SLING-8684 - Add support for validating releases from a staging repository
* check signatures and SHA-1
diff --git a/pom.xml b/pom.xml
index 4a00263..5fc6e33 100644
--- a/pom.xml
+++ b/pom.xml
@@ -251,6 +251,18 @@
<scope>provided</scope>
</dependency>
<dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcpg-jdk15on</artifactId>
+ <version>1.62</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.bouncycastle</groupId>
+ <artifactId>bcprov-jdk15on</artifactId>
+ <version>1.62</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
</dependency>
diff --git a/src/main/features/app.json b/src/main/features/app.json
index aee3a84..805b29c 100644
--- a/src/main/features/app.json
+++ b/src/main/features/app.json
@@ -66,6 +66,12 @@
"start-level": "3"
},
{
+ "id": "org.bouncycastle:bcpg-jdk15on:1.62"
+ },
+ {
+ "id": "org.bouncycastle:bcprov-jdk15on:1.62"
+ },
+ {
"id": "javax.mail:mail:1.5.0-b01"
},
{
diff --git a/src/main/java/org/apache/sling/cli/impl/nexus/Artifact.java b/src/main/java/org/apache/sling/cli/impl/nexus/Artifact.java
new file mode 100644
index 0000000..adabbc9
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/nexus/Artifact.java
@@ -0,0 +1,102 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.nexus;
+
+import java.util.Objects;
+
+/**
+ * An {@code Artifact} describes a Maven artifact stored in a Maven repository (remote or local).
+ */
+public class Artifact {
+
+ private final String groupId;
+ private final String artifactId;
+ private final String version;
+ private final String classifier;
+ private final String type;
+ private final String repositoryRelativePath;
+ private final String repositoryRelativeSignaturePath;
+ private final String repositoryRelativeSha1SumPath;
+
+ public Artifact(String groupId, String artifactId, String version, String classifier, String type) {
+ this.groupId = groupId;
+ this.artifactId = artifactId;
+ this.version = version;
+ this.classifier = classifier;
+ this.type = type;
+ String base = groupId.replaceAll("\\.", "/") + "/" + artifactId + "/" + version + "/" + artifactId + "-" + version;
+ StringBuilder stringBuilder = new StringBuilder(base);
+ if (this.classifier != null) {
+ stringBuilder.append("-").append(this.classifier);
+ }
+ stringBuilder.append(".").append(this.type);
+ repositoryRelativePath = stringBuilder.toString();
+ repositoryRelativeSignaturePath = repositoryRelativePath + ".asc";
+ repositoryRelativeSha1SumPath = repositoryRelativePath + ".sha1";
+ }
+
+ public String getRepositoryRelativePath() {
+ return repositoryRelativePath;
+ }
+
+ public String getRepositoryRelativeSignaturePath() {
+ return repositoryRelativeSignaturePath;
+ }
+
+ public String getRepositoryRelativeSha1SumPath() {
+ return repositoryRelativeSha1SumPath;
+ }
+
+ public String getGroupId() {
+ return groupId;
+ }
+
+ public String getArtifactId() {
+ return artifactId;
+ }
+
+ public String getVersion() {
+ return version;
+ }
+
+ public String getClassifier() {
+ return classifier;
+ }
+
+ public String getType() {
+ return type;
+ }
+
+ @Override
+ public int hashCode() {
+ return repositoryRelativePath.hashCode();
+ }
+
+ @Override
+ public boolean equals(Object obj) {
+ if (this == obj) {
+ return true;
+ }
+ if (obj instanceof Artifact) {
+ Artifact other = (Artifact) obj;
+ return Objects.equals(repositoryRelativePath, other.repositoryRelativePath);
+ }
+ return false;
+ }
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/nexus/LocalRepository.java b/src/main/java/org/apache/sling/cli/impl/nexus/LocalRepository.java
new file mode 100644
index 0000000..5f2b7e0
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/nexus/LocalRepository.java
@@ -0,0 +1,46 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.nexus;
+
+import java.nio.file.Path;
+import java.util.Collections;
+import java.util.Set;
+
+public class LocalRepository extends StagingRepository {
+
+ private final Set<Artifact> artifacts;
+ private final Path rootFolder;
+
+ LocalRepository(StagingRepository stagingRepository, Set<Artifact> artifacts, Path rootFolder) {
+ description = stagingRepository.description;
+ repositoryURI = stagingRepository.repositoryURI;
+ repositoryId = stagingRepository.repositoryId;
+ type = stagingRepository.type;
+ this.artifacts = artifacts;
+ this.rootFolder = rootFolder;
+ }
+
+ public Set<Artifact> getArtifacts() {
+ return Collections.unmodifiableSet(artifacts);
+ }
+
+ public Path getRootFolder() {
+ return rootFolder;
+ }
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/nexus/RepositoryDownloader.java b/src/main/java/org/apache/sling/cli/impl/nexus/RepositoryDownloader.java
new file mode 100644
index 0000000..f870254
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/nexus/RepositoryDownloader.java
@@ -0,0 +1,145 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.nexus;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.locks.ReentrantReadWriteLock;
+
+import org.apache.commons.io.IOUtils;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.sling.cli.impl.http.HttpClientFactory;
+import org.jetbrains.annotations.NotNull;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import com.google.gson.JsonArray;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
+
+@Component(
+ service = RepositoryDownloader.class
+)
+public class RepositoryDownloader {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(RepositoryDownloader.class);
+
+ private Map<String, LocalRepository> repositories = new HashMap<>();
+ private ReentrantReadWriteLock readWriteLock = new ReentrantReadWriteLock();
+
+ @Reference
+ private HttpClientFactory httpClientFactory;
+
+ @NotNull
+ public LocalRepository download(@NotNull StagingRepository repository) throws IOException {
+ readWriteLock.readLock().lock();
+ LocalRepository localRepository = repositories.get(repository.getRepositoryId());
+ if (localRepository == null) {
+ readWriteLock.readLock().unlock();
+ readWriteLock.writeLock().lock();
+ try {
+ if (!repositories.containsKey(repository.getRepositoryId())) {
+ try (CloseableHttpClient client = httpClientFactory.newClient()) {
+ HttpGet get =
+ new HttpGet("https://repository.apache.org/service/local/lucene/search?g=org.apache.sling&repositoryId=" +
+ repository.getRepositoryId());
+ get.addHeader("Accept", "application/json");
+ try (CloseableHttpResponse response = client.execute(get)) {
+ try (InputStream content = response.getEntity().getContent();
+ InputStreamReader reader = new InputStreamReader(content)) {
+ JsonParser parser = new JsonParser();
+ JsonObject json = parser.parse(reader).getAsJsonObject();
+ JsonArray data = json.get("data").getAsJsonArray();
+ Set<Artifact> artifacts = new HashSet<>();
+ for (JsonElement dataElement : data) {
+ JsonObject dataElementJson = dataElement.getAsJsonObject();
+ String groupId = dataElementJson.get("groupId").getAsString();
+ String artifactId = dataElementJson.get("artifactId").getAsString();
+ String version = dataElementJson.get("version").getAsString();
+ JsonArray artifactLinksArray =
+ dataElementJson.get("artifactHits").getAsJsonArray().get(0).getAsJsonObject().get("artifactLinks")
+ .getAsJsonArray();
+ for (JsonElement artifactLinkElement : artifactLinksArray) {
+ JsonObject artifactLinkJson = artifactLinkElement.getAsJsonObject();
+ String type = artifactLinkJson.get("extension").getAsString();
+ String classifier = null;
+ if (artifactLinkJson.has("classifier")) {
+ classifier = artifactLinkJson.get("classifier").getAsString();
+ }
+ artifacts.add(new Artifact(groupId,artifactId, version, classifier, type));
+ }
+ }
+ Path rootFolder = Files.createTempDirectory(repository.getRepositoryId() + "_");
+ for (Artifact artifact : artifacts) {
+ String fileRelativePath = artifact.getRepositoryRelativePath();
+ String relativeFolderPath = fileRelativePath.substring(0, fileRelativePath.lastIndexOf('/'));
+ Path artifactFolderPath = Files.createDirectories(rootFolder.resolve(relativeFolderPath));
+ downloadArtifactFile(repository, client, artifactFolderPath, fileRelativePath);
+ downloadArtifactFile(repository, client, artifactFolderPath,
+ artifact.getRepositoryRelativeSignaturePath());
+ downloadArtifactFile(repository, client, artifactFolderPath,
+ artifact.getRepositoryRelativeSha1SumPath());
+ }
+ localRepository = new LocalRepository(repository, artifacts, rootFolder);
+ repositories.put(localRepository.getRepositoryId(), localRepository);
+ }
+ }
+ }
+ }
+ readWriteLock.readLock().lock();
+ } finally {
+ readWriteLock.writeLock().unlock();
+ }
+ }
+ try {
+ if (localRepository == null) {
+ throw new IOException("Failed to download repository artifacts.");
+ }
+ return localRepository;
+ } finally {
+ readWriteLock.readLock().unlock();
+ }
+ }
+
+ private void downloadArtifactFile(@NotNull StagingRepository repository, CloseableHttpClient client, Path artifactFolderPath,
+ String relativeFilePath) throws IOException {
+ String fileName = relativeFilePath.substring(relativeFilePath.lastIndexOf('/') + 1);
+ Path filePath = Files.createFile(artifactFolderPath.resolve(fileName));
+ HttpGet get = new HttpGet(repository.getRepositoryURI() + "/" + relativeFilePath);
+ LOGGER.info("Downloading " + get.getURI().toString());
+ try (CloseableHttpResponse response = client.execute(get)) {
+ try (InputStream content = response.getEntity().getContent()) {
+ IOUtils.copyLarge(content, Files.newOutputStream(filePath));
+ }
+ }
+ }
+
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/nexus/StagingRepository.java b/src/main/java/org/apache/sling/cli/impl/nexus/StagingRepository.java
index 167cebb..512329c 100644
--- a/src/main/java/org/apache/sling/cli/impl/nexus/StagingRepository.java
+++ b/src/main/java/org/apache/sling/cli/impl/nexus/StagingRepository.java
@@ -26,10 +26,10 @@
open, closed;
}
- private String description;
- private String repositoryId;
- private String repositoryURI;
- private Status type;
+ protected String description;
+ protected String repositoryId;
+ protected String repositoryURI;
+ protected Status type;
public String getDescription() {
return description;
diff --git a/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignaturesValidator.java b/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignaturesValidator.java
new file mode 100644
index 0000000..22df3c9
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignaturesValidator.java
@@ -0,0 +1,107 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.pgp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+
+import org.bouncycastle.bcpg.ArmoredInputStream;
+import org.bouncycastle.openpgp.PGPException;
+import org.bouncycastle.openpgp.PGPObjectFactory;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.openpgp.PGPPublicKeyRing;
+import org.bouncycastle.openpgp.PGPPublicKeyRingCollection;
+import org.bouncycastle.openpgp.PGPSignature;
+import org.bouncycastle.openpgp.PGPSignatureList;
+import org.bouncycastle.openpgp.PGPUtil;
+import org.bouncycastle.openpgp.operator.bc.BcKeyFingerprintCalculator;
+import org.bouncycastle.openpgp.operator.bc.BcPGPContentVerifierBuilderProvider;
+import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
+import org.osgi.service.component.annotations.Activate;
+import org.osgi.service.component.annotations.Component;
+
+@Component(service = PGPSignaturesValidator.class)
+public class PGPSignaturesValidator {
+
+ private static final String KEYS_FILE = "/tmp/sling-keys.asc";
+ private PGPPublicKeyRingCollection keyRing;
+
+ public SignatureVerificationResult verify(Path artifact, Path signature) {
+ try (
+ InputStream fileStream = Files.newInputStream(artifact) ;
+ InputStream signatureStream = Files.newInputStream(signature)
+ ) {
+ InputStream sigInputStream = PGPUtil.getDecoderStream(signatureStream);
+ PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
+ PGPSignatureList sigList = (PGPSignatureList) pgpObjectFactory.nextObject();
+ PGPSignature pgpSignature = sigList.get(0);
+ PGPPublicKey key = keyRing.getPublicKey(pgpSignature.getKeyID());
+ if (key == null) {
+ throw new IllegalStateException(String.format("Signature %s was not generated with any of the known keys.",
+ signature.getFileName()));
+ }
+ pgpSignature.init(new BcPGPContentVerifierBuilderProvider(), key);
+ byte[] buff = new byte[1024];
+ int read;
+ while ((read = fileStream.read(buff)) != -1) {
+ pgpSignature.update(buff, 0, read);
+ }
+ fileStream.close();
+ return new SignatureVerificationResult(pgpSignature.verify(), key);
+ } catch (PGPException | IOException e) {
+ throw new IllegalStateException(String.format("Unable to verify signature %s.", signature.getFileName()), e);
+ }
+ }
+
+ @Activate
+ private void readKeyRing() {
+ Path keysFile = Paths.get(KEYS_FILE);
+ if (Files.notExists(keysFile)) {
+ throw new IllegalStateException(String.format("Sling keys file does not exist at %s.", KEYS_FILE));
+ }
+ try (InputStream in = Files.newInputStream(keysFile)) {
+ InputStream bouncyIn = org.bouncycastle.openpgp.PGPUtil.getDecoderStream(in);
+ if (bouncyIn instanceof ArmoredInputStream) {
+ ArmoredInputStream as = (ArmoredInputStream) bouncyIn;
+ List<PGPPublicKeyRing> keyRings = new ArrayList<>();
+ while (!as.isEndOfStream()) {
+ PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(as, new JcaKeyFingerprintCalculator());
+ Iterator<PGPPublicKeyRing> readKeyRings = collection.getKeyRings();
+ while (readKeyRings.hasNext()) {
+ PGPPublicKeyRing keyRing = readKeyRings.next();
+ keyRings.add(keyRing);
+ }
+ }
+ if (!keyRings.isEmpty()) {
+ keyRing = new PGPPublicKeyRingCollection(keyRings);
+ } else {
+ throw new IllegalStateException(String.format("Sling keys file from %s does not contain any keys.", KEYS_FILE));
+ }
+ }
+ } catch (IOException | PGPException e) {
+ throw new IllegalStateException(String.format("Cannot read Sling keys file at %s.", KEYS_FILE), e);
+ }
+ }
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashResult.java b/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashResult.java
new file mode 100644
index 0000000..fb7dcab
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashResult.java
@@ -0,0 +1,44 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.pgp;
+
+public class SHA1HashResult {
+
+ private final boolean valid;
+ private final String expectedHash;
+ private final String actualHash;
+
+ public SHA1HashResult(boolean valid, String expectedHash, String actualHash) {
+ this.valid = valid;
+ this.expectedHash = expectedHash;
+ this.actualHash = actualHash;
+ }
+
+ public boolean isValid() {
+ return valid;
+ }
+
+ public String getExpectedHash() {
+ return expectedHash;
+ }
+
+ public String getActualHash() {
+ return actualHash;
+ }
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashValidator.java b/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashValidator.java
new file mode 100644
index 0000000..5761429
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/pgp/SHA1HashValidator.java
@@ -0,0 +1,53 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.pgp;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.MessageDigest;
+import java.security.NoSuchAlgorithmException;
+
+import org.bouncycastle.util.encoders.Hex;
+import org.osgi.service.component.annotations.Component;
+
+@Component(service = SHA1HashValidator.class)
+public class SHA1HashValidator {
+
+ public SHA1HashResult validate(Path artifact, Path hash) {
+ try {
+ MessageDigest digest = MessageDigest.getInstance("SHA-1");
+ InputStream artifactIS = Files.newInputStream(artifact);
+ byte[] buff = new byte[4096];
+ int read;
+ while ((read = artifactIS.read(buff)) != -1) {
+ digest.update(buff, 0, read);
+ }
+ byte[] hashed = digest.digest();
+ String actualHash = Hex.toHexString(hashed);
+ String expectedHash = Files.readString(hash, StandardCharsets.US_ASCII);
+ return new SHA1HashResult(actualHash.equalsIgnoreCase(expectedHash), expectedHash, actualHash);
+ } catch (NoSuchAlgorithmException | IOException e) {
+ throw new IllegalStateException("Cannot validate SHA-1 hash.", e);
+ }
+ }
+
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/pgp/SignatureVerificationResult.java b/src/main/java/org/apache/sling/cli/impl/pgp/SignatureVerificationResult.java
new file mode 100644
index 0000000..d724596
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/pgp/SignatureVerificationResult.java
@@ -0,0 +1,42 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.pgp;
+
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.jetbrains.annotations.NotNull;
+
+public class SignatureVerificationResult {
+
+ private boolean valid;
+ private PGPPublicKey key;
+
+ public SignatureVerificationResult(boolean valid, @NotNull PGPPublicKey key) {
+ this.key = key;
+ this.valid = valid;
+ }
+
+ public boolean isValid() {
+ return valid;
+ }
+
+ @NotNull
+ public PGPPublicKey getKey() {
+ return key;
+ }
+}
diff --git a/src/main/java/org/apache/sling/cli/impl/release/VerifyReleasesCommand.java b/src/main/java/org/apache/sling/cli/impl/release/VerifyReleasesCommand.java
new file mode 100644
index 0000000..18226aa
--- /dev/null
+++ b/src/main/java/org/apache/sling/cli/impl/release/VerifyReleasesCommand.java
@@ -0,0 +1,108 @@
+/*~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ ~ Licensed to the Apache Software Foundation (ASF) under one
+ ~ or more contributor license agreements. See the NOTICE file
+ ~ distributed with this work for additional information
+ ~ regarding copyright ownership. The ASF licenses this file
+ ~ to you under the Apache License, Version 2.0 (the
+ ~ "License"); you may not use this file except in compliance
+ ~ with the License. You may obtain a copy of the License at
+ ~
+ ~ http://www.apache.org/licenses/LICENSE-2.0
+ ~
+ ~ Unless required by applicable law or agreed to in writing,
+ ~ software distributed under the License is distributed on an
+ ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ ~ KIND, either express or implied. See the License for the
+ ~ specific language governing permissions and limitations
+ ~ under the License.
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
+package org.apache.sling.cli.impl.release;
+
+import java.io.IOException;
+import java.nio.file.Path;
+import java.util.Iterator;
+import java.util.Locale;
+
+import org.apache.sling.cli.impl.Command;
+import org.apache.sling.cli.impl.nexus.Artifact;
+import org.apache.sling.cli.impl.nexus.LocalRepository;
+import org.apache.sling.cli.impl.nexus.RepositoryDownloader;
+import org.apache.sling.cli.impl.nexus.StagingRepositoryFinder;
+import org.apache.sling.cli.impl.pgp.PGPSignaturesValidator;
+import org.apache.sling.cli.impl.pgp.SHA1HashResult;
+import org.apache.sling.cli.impl.pgp.SHA1HashValidator;
+import org.apache.sling.cli.impl.pgp.SignatureVerificationResult;
+import org.bouncycastle.openpgp.PGPPublicKey;
+import org.bouncycastle.util.encoders.Hex;
+import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import picocli.CommandLine;
+
+@Component(service = Command.class,
+ property = {
+ Command.PROPERTY_NAME_COMMAND_GROUP + "=" + VerifyReleasesCommand.GROUP,
+ Command.PROPERTY_NAME_COMMAND_NAME + "=" + VerifyReleasesCommand.NAME
+ })
+@CommandLine.Command(name = VerifyReleasesCommand.NAME,
+ description = "Downloads the staging repository and verifies the artifacts' signatures and hashes.",
+ subcommands = CommandLine.HelpCommand.class)
+public class VerifyReleasesCommand implements Command {
+
+ private static final Logger LOGGER = LoggerFactory.getLogger(VerifyReleasesCommand.class);
+
+ static final String GROUP = "release";
+ static final String NAME = "verify";
+
+ @Reference
+ private StagingRepositoryFinder stagingRepositoryFinder;
+
+ @Reference
+ private RepositoryDownloader repositoryDownloader;
+
+ @Reference
+ private PGPSignaturesValidator pgpSignaturesValidator;
+
+ @Reference
+ private SHA1HashValidator sha1HashValidator;
+
+ @CommandLine.Option(names = {"-r", "--repository"},
+ description = "Nexus repository id",
+ required = true)
+ private Integer repositoryId;
+
+ @CommandLine.Mixin
+ private ReusableCLIOptions reusableCLIOptions;
+
+ @Override
+ public void run() {
+ try {
+ LocalRepository repository = repositoryDownloader.download(stagingRepositoryFinder.find(repositoryId));
+ Path repositoryRootPath = repository.getRootFolder();
+ for (Artifact artifact : repository.getArtifacts()) {
+ Path artifactFilePath = repositoryRootPath.resolve(artifact.getRepositoryRelativePath());
+ Path artifactSignaturePath = repositoryRootPath.resolve(artifact.getRepositoryRelativeSignaturePath());
+ SignatureVerificationResult signatureVerificationResult = pgpSignaturesValidator.verify(artifactFilePath,
+ artifactSignaturePath);
+ SHA1HashResult sha1HashResult = sha1HashValidator.validate(artifactFilePath,
+ repositoryRootPath.resolve(artifact.getRepositoryRelativeSha1SumPath()));
+ LOGGER.info("\n" + artifactFilePath.getFileName().toString());
+ PGPPublicKey key = signatureVerificationResult.getKey();
+ LOGGER.info("GPG: {}", signatureVerificationResult.isValid() ? String.format("signed by %s with key (id=0x%X; " +
+ "fingerprint=%s)", getKeyUserId(key), key.getKeyID(),
+ Hex.toHexString(key.getFingerprint()).toUpperCase(Locale.US)) : "INVALID");
+ LOGGER.info("SHA-1: {}", sha1HashResult.isValid() ? String.format("VALID (%s)", sha1HashResult.getActualHash()) :
+ String.format("INVALID (expected %s, got %s)", sha1HashResult.getExpectedHash(), sha1HashResult.getActualHash()));
+ }
+ } catch (IOException e) {
+ LOGGER.error("Command execution failed.", e);
+ }
+ }
+
+ private String getKeyUserId(PGPPublicKey key) {
+ Iterator<String> iterator = key.getUserIDs();
+ return iterator.hasNext() ? iterator.next() : "unknown";
+ }
+}