Releases: siemens/cmp-ra-component

v2.5.0: Remove unused signing GUI tool (#24)

04 Apr 08:45
b486999
* Add logic for code quality checks

* Apply auto-formatting

This commit does not introduce any semantic changes in the code,
it is only the result of applying the Palantir Java style.

* Remove logic unrelated to style-checks

* Add logic for code quality checks

* Integrate additional code quality checks

* Version bump

* Integrate Jacoco into SonarCloud's analysis

* Activate dependency monitor provided by GitHub

* build(deps): bump maven-surefire-plugin from 2.22.0 to 2.22.2

Bumps [maven-surefire-plugin](https://github.com/apache/maven-surefire) from 2.22.0 to 2.22.2.
- [Release notes](https://github.com/apache/maven-surefire/releases)
- [Commits](https://github.com/apache/maven-surefire/compare/surefire-2.22.0...surefire-2.22.2)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-surefire-plugin
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-jar-plugin from 3.2.2 to 3.3.0

Bumps [maven-jar-plugin](https://github.com/apache/maven-jar-plugin) from 3.2.2 to 3.3.0.
- [Release notes](https://github.com/apache/maven-jar-plugin/releases)
- [Commits](https://github.com/apache/maven-jar-plugin/compare/maven-jar-plugin-3.2.2...maven-jar-plugin-3.3.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-jar-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-dependency-plugin from 3.3.0 to 3.5.0

Bumps [maven-dependency-plugin](https://github.com/apache/maven-dependency-plugin) from 3.3.0 to 3.5.0.
- [Release notes](https://github.com/apache/maven-dependency-plugin/releases)
- [Commits](https://github.com/apache/maven-dependency-plugin/compare/maven-dependency-plugin-3.3.0...maven-dependency-plugin-3.5.0)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-dependency-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump maven-javadoc-plugin from 3.3.1 to 3.4.1

Bumps [maven-javadoc-plugin](https://github.com/apache/maven-javadoc-plugin) from 3.3.1 to 3.4.1.
- [Release notes](https://github.com/apache/maven-javadoc-plugin/releases)
- [Commits](https://github.com/apache/maven-javadoc-plugin/compare/maven-javadoc-plugin-3.3.1...maven-javadoc-plugin-3.4.1)

---
updated-dependencies:
- dependency-name: org.apache.maven.plugins:maven-javadoc-plugin
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump slf4j-simple from 1.7.36 to 2.0.6

Bumps [slf4j-simple](https://github.com/qos-ch/slf4j) from 1.7.36 to 2.0.6.
- [Release notes](https://github.com/qos-ch/slf4j/releases)
- [Commits](https://github.com/qos-ch/slf4j/compare/v_1.7.36...v_2.0.6)

---
updated-dependencies:
- dependency-name: org.slf4j:slf4j-simple
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* Add GUI for interactive signing

* Complete GUI for the sign process

* Adjust GUI script, skeleton of build logic

* Separate SonarCloud analysis from OWASP dependency checker

* Address CVE-2021-26291

jacoco-maven-plugin has some dependencies of its own, we override one
of them

* Integrate sign logic into CI

* Adjust sign logic

* Take path to signature file as command line arg

* Adjust CI to also build sources jar

* Invoke signer for the sources jar as well

* Build and sign the javadoc jar too

* Compute hashes of files to be signed, for subsequent uploading to Maven

* Add workflow for publishing to Nexus as a snapshot

* Fix file name in CI job

* Include SHA1 in the produced hashes, Maven Central requires them

* Upload to Maven + prettify CI run commands

* Dance around SignClient's current working dir limitations

* Pass all generated files in target/ between jobs

Otherwise mvn jar:jar in the next job will produce an empty jar

* Preserve artifacts at the very end of the process

Signatures, hashes and the jars themselves

* Bump version to 2.2.3

To test if this will take and upload the signatures

* Update POM details to meet Maven Central requirements

* Copy pom.xml to the target directory and sign it too

* Add maven-gpg-plugin + dummy gpg wrapper

We sign it with SignClient, so we don't need the GPG-related logic, but
it seems that unless this plugin is included, signatures are not even
checked for.

* Adjust pom.xml signing logic + gpg dummy wrapper logic

* Make the dummy GPG wrapper behave more like the real GPG

* Copy all the jars and sigs to nexus' staging directory before staging

* Recreate the nexus staging directory

This is needed when dealing with a freshly checked-out repo

* Build sources and javadoc at the same time you do the packaging

* Build and sign on the same machine

* Try to build and sign twice, let the first operation fail

* Use alternative approach, by pretending we're GPG

* Update Python GPG wrapper

The original Powershell wrapper cannot be invoked as a standalone
executable (akin to having an executable script on *nix). This is
a workaround.

* Use ECDSA instead of RSA, apply client authentication

* Use the signrequest feature of SignServer

* Use smart card pkcs11 authentication for signing

* Provide key alias to signClient, load it from config

* Adjust GUI, change labels, text size, widget order

Just some cosmetic changes

* Improve logging when invoking signclient

* Interrupt entire signature process when a single failure occurs

* Transmit key alias in quotes, and escape them

Otherwise, if the key alias contains spaces, the process will fail

* Use a RichText widget for rendering the paths

The file names will be bold, to make them stand out

* Use a BAT file wrapper instead of Python

This is a much better way to wrap gpg-wrap.ps1, since there is no
dependency on Python or the need to run a binary compiled by nuitka
or something like it.

* Remove cruft, update comments

* Remove cruft from Github action, trigger build/sign on release

* Suppress a false positive detection of CVE-2022-45688 + cleanup

* Do not invoke GPG signatures in jobs where it doesn't matter

* Remove unused sign-gui script for single files

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>