72 @Override
73 public String generatorId() {
74 return SigstoreSignatureArtifactGeneratorFactory.NAME;
75 }
76
77 @Override
78 public synchronized Collection<? extends Artifact> generate(Collection<? extends Artifact> generatedArtifacts) {
79 try {
80 artifacts.addAll(generatedArtifacts);
81
82
83 if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
84 logger.debug("Sigstore signatures are present among artifacts, bailing out");
85 return Collections.emptyList();
86 }
87
88
89 ArrayList<Artifact> result = new ArrayList<>();
90 ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
91 Thread.currentThread().setContextClassLoader(KeylessSigner.class.getClassLoader());
92 try (KeylessSigner signer = publicStaging
93 ? KeylessSigner.builder().sigstoreStagingDefaults().build()
94 : KeylessSigner.builder().sigstorePublicDefaults().build()) {
95 for (Artifact artifact : artifacts) {
96 if (signableArtifactPredicate.test(artifact)) {
97 Path fileToSign = artifact.getPath();
98 Path signatureTempFile = Files.createTempFile("signer-sigstore", "tmp");
99 signatureTempFiles.add(signatureTempFile);
100
101 logger.debug("Signing " + artifact);
102 long start = System.currentTimeMillis();
103 Bundle bundle = signer.signFile(fileToSign);
104
105 X509Certificate cert = (X509Certificate)
106 bundle.getCertPath().getCertificates().get(0);
107 long durationMinutes = Certificates.validity(cert, ChronoUnit.MINUTES);
108
109 logger.debug(" Fulcio certificate (valid for "
110 + durationMinutes
111 + " m) obtained for "
112 + cert.getSubjectAlternativeNames()
113 .iterator()
114 .next()
115 .get(1)
116 + " (by "
117 + FulcioOidHelper.getIssuerV2(cert)
118 + " IdP)");
119
120 pathProcessor.write(signatureTempFile, bundle.toJson());
121
122 long duration = System.currentTimeMillis() - start;
123 logger.debug(" > Rekor entry "
124 + bundle.getEntries().get(0).getLogIndex()
125 + " obtained in "
126 + duration
127 + " ms, saved to "
128 + signatureTempFile);
129
130 result.add(new SubArtifact(
131 artifact,
132 artifact.getClassifier(),
133 artifact.getExtension() + ARTIFACT_EXTENSION,
134 signatureTempFile.toFile()));
135 }
136 }
137 } finally {
138 Thread.currentThread().setContextClassLoader(originalClassLoader);
139 }
140 logger.info("Signed {} artifacts with Sigstore", result.size());
141 return result;
142 } catch (SigstoreConfigurationException e) {
143 throw new IllegalArgumentException("Configuration problem", e);
144 } catch (GeneralSecurityException e) {
145 throw new IllegalArgumentException("Preparation problem", e);
146 } catch (KeylessSignerException e) {
147 throw new IllegalStateException("Processing problem", e);
148 } catch (IOException e) {
149 throw new UncheckedIOException("IO problem", e);
150 }
151 }
152
153 @Override
154 public void close() {
155 if (closed.compareAndSet(false, true)) {
156 signatureTempFiles.forEach(p -> {
157 try {
158 Files.deleteIfExists(p);
159 } catch (IOException e) {
160 p.toFile().deleteOnExit();
161 }
162 });
163 }
164 }
165 }