View Javadoc
1   /*
2    * Licensed to the Apache Software Foundation (ASF) under one
3    * or more contributor license agreements.  See the NOTICE file
4    * distributed with this work for additional information
5    * regarding copyright ownership.  The ASF licenses this file
6    * to you under the Apache License, Version 2.0 (the
7    * "License"); you may not use this file except in compliance
8    * with the License.  You may obtain a copy of the License at
9    *
10   *   http://www.apache.org/licenses/LICENSE-2.0
11   *
12   * Unless required by applicable law or agreed to in writing,
13   * software distributed under the License is distributed on an
14   * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15   * KIND, either express or implied.  See the License for the
16   * specific language governing permissions and limitations
17   * under the License.
18   */
19  package org.eclipse.aether.generator.sigstore;
20  
21  import java.io.IOException;
22  import java.io.UncheckedIOException;
23  import java.nio.file.Files;
24  import java.nio.file.Path;
25  import java.security.GeneralSecurityException;
26  import java.security.cert.X509Certificate;
27  import java.time.temporal.ChronoUnit;
28  import java.util.ArrayList;
29  import java.util.Collection;
30  import java.util.Collections;
31  import java.util.function.Predicate;
32  
33  import dev.sigstore.KeylessSigner;
34  import dev.sigstore.KeylessSignerException;
35  import dev.sigstore.bundle.Bundle;
36  import dev.sigstore.encryption.certificates.Certificates;
37  import org.eclipse.aether.artifact.Artifact;
38  import org.eclipse.aether.generator.sigstore.internal.FulcioOidHelper;
39  import org.eclipse.aether.spi.artifact.generator.ArtifactGenerator;
40  import org.eclipse.aether.spi.io.PathProcessor;
41  import org.eclipse.aether.util.artifact.SubArtifact;
42  import org.slf4j.Logger;
43  import org.slf4j.LoggerFactory;
44  
45  final class SigstoreSignatureArtifactGenerator implements ArtifactGenerator {
46      private static final String ARTIFACT_EXTENSION = ".sigstore.json";
47      private final Logger logger = LoggerFactory.getLogger(getClass());
48      private final PathProcessor pathProcessor;
49      private final ArrayList<Artifact> artifacts;
50      private final Predicate<Artifact> signableArtifactPredicate;
51      private final boolean publicStaging;
52      private final ArrayList<Path> signatureTempFiles;
53  
54      SigstoreSignatureArtifactGenerator(
55              PathProcessor pathProcessor,
56              Collection<Artifact> artifacts,
57              Predicate<Artifact> signableArtifactPredicate,
58              boolean publicStaging) {
59          this.pathProcessor = pathProcessor;
60          this.artifacts = new ArrayList<>(artifacts);
61          this.signableArtifactPredicate = signableArtifactPredicate;
62          this.publicStaging = publicStaging;
63          this.signatureTempFiles = new ArrayList<>();
64          logger.debug("Created sigstore generator (publicStaging={})", publicStaging);
65      }
66  
67      @Override
68      public String generatorId() {
69          return SigstoreSignatureArtifactGeneratorFactory.NAME;
70      }
71  
72      @Override
73      public Collection<? extends Artifact> generate(Collection<? extends Artifact> generatedArtifacts) {
74          try {
75              artifacts.addAll(generatedArtifacts);
76  
77              // back out if Sigstore signatures found among artifacts
78              if (artifacts.stream().anyMatch(a -> a.getExtension().endsWith(ARTIFACT_EXTENSION))) {
79                  logger.debug("Sigstore signatures are present among artifacts, bailing out");
80                  return Collections.emptyList();
81              }
82  
83              // sign relevant artifacts
84              ArrayList<Artifact> result = new ArrayList<>();
85              ClassLoader originalClassLoader = Thread.currentThread().getContextClassLoader();
86              Thread.currentThread().setContextClassLoader(KeylessSigner.class.getClassLoader());
87              try (KeylessSigner signer = publicStaging
88                      ? KeylessSigner.builder().sigstoreStagingDefaults().build()
89                      : KeylessSigner.builder().sigstorePublicDefaults().build()) {
90                  for (Artifact artifact : artifacts) {
91                      if (signableArtifactPredicate.test(artifact)) {
92                          Path fileToSign = artifact.getPath();
93                          Path signatureTempFile = Files.createTempFile("signer-sigstore", "tmp");
94                          signatureTempFiles.add(signatureTempFile);
95  
96                          logger.debug("Signing " + artifact);
97                          long start = System.currentTimeMillis();
98                          Bundle bundle = signer.signFile(fileToSign);
99  
100                         X509Certificate cert = (X509Certificate)
101                                 bundle.getCertPath().getCertificates().get(0);
102                         long durationMinutes = Certificates.validity(cert, ChronoUnit.MINUTES);
103 
104                         logger.debug("  Fulcio certificate (valid for "
105                                 + durationMinutes
106                                 + " m) obtained for "
107                                 + cert.getSubjectAlternativeNames()
108                                         .iterator()
109                                         .next()
110                                         .get(1)
111                                 + " (by "
112                                 + FulcioOidHelper.getIssuerV2(cert)
113                                 + " IdP)");
114 
115                         pathProcessor.write(signatureTempFile, bundle.toJson());
116 
117                         long duration = System.currentTimeMillis() - start;
118                         logger.debug("  > Rekor entry "
119                                 + bundle.getEntries().get(0).getLogIndex()
120                                 + " obtained in "
121                                 + duration
122                                 + " ms, saved to "
123                                 + signatureTempFile);
124 
125                         result.add(new SubArtifact(
126                                 artifact,
127                                 artifact.getClassifier(),
128                                 artifact.getExtension() + ARTIFACT_EXTENSION,
129                                 signatureTempFile.toFile()));
130                     }
131                 }
132             } finally {
133                 Thread.currentThread().setContextClassLoader(originalClassLoader);
134             }
135             logger.info("Signed {} artifacts with Sigstore", result.size());
136             return result;
137         } catch (GeneralSecurityException e) {
138             throw new IllegalArgumentException("Preparation problem", e);
139         } catch (KeylessSignerException e) {
140             throw new IllegalStateException("Processing problem", e);
141         } catch (IOException e) {
142             throw new UncheckedIOException("IO problem", e);
143         }
144     }
145 
146     @Override
147     public void close() {
148         signatureTempFiles.forEach(p -> {
149             try {
150                 Files.deleteIfExists(p);
151             } catch (IOException e) {
152                 p.toFile().deleteOnExit();
153             }
154         });
155     }
156 }