Add pgp signing for bundles used directly from Maven Central
See [1] and [2] for the GPG setup and tycho-gpg-plugin configuration.
We do not pass the keyring passphrase on the maven command-line to
ensure it is never written to any build log. Instead, configure the
tycho-gpg-plugin to use
<configuration>
<passphrase>${env.EGIT_KEYRING_PASSPHRASE}</passphrase>
...
</configuration>
Also use temurin-jdk17-latest to run the build; it's required by Tycho
4.0.x, which in turn is needed to force signing of the BouncyCastle
bundles.
[1] https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY
[2] https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/3078
Change-Id: Iabd45f8e6fb03cb61d86650058a6ac08645500d7
diff --git a/vars/egitProductBuild.groovy b/vars/egitProductBuild.groovy
index 5b6146d..4b028a5 100644
--- a/vars/egitProductBuild.groovy
+++ b/vars/egitProductBuild.groovy
@@ -33,8 +33,9 @@
// upstreamVersion from cfg or auto-determined
p2project : 'org.eclipse.egit.repository',
p2zip : 'org.eclipse.egit.repository-*.zip',
- publishRoot : 'egit'
+ publishRoot : 'egit',
// downstreamJob from cfg
+ gpg : true
]
productBuild(lib, tooling, config << cfg)
}
\ No newline at end of file
diff --git a/vars/egitVerifyBuild.groovy b/vars/egitVerifyBuild.groovy
index 3f76b3b..3e1e111 100644
--- a/vars/egitVerifyBuild.groovy
+++ b/vars/egitVerifyBuild.groovy
@@ -31,7 +31,8 @@
upstreamRepoPath : 'jgit',
upstreamRepo : 'jgit',
// upstreamVersion from cfg or auto-determined
- p2project : 'org.eclipse.egit.repository'
+ p2project : 'org.eclipse.egit.repository',
+ gpg : true
]
verifyBuild(lib, tooling, config << cfg)
}
\ No newline at end of file
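Review bot: Setting `gpg : true` here makes every verify build, not only product builds, import the release signing key and receive its passphrase; if verify builds run on code that is still under review, that widens what can cause the key to be used. If signing is needed in verify runs only so that Tycho 4 can sign the BouncyCastle bundles, a separate non-release key or a credential scoped to the verify job's folder would limit the exposure. Whether verify builds here run on unmerged changes is not visible in this diff.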
diff --git a/vars/productBuild.groovy b/vars/productBuild.groovy
index 483439e..ce4da56 100644
--- a/vars/productBuild.groovy
+++ b/vars/productBuild.groovy
@@ -24,7 +24,7 @@
* @return
*/
def call(def lib, def tooling, Map cfg = [:]) {
- Map config = [timeOut : 60, noTests : false] << cfg
+ Map config = [timeOut : 60, noTests : false, jdk : 'temurin-jdk17-latest', gpg : false] << cfg
// Check parameters
lib.configCheck(config, [
timeOut : 'Job timeout in minutes, default 60',
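Review bot: The new `jdk` and `gpg` defaults in the `Map config = [...]` line have no visible entries in the `lib.configCheck` description list that follows it; if configCheck expects every key to be described, add something like `jdk : 'Jenkins JDK tool to build with, default temurin-jdk17-latest'` and `gpg : 'PGP-sign the built bundles, default false'`. The list is cut off by the hunk, so the entries may already exist below it. Nothing in the visible hunks reads `config.jdk`, so presumably it is consumed elsewhere in the file. The same applies to the verifyBuild.groovy hunk at @@ -23,7 +23,7 @@.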
@@ -81,6 +81,24 @@
commonMvnArguments.add(lib.getMvnUpstreamRepo(upstreamRepo, upstreamVersion))
}
+ stage('Initialize PGP') {
+ if (config.gpg) {
+ withCredentials([
+ file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')
+ ]) {
+ sh '''
+ gpg --batch --import "${KEYRING}"
+ for fpr in $(gpg --list-keys --with-colons \
+ | awk -F: \'/fpr:/ {print $10}\' \
+ | sort -u); do echo -e "5\ny\n" \
+ | gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; \
+ done
+ '''
+ }
+ } else {
+ echo "No GPG setup"
+ }
+ }
stage('Build') {
def arguments = [
'clean',
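Review bot: The trust loop in the 'Initialize PGP' stage marks every key in the agent's keyring as ultimately trusted, not only the one just imported from `secret-subkeys.asc`, because it iterates `gpg --list-keys`; restricting it to keys with secret material, `for fpr in $(gpg --list-secret-keys --with-colons | awk -F: \'/fpr:/ {print $10}\' | sort -u); do`, keeps stray public keys on a shared agent from being trusted. `echo -e "5\ny\n"` is also not portable: if the agent's /bin/sh is dash the `-e` is printed literally and gpg reads `-e 5` as the trust decision, whereas `printf '5\ny\n' | gpg ...` (with the quotes and backslashes escaped inside the ''' literal the way the awk line already does) behaves the same everywhere. The imported secret key also outlives the build in the default GNUPGHOME; pointing `GNUPGHOME` at a per-build directory via withEnv around both this stage and the Build stage, and removing it in the finally block, would stop it persisting on the agent. The same block is added verbatim to verifyBuild.groovy at @@ -53,6 +53,24 @@.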
@@ -90,7 +108,17 @@
if (config.noTests) {
arguments.add('-DskipTests=true')
}
- tooling.maven(arguments)
+ if (config.gpg) {
+ withCredentials([
+ string(credentialsId: 'gpg-passphrase', variable: 'EGIT_KEYRING_PASSPHRASE')
+ ]) {
+ arguments.add('-Pgpg-sign')
+
+ tooling.maven(arguments)
+ }
+ } else {
+ tooling.maven(arguments)
+ }
}
stage('Deploy') {
// Nexus
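Review bot: Both branches end in `tooling.maven(arguments)`, and this withCredentials/profile block is repeated verbatim in verifyBuild.groovy (@@ -73,10 +91,21 @@), as is the whole 'Initialize PGP' stage; moving the pair into a shared step under vars/ (e.g. one that adds `-Pgpg-sign`, wraps a closure in the `gpg-passphrase` credential and otherwise just calls through) would keep the two pipelines from drifting. The call site would then read something like `mavenMaybeSigned(config.gpg, tooling, arguments)` (name constructed). Note that `-Pgpg-sign` must match a profile defined in the pom, which is outside this change and worth mentioning in a comment on the line that adds it.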
@@ -124,7 +152,8 @@
])
}
}
- finally { // replacement for post actions of Jenkins 1.x
+ finally {
+ // replacement for post actions of Jenkins 1.x
stage('Results') {
tooling.archiveArtifacts([
config.p2project + '/target/repository/**'
diff --git a/vars/verifyBuild.groovy b/vars/verifyBuild.groovy
index 9b4a36b..7bbdcca 100644
--- a/vars/verifyBuild.groovy
+++ b/vars/verifyBuild.groovy
@@ -23,7 +23,7 @@
* @return
*/
def call(def lib, def tooling, Map cfg = [:]) {
- Map config = [timeOut : 60, noTests : false] << cfg
+ Map config = [timeOut : 60, noTests : false, jdk : 'temurin-jdk17-latest', gpg : false] << cfg
// Check parameters
lib.configCheck(config, [
timeOut : 'Job timeout in minutes, default 60',
@@ -53,6 +53,24 @@
]
])
}
+ stage('Initialize PGP') {
+ if (config.gpg) {
+ withCredentials([
+ file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')
+ ]) {
+ sh '''
+ gpg --batch --import "${KEYRING}"
+ for fpr in $(gpg --list-keys --with-colons \
+ | awk -F: \'/fpr:/ {print $10}\' \
+ | sort -u); do echo -e "5\ny\n" \
+ | gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust; \
+ done
+ '''
+ }
+ } else {
+ echo "No GPG setup"
+ }
+ }
stage('Build') {
def profiles = config.noTests ? '' : 'static-checks,'
profiles += 'other-os,eclipse-sign'
@@ -73,10 +91,21 @@
if (config.noTests) {
arguments.add('-DskipTests=true')
}
- tooling.maven(arguments)
+ if (config.gpg) {
+ withCredentials([
+ string(credentialsId: 'gpg-passphrase', variable: 'EGIT_KEYRING_PASSPHRASE')
+ ]) {
+ arguments.add('-Pgpg-sign')
+
+ tooling.maven(arguments)
+ }
+ } else {
+ tooling.maven(arguments)
+ }
}
}
- finally { // replacement for post actions of Jenkins 1.x
+ finally {
+ // replacement for post actions of Jenkins 1.x
stage('Results') {
tooling.archiveArtifacts([
config.p2project + '/target/repository/**'