View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.eclipse.aether.generator.sigstore;
20  
21  import java.io.IOException;
22  import java.io.UncheckedIOException;
23  import java.nio.file.Files;
24  import java.nio.file.Path;
25  import java.security.GeneralSecurityException;
26  import java.security.cert.X509Certificate;
27  import java.time.temporal.ChronoUnit;
28  import java.util.ArrayList;
29  import java.util.Collection;
30  import java.util.Collections;
31  import java.util.List;
32  import java.util.concurrent.atomic.AtomicBoolean;
33  import java.util.function.Predicate;
34  
35  import dev.sigstore.KeylessSigner;
36  import dev.sigstore.KeylessSignerException;
37  import dev.sigstore.bundle.Bundle;
38  import dev.sigstore.encryption.certificates.Certificates;
39  import dev.sigstore.trustroot.SigstoreConfigurationException;
40  import org.eclipse.aether.artifact.Artifact;
41  import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
42  import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
43  import org.eclipse.aether.spi.io.PathProcessor;
44  import org.eclipse.aether.util.artifact.SubArtifact;
45  import org.slf4j.Logger;
46  import org.slf4j.LoggerFactory;
47  
48  final class SigstoreSignatureArtifactGenerator implements ArtifactGenerator {
49      private static final String ARTIFACT_EXTENSION = ".sigstore.json";
50      private final Logger logger = LoggerFactory.getLogger(getClass());
51      private final PathProcessor pathProcessor;
52      private final List<Artifact> artifacts;
53      private final Predicate<Artifact> signableArtifactPredicate;
54      private final boolean publicStaging;
55      private final List<Path> signatureTempFiles;
56      private final AtomicBoolean closed;
57  
58      SigstoreSignatureArtifactGenerator(
59              PathProcessor pathProcessor,
60              Collection<Artifact> artifacts,
61              Predicate<Artifact> signableArtifactPredicate,
62              boolean publicStaging) {
63          this.pathProcessor = pathProcessor;
64          this.artifacts = new ArrayList<>(artifacts);
65          this.signableArtifactPredicate = signableArtifactPredicate;
66          this.publicStaging = publicStaging;
67          this.signatureTempFiles = new ArrayList<>();
68          this.closed = new AtomicBoolean(false);
69          logger.debug("Created sigstore generator (publicStaging={})", publicStaging);
70      }
71  
72      @Override
73      public String generatorId() {
74          return SigstoreSignatureArtifactGeneratorFactory.NAME;
75      }
76  
77      @Override
78      public synchronized Collection<? extends Artifact> generate(Collection<? extends Artifact> generatedArtifacts) {
79          try {
80              artifacts.addAll(generatedArtifacts);
81  
82              // back out if Sigstore signatures found among artifacts
83              if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
84                  logger.debug("Sigstore signatures are present among artifacts, bailing out");
85                  return Collections.emptyList();
86              }
87  
88              // sign relevant artifacts
89              ArrayList<Artifact> result = new ArrayList<>();
90              ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
91              Thread.currentThread().setContextClassLoader(KeylessSigner.class.getClassLoader());
92              try (KeylessSigner signer = publicStaging
93                      ? KeylessSigner.builder().sigstoreStagingDefaults().build()
94                      : KeylessSigner.builder().sigstorePublicDefaults().build()) {
95                  for (Artifact artifact : artifacts) {
96                      if (signableArtifactPredicate.test(artifact)) {
97                          Path fileToSign = artifact.getPath();
98                          Path signatureTempFile = Files.createTempFile("signer-sigstore", "tmp");
99                          signatureTempFiles.add(signatureTempFile);
100 
101                         logger.debug("Signing " + artifact);
102                         long start = System.currentTimeMillis();
103                         Bundle bundle = signer.signFile(fileToSign);
104 
105                         X509Certificate cert = (X509Certificate)
106                                 bundle.getCertPath().getCertificates().get(0);
107                         long durationMinutes = Certificates.validity(cert, ChronoUnit.MINUTES);
108 
109                         logger.debug("  Fulcio certificate (valid for "
110                                 + durationMinutes
111                                 + " m) obtained for "
112                                 + cert.getSubjectAlternativeNames()
113                                         .iterator()
114                                         .next()
115                                         .get(1)
116                                 + " (by "
117                                 + FulcioOidHelper.getIssuerV2(cert)
118                                 + " IdP)");
119 
120                         pathProcessor.write(signatureTempFile, bundle.toJson());
121 
122                         long duration = System.currentTimeMillis() - start;
123                         logger.debug("  > Rekor entry "
124                                 + bundle.getEntries().get(0).getLogIndex()
125                                 + " obtained in "
126                                 + duration
127                                 + " ms, saved to "
128                                 + signatureTempFile);
129 
130                         result.add(new SubArtifact(
131                                 artifact,
132                                 artifact.getClassifier(),
133                                 artifact.getExtension() + ARTIFACT_EXTENSION,
134                                 signatureTempFile.toFile()));
135                     }
136                 }
137             } finally {
138                 Thread.currentThread().setContextClassLoader(originalClassLoader);
139             }
140             logger.info("Signed {} artifacts with Sigstore", result.size());
141             return result;
142         } catch (SigstoreConfigurationException e) {
143             throw new IllegalArgumentException("Configuration problem", e);
144         } catch (GeneralSecurityException e) {
145             throw new IllegalArgumentException("Preparation problem", e);
146         } catch (KeylessSignerException e) {
147             throw new IllegalStateException("Processing problem", e);
148         } catch (IOException e) {
149             throw new UncheckedIOException("IO problem", e);
150         }
151     }
152 
153     @Override
154     public void close() {
155         if (closed.compareAndSet(false, true)) {
156             signatureTempFiles.forEach(p -> {
157                 try {
158                     Files.deleteIfExists(p);
159                 } catch (IOException e) {
160                     p.toFile().deleteOnExit();
161                 }
162             });
163         }
164     }
165 }