Add pgp signing for bundles used directly from Maven Central

See [1] and [2] for the GPG setup and tycho-gpg-plugin configuration.
We do not pass the keyring passphrase on the maven command-line, so that
it is never written to any build log. Instead, configure the
tycho-gpg-plugin to read it from the environment:

  <configuration>
    <passphrase>${env.EGIT_KEYRING_PASSPHRASE}</passphrase>
    ...
  </configuration>

Also use temurin-jdk17-latest to run the build; it's required by Tycho
4.0.x, which in turn is needed to force signing of the BouncyCastle
bundles.

[1] https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY
[2] https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3078

Change-Id: Iabd45f8e6fb03cb61d86650058a6ac08645500d7
diff --git a/vars/egitProductBuild.groovy b/vars/egitProductBuild.groovy
index 5b6146d..4b028a5 100644
--- a/vars/egitProductBuild.groovy
+++ b/vars/egitProductBuild.groovy
@@ -33,8 +33,9 @@
 		// upstreamVersion from cfg or auto-determined
 		p2project : 'org.eclipse.egit.repository',
 		p2zip : 'org.eclipse.egit.repository-*.zip',
-		publishRoot : 'egit'
+		publishRoot : 'egit',
 		// downstreamJob from cfg
+		gpg : true
 	]
 	productBuild(lib, tooling, config << cfg)
 }
\ No newline at end of file
diff --git a/vars/egitVerifyBuild.groovy b/vars/egitVerifyBuild.groovy
index 3f76b3b..3e1e111 100644
--- a/vars/egitVerifyBuild.groovy
+++ b/vars/egitVerifyBuild.groovy
@@ -31,7 +31,8 @@
 		upstreamRepoPath : 'jgit',
 		upstreamRepo : 'jgit',
 		// upstreamVersion from cfg or auto-determined
-		p2project : 'org.eclipse.egit.repository'
+		p2project : 'org.eclipse.egit.repository',
+		gpg : true
 	]
 	verifyBuild(lib, tooling, config << cfg)
 }
\ No newline at end of file
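Review bot: Setting `gpg : true` here enables the secret keyring import and the passphrase binding for the verification pipeline, not only for the product build. If verify jobs can be triggered by changes that have not been reviewed yet (I cannot tell from this diff who can trigger them), the pom and every test executed during that build then run with the release signing key imported into the agent keyring and `EGIT_KEYRING_PASSPHRASE` in their environment. Unless verification really needs signed bundles, leave it at verifyBuild's new default with a note such as `// gpg : false — release signing secrets stay out of verify builds`, or gate it on a trusted branch or trigger inside verifyBuild.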
diff --git a/vars/productBuild.groovy b/vars/productBuild.groovy
index 483439e..ce4da56 100644
--- a/vars/productBuild.groovy
+++ b/vars/productBuild.groovy
@@ -24,7 +24,7 @@
  * @return
  */
 def call(def lib, def tooling, Map cfg = [:]) {
-	Map config = [timeOut : 60, noTests : false] << cfg
+	Map config = [timeOut : 60, noTests : false, jdk : 'temurin-jdk17-latest', gpg : false] << cfg
 	// Check parameters
 	lib.configCheck(config, [
 		timeOut : 'Job timeout in minutes, default 60',
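Review bot: The new `jdk` and `gpg` defaults on the `Map config` line are not visible in the `lib.configCheck` description map, which starts on the next line and continues past the hunk; if that map was not extended further down, callers reading the parameter list will never learn that these keys exist. Add entries alongside `timeOut`, for example `jdk : 'Jenkins JDK tool used for the build, default temurin-jdk17-latest'` and `gpg : 'Import the signing keyring and run Maven with -Pgpg-sign, default false'`. The `call` body continues outside the hunk.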
@@ -81,6 +81,24 @@
 				commonMvnArguments.add(lib.getMvnUpstreamRepo(upstreamRepo, upstreamVersion))
 			}
 
+			stage('Initialize PGP') {
+				if (config.gpg) {
+					withCredentials([
+						file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')
+					]) {
+						sh '''
+							gpg --batch --import "${KEYRING}"
+							for fpr in $(gpg --list-keys --with-colons \
+								| awk -F: \'/fpr:/ {print $10}\' \
+								| sort -u); do echo -e "5\ny\n" \
+								|  gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; \
+							done
+						'''
+					}
+				} else {
+					echo "No GPG setup"
+				}
+			}
 			stage('Build') {
 				def arguments = [
 					'clean',
@@ -90,7 +108,17 @@
 				if (config.noTests) {
 					arguments.add('-DskipTests=true')
 				}
-				tooling.maven(arguments)
+				if (config.gpg) {
+					withCredentials([
+						string(credentialsId: 'gpg-passphrase', variable: 'EGIT_KEYRING_PASSPHRASE')
+					]) {
+						arguments.add('-Pgpg-sign')
+
+						tooling.maven(arguments)
+					}
+				} else {
+					tooling.maven(arguments)
+				}
 			}
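Review bot: Binding the passphrase as `EGIT_KEYRING_PASSPHRASE` around the whole `tooling.maven(arguments)` call means every process Maven forks during the build — surefire test JVMs, Tycho-launched Eclipse instances, any plugin — inherits the variable, and with the key already imported by the 'Initialize PGP' stage such a process can sign or export whatever it wants. The commit message's goal of keeping the passphrase off the command line and out of logs is met, but an environment variable is readable by every child process and, via `/proc`, by anything running as the same user, so the exposure is broader than the log. One way to narrow it is to keep this `withCredentials` around a separate signing-only Maven invocation that runs after the tests, or to preset the passphrase into gpg-agent so Maven never holds it at all; which of these fits depends on the `gpg-sign` profile's pom, which is not in this diff. A minor style point: `arguments.add('-Pgpg-sign')` does not need the secret, so moving it above `withCredentials` keeps the credential block down to the single call that uses it.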
 			stage('Deploy') {
 				// Nexus
@@ -124,7 +152,8 @@
 						])
 			}
 		}
-		finally { // replacement for post actions of Jenkins 1.x
+		finally {
+			// replacement for post actions of Jenkins 1.x
 			stage('Results') {
 				tooling.archiveArtifacts([
 					config.p2project + '/target/repository/**'
diff --git a/vars/verifyBuild.groovy b/vars/verifyBuild.groovy
index 9b4a36b..7bbdcca 100644
--- a/vars/verifyBuild.groovy
+++ b/vars/verifyBuild.groovy
@@ -23,7 +23,7 @@
  * @return
  */
 def call(def lib, def tooling, Map cfg = [:]) {
-	Map config = [timeOut : 60, noTests : false] << cfg
+	Map config = [timeOut : 60, noTests : false, jdk : 'temurin-jdk17-latest', gpg : false] << cfg
 	// Check parameters
 	lib.configCheck(config, [
 		timeOut : 'Job timeout in minutes, default 60',
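Review bot: As in productBuild.groovy, the `jdk` and `gpg` keys added to the defaults map are not visible in the `lib.configCheck` description map that begins on the next line and continues past the hunk; unless it was extended further down, the new parameters are undocumented to callers. Add `jdk : 'Jenkins JDK tool used for the build, default temurin-jdk17-latest'` and `gpg : 'Import the signing keyring and run Maven with -Pgpg-sign, default false'` next to `timeOut`. The `call` body continues outside the hunk.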
@@ -53,6 +53,24 @@
 					]
 				])
 			}
+			stage('Initialize PGP') {
+				if (config.gpg) {
+					withCredentials([
+						file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')
+					]) {
+						sh '''
+							gpg --batch --import "${KEYRING}"
+							for fpr in $(gpg --list-keys --with-colons \
+								| awk -F: \'/fpr:/ {print $10}\' \
+								| sort -u); do echo -e "5\ny\n" \
+								|  gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; \
+							done
+						'''
+					}
+				} else {
+					echo "No GPG setup"
+				}
+			}
 			stage('Build') {
 				def profiles = config.noTests ? '' : 'static-checks,'
 				profiles += 'other-os,eclipse-sign'
@@ -73,10 +91,21 @@
 				if (config.noTests) {
 					arguments.add('-DskipTests=true')
 				}
-				tooling.maven(arguments)
+				if (config.gpg) {
+					withCredentials([
+						string(credentialsId: 'gpg-passphrase', variable: 'EGIT_KEYRING_PASSPHRASE')
+					]) {
+						arguments.add('-Pgpg-sign')
+
+						tooling.maven(arguments)
+					}
+				} else {
+					tooling.maven(arguments)
+				}
 			}
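Review bot: In this pipeline the same Maven invocation that carries `EGIT_KEYRING_PASSPHRASE` also runs the `static-checks` profile and the tests (see the `profiles` computation just above the hunk) unless `noTests` is set, so test code from the change being verified executes with the passphrase in its environment and the signing key already imported on the agent. If verification builds are meant to sign at all, run the signing in a separate Maven invocation after the tests so that only the signing step sits inside `withCredentials`, e.g. `tooling.maven(arguments)` first and then `withCredentials([...]) { tooling.maven(signArguments) }`. Whether the `gpg-sign` profile can be run on its own depends on the pom, which this diff does not show.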
 		}
-		finally { // replacement for post actions of Jenkins 1.x
+		finally {
+			// replacement for post actions of Jenkins 1.x
 			stage('Results') {
 				tooling.archiveArtifacts([
 					config.p2project + '/target/repository/**'