[MGPG-31] Add ability to store passphase under settings.xml in clear or encrypted text

git-svn-id: https://svn.apache.org/repos/asf/maven/plugins/trunk@1647942 13f79535-47bb-0310-9956-ffa450edef68
diff --git a/pom.xml b/pom.xml
index 7e256a6..6d8ee97 100644
--- a/pom.xml
+++ b/pom.xml
@@ -96,6 +96,11 @@
       <artifactId>plexus-utils</artifactId>
       <version>3.0.20</version>
     </dependency>
+    <dependency>
+      <groupId>org.sonatype.plexus</groupId>
+      <artifactId>plexus-sec-dispatcher</artifactId>
+      <version>1.4</version>
+    </dependency>
   </dependencies>
 
   <build>
@@ -106,9 +111,7 @@
           <artifactId>apache-rat-plugin</artifactId>
           <configuration>
             <excludes combine.children="append">
-              <!--
-                rat check errors seen on ASF Jenkins instance, but not on local machine...
-              -->
+              <!-- rat check errors seen on ASF Jenkins instance, but not on local machine... -->
               <exclude>src/test/resources/gnupg/*</exclude>
             </excludes>
           </configuration>
@@ -131,6 +134,7 @@
                   <pomInclude>*/pom.xml</pomInclude>
                   <pomInclude>sign-and-deploy*</pomInclude>
                 </pomIncludes>
+                <settingsFile>src/main/it/settings.xml</settingsFile>
                 <goals>
                   <goal>clean</goal>
                   <goal>install</goal>
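Review bot: The new `<settingsFile>` points at `src/main/it/settings.xml`, but the settings file this commit edits to add the `gpg.passphase` server entry is `src/it/settings.xml`; unless a second copy exists under `src/main/it` (not shown in this diff), the invoker run will either fail to find the file or run the ITs without the server entry, and the new sign-with-passphase-from-maven-settings IT will not see the passphrase. Suggested line: `<settingsFile>src/it/settings.xml</settingsFile>`. The enclosing plugin configuration (presumably the invoker plugin's) starts and ends outside the hunk.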
diff --git a/src/it/settings.xml b/src/it/settings.xml
index c8f77f0..d01086b 100644
--- a/src/it/settings.xml
+++ b/src/it/settings.xml
@@ -19,7 +19,10 @@
 under the License.
 -->
 
-<settings>
+<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
+
   <profiles>
     <profile>
       <id>it-repo</id>
@@ -52,4 +55,12 @@
       </pluginRepositories>
     </profile>
   </profiles>
+
+  <servers>
+    <server>
+      <id>gpg.passphase</id>
+      <passphrase>TEST</passphrase>
+    </server>
+  </servers>
+
 </settings>
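Review bot: Only the clear-text half of the feature is covered by this fixture: `<passphrase>TEST</passphrase>` goes through the `securityDispatcher.decrypt()` call, which exercises the component lookup, but not the cipher/master-password path that an encrypted `{...}` value would take, so a regression there would surface only on a user's machine. Covering the encrypted branch would need a `settings-security.xml` the IT can control, which is worth a follow-up since the components.xml added in this commit fixes that location to `~/.m2/settings-security.xml`. A short comment next to the entry, e.g. `<!-- clear-text test passphrase for the sign-with-passphase-from-maven-settings IT; id matches the gpg.passphaseServerKey default -->`, would also make clear the value is a fixture, not a real secret.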
diff --git a/src/it/sign-with-passphase-from-maven-settings/invoker.properties b/src/it/sign-with-passphase-from-maven-settings/invoker.properties
new file mode 100644
index 0000000..a17cc59
--- /dev/null
+++ b/src/it/sign-with-passphase-from-maven-settings/invoker.properties
@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one

+# or more contributor license agreements.  See the NOTICE file

+# distributed with this work for additional information

+# regarding copyright ownership.  The ASF licenses this file

+# to you under the Apache License, Version 2.0 (the

+# "License"); you may not use this file except in compliance

+# with the License.  You may obtain a copy of the License at

+#

+#   http://www.apache.org/licenses/LICENSE-2.0

+#

+# Unless required by applicable law or agreed to in writing,

+# software distributed under the License is distributed on an

+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+# KIND, either express or implied.  See the License for the

+# specific language governing permissions and limitations

+# under the License.

+

+# Windows doesn't has a gpg-executable

+#invoker.os.family = !windows

diff --git a/src/it/sign-with-passphase-from-maven-settings/pom.xml b/src/it/sign-with-passphase-from-maven-settings/pom.xml
new file mode 100644
index 0000000..d914c8e
--- /dev/null
+++ b/src/it/sign-with-passphase-from-maven-settings/pom.xml
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>

+

+<!--

+Licensed to the Apache Software Foundation (ASF) under one

+or more contributor license agreements.  See the NOTICE file

+distributed with this work for additional information

+regarding copyright ownership.  The ASF licenses this file

+to you under the Apache License, Version 2.0 (the

+"License"); you may not use this file except in compliance

+with the License.  You may obtain a copy of the License at

+

+  http://www.apache.org/licenses/LICENSE-2.0

+

+Unless required by applicable law or agreed to in writing,

+software distributed under the License is distributed on an

+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+KIND, either express or implied.  See the License for the

+specific language governing permissions and limitations

+under the License.

+-->

+

+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">

+  <modelVersion>4.0.0</modelVersion>

+

+  <groupId>org.apache.maven.its.gpg.nma</groupId>

+  <artifactId>test</artifactId>

+  <version>1.0</version>

+  <packaging>jar</packaging>

+

+  <description>

+    Tests the signing of a project that produces no main artifact but only attached artifacts (MGPG-20).

+  </description>

+

+  <properties>

+    <maven.test.skip>true</maven.test.skip>

+  </properties>

+

+  <build>

+    <plugins>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-compiler-plugin</artifactId>

+        <version>2.0.2</version>

+      </plugin>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-gpg-plugin</artifactId>

+        <version>@project.version@</version>

+        <configuration>

+          <!-- load passphase from settings.xml -->

+        </configuration>

+        <executions>

+          <execution>

+            <id>sign-artifacts</id>

+            <goals>

+              <goal>sign</goal>

+            </goals>

+          </execution>

+        </executions>

+      </plugin>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-install-plugin</artifactId>

+        <version>2.3</version>

+        <configuration>

+          <updateReleaseInfo>true</updateReleaseInfo>

+        </configuration>

+      </plugin>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-jar-plugin</artifactId>

+        <version>2.1</version>

+        <configuration>

+          <classifier>jdk15</classifier>

+        </configuration>

+      </plugin>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-resources-plugin</artifactId>

+        <version>2.2</version>

+      </plugin>

+      <plugin>

+        <groupId>org.apache.maven.plugins</groupId>

+        <artifactId>maven-surefire-plugin</artifactId>

+        <version>2.3.1</version>

+      </plugin>

+    </plugins>

+  </build>

+

+</project>
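Review bot: The `<description>` ("produces no main artifact but only attached artifacts (MGPG-20)") is copied from the MGPG-20 IT and does not describe this test, as is the `org.apache.maven.its.gpg.nma` groupId; propose `Tests signing with the passphrase read from the server entry in the Maven settings (MGPG-31).`. The maven-gpg-plugin `<configuration>` block holds only the comment `<!-- load passphase from settings.xml -->` and no parameters, so the test relies entirely on the `gpg.passphaseServerKey` default; say so in the comment, e.g. `<!-- no passphrase configured here: it is looked up under the default gpg.passphase server id in settings.xml -->`. The jdk15 classifier and surefire/compiler pins look inherited from the MGPG-20 IT and are not needed for this scenario, though verify.bsh currently expects the classified jar.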

diff --git a/src/it/sign-with-passphase-from-maven-settings/verify.bsh b/src/it/sign-with-passphase-from-maven-settings/verify.bsh
new file mode 100644
index 0000000..ee9dddb
--- /dev/null
+++ b/src/it/sign-with-passphase-from-maven-settings/verify.bsh
@@ -0,0 +1,42 @@
+

+/*

+ * Licensed to the Apache Software Foundation (ASF) under one

+ * or more contributor license agreements.  See the NOTICE file

+ * distributed with this work for additional information

+ * regarding copyright ownership.  The ASF licenses this file

+ * to you under the Apache License, Version 2.0 (the

+ * "License"); you may not use this file except in compliance

+ * with the License.  You may obtain a copy of the License at

+ *

+ *   http://www.apache.org/licenses/LICENSE-2.0

+ *

+ * Unless required by applicable law or agreed to in writing,

+ * software distributed under the License is distributed on an

+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+ * KIND, either express or implied.  See the License for the

+ * specific language governing permissions and limitations

+ * under the License.

+ */

+

+import java.io.*;

+

+File artifactDir = new File( localRepositoryPath, "org/apache/maven/its/gpg/nma/test/1.0" );

+

+String[] expectedFiles = {

+    "test-1.0.pom",

+    "test-1.0.pom.asc",

+    "test-1.0-jdk15.jar",

+    "test-1.0-jdk15.jar.asc",

+};

+

+for ( String expectedFile : expectedFiles )

+{

+    File file = new File( artifactDir, expectedFile );

+

+    System.out.println( "Checking for existence of " + file );

+

+    if ( !file.isFile() )

+    {

+        throw new Exception( "Missing file " + file );

+    }

+}
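Review bot: The script only asserts that the `.asc` files exist, which proves signing succeeded but not that the passphrase came from settings.xml: if the invoker run still passes `gpg.passphrase` as a system property or through the parent invoker configuration (not visible in this diff), the new lookup is never exercised and the test still passes. If the harness allows it, checking the build log for the absence of a configured `gpg.passphrase` would turn this into a real regression test for the feature. A header comment such as `// Verifies that sign ran with the passphrase taken from the gpg.passphase server entry in src/it/settings.xml` would also record the intent, since nothing in the script mentions it.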

diff --git a/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java b/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java
index 35e3f84..c8dbfec 100644
--- a/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java
+++ b/src/main/java/org/apache/maven/plugin/gpg/AbstractGpgMojo.java
@@ -26,8 +26,14 @@
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
+import org.apache.maven.settings.Server;
+import org.apache.maven.settings.Settings;
+import org.codehaus.plexus.util.StringUtils;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
 
 /**
  * @author Benjamin Bentmann
@@ -46,12 +52,19 @@
     private File homedir;
 
     /**
-     * The passphrase to use when signing.
-     */
+     * The passphrase to use when signing. If not given, look up the value under Maven
+     * settings using server id at 'passphaseServerKey' configuration.
+     **/
     @Parameter( property = "gpg.passphrase" )
     private String passphrase;
 
     /**
+     * Server id to lookup the passphase under Maven settings.
+     */
+    @Parameter( property = "gpg.passphaseServerKey", defaultValue = "gpg.passphase" )
+    private String passphaseServerKey;
+
+    /**
      * The "name" of the key to sign with. Passed to gpg as <code>--local-user</code>.
      */
     @Parameter( property = "gpg.keyname" )
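Review bot: `passphaseServerKey`, its `gpg.passphaseServerKey` property and the default server id `gpg.passphase` all carry the "passphase" misspelling, and because the property name and server id are user-facing configuration they cannot be corrected later without a compatibility shim; consider `passphraseServerKey` / `gpg.passphraseServerKey` / `gpg.passphrase` (matching the existing `gpg.passphrase` property naming) before this ships. The same typo reaches the usage.apt.vm example in this commit, where the element is written `<passphase>`; that one is a functional error, since the Settings model element the lookup reads via `server.getPassphrase()` is `<passphrase>`, as `src/it/settings.xml` correctly uses. The new field is also missing the `@since 1.6` tag the other new fields in this commit carry, and its javadoc closes with `**/` where the rest of the file uses `*/`.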
@@ -59,8 +72,8 @@
 
     /**
      * Passes <code>--use-agent</code> or <code>--no-use-agent</code> to gpg. If using an agent, the passphrase is
-     * optional as the agent will provide it.
-     * For gpg2, specify true as --no-use-agent was removed in gpg2 and doesn't ask for a passphrase anymore.
+     * optional as the agent will provide it. For gpg2, specify true as --no-use-agent was removed in gpg2 and doesn't
+     * ask for a passphrase anymore.
      */
     @Parameter( property = "gpg.useagent", defaultValue = "true" )
     private boolean useAgent;
@@ -122,19 +135,35 @@
 
     /**
      * Sets the arguments to be passed to gpg. Example:
-     * 
+     *
      * <pre>
      * &lt;gpgArguments&gt;
      *   &lt;arg&gt;--no-random-seed-file&lt;/arg&gt;
      *   &lt;arg&gt;--no-permission-warning&lt;/arg&gt;
      * &lt;/gpgArguments&gt;
      * </pre>
-     * 
+     *
      * @since 1.5
      */
     @Parameter
     private List<String> gpgArguments;
 
+    /**
+     * Current user system settings for use in Maven.
+     *
+     * @since 1.6
+     */
+    @Parameter( defaultValue = "${settings}", readonly = true )
+    private Settings settings;
+
+    /**
+     * Maven Security Dispatcher
+     *
+     * @since 1.6
+     */
+    @Component( hint = "mng-4384" )
+    private SecDispatcher securityDispatcher;
+
     AbstractGpgSigner newSigner( MavenProject project )
         throws MojoExecutionException, MojoFailureException
     {
@@ -151,6 +180,8 @@
         signer.setLockMode( lockMode );
         signer.setArgs( gpgArguments );
 
+        loadGpgPassphase();
+
         signer.setPassPhrase( passphrase );
         if ( null == passphrase && !useAgent )
         {
@@ -171,4 +202,32 @@
         return signer;
     }
 
+    /**
+     * Load and decrypt gpg passphase from maven settings if not given from plugin configuration
+     *
+     * @throws MojoFailureException
+     */
+    private void loadGpgPassphase()
+        throws MojoFailureException
+    {
+        if ( StringUtils.isEmpty( this.passphrase ) )
+        {
+            Server server = this.settings.getServer( passphaseServerKey );
+
+            if ( server != null )
+            {
+                if ( server.getPassphrase() != null )
+                {
+                    try
+                    {
+                        this.passphrase = securityDispatcher.decrypt( server.getPassphrase() );
+                    }
+                    catch ( SecDispatcherException e )
+                    {
+                        throw new MojoFailureException( "Unable to decrypt gpg password", e );
+                    }
+                }
+            }
+        }
+    }
 }
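Review bot: When `settings.getServer()` returns null or the server has no `<passphrase>`, `loadGpgPassphase` falls through silently and the later `null == passphrase && !useAgent` check in `newSigner` reports only a generic missing-passphrase error, which hides why the settings lookup produced nothing; a debug line at the fall-through, e.g. `getLog().debug( "No passphrase found in settings under server id '" + passphaseServerKey + "'" );`, would let users spot a mistyped server id. Any such log line must name the id only, never the decrypted value. The exception message `"Unable to decrypt gpg password"` should say passphrase and name the id: `"Unable to decrypt gpg passphrase for server id '" + passphaseServerKey + "'"`. `this.settings` is dereferenced without a null check; `${settings}` is always injected in Maven 3, so that is presumably fine, but a one-line comment stating the assumption would save the next reader a question.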
diff --git a/src/main/resources/META-INF/plexus/components.xml b/src/main/resources/META-INF/plexus/components.xml
new file mode 100644
index 0000000..de24d82
--- /dev/null
+++ b/src/main/resources/META-INF/plexus/components.xml
@@ -0,0 +1,43 @@
+<!--

+  Licensed to the Apache Software Foundation (ASF) under one

+  or more contributor license agreements.  See the NOTICE file

+  distributed with this work for additional information

+  regarding copyright ownership.  The ASF licenses this file

+  to you under the Apache License, Version 2.0 (the

+  "License"); you may not use this file except in compliance

+  with the License.  You may obtain a copy of the License at

+

+    http://www.apache.org/licenses/LICENSE-2.0

+

+  Unless required by applicable law or agreed to in writing,

+  software distributed under the License is distributed on an

+  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY

+  KIND, either express or implied.  See the License for the

+  specific language governing permissions and limitations

+  under the License.

+-->

+

+<component-set>

+  <components>

+    <component>

+      <role>org.sonatype.plexus.components.sec.dispatcher.SecDispatcher</role>

+      <role-hint>mng-4384</role-hint>

+      <implementation>org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher</implementation>

+      <requirements>

+        <requirement>

+          <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>

+          <role-hint>mng-4384</role-hint>

+          <field-name>_cipher</field-name>

+        </requirement>

+      </requirements>

+      <configuration>

+        <_configuration-file>~/.m2/settings-security.xml</_configuration-file>

+      </configuration>

+    </component>

+    <component>

+      <role>org.sonatype.plexus.components.cipher.PlexusCipher</role>

+      <role-hint>mng-4384</role-hint>

+      <implementation>org.sonatype.plexus.components.cipher.DefaultPlexusCipher</implementation>

+    </component>

+  </components>

+</component-set>
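Review bot: `<_configuration-file>~/.m2/settings-security.xml</_configuration-file>` fixes the master-password file location inside the plugin; if `DefaultSecDispatcher` honours the `settings.security` system property (I believe it does, but confirm against the 1.4 sources) users who relocate the file with `-Dsettings.security=...` are still served, otherwise they cannot decrypt at all and the usage page should say so. A short comment above the component, e.g. `<!-- SecDispatcher wired under the same mng-4384 hint that AbstractGpgMojo injects via @Component; master password is read from settings-security.xml -->`, would tie this file to the mojo, since the hint string is the only link between them. The file also lacks the `<?xml version="1.0" encoding="UTF-8"?>` declaration that the new IT pom.xml in this commit starts with.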

diff --git a/src/site/apt/usage.apt.vm b/src/site/apt/usage.apt.vm
index 7826aba..65efd7a 100644
--- a/src/site/apt/usage.apt.vm
+++ b/src/site/apt/usage.apt.vm
@@ -77,3 +77,22 @@
 
   This accounts for the fact, that the Release Plugin forks Maven and system properties of the current Maven session are
   unfortunately not automatically propagated to the forked Maven session (see also {{{http://jira.codehaus.org/browse/MGPG-9}MGPG-9}}).
+
+
+* Configure passphase under settings.xml
+
+  Instead of specifying the passphase at command line, you can place it under your local settings.xml
+  either in clear or {{{http://maven.apache.org/guides/mini/guide-encryption.html}encrypted}} text.
+
++----------+
+<settings>
+  [...]
+  <servers>
+    [...]
+    <server>
+      <id>gpg.passphase</id>
+      <passphase>clear or encrypted text</passphase>
+    </server>
+  </servers>
+</settings>
++----------+
\ No newline at end of file