[Build] PGP-sign third-party dependencies in M2E repo

eclipse-m2e · Oct 12, 2022 · 88452df · 88452df
1 parent bb9ce69
commit 88452df
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 2 deletions.
diff --git a/Jenkinsfile b/Jenkinsfile
@@ -18,14 +18,28 @@ pipeline {
 				sh 'git submodule update --init --recursive --remote'
 			}
 		}
+		stage('initialize PGP') {
+			steps {
+				withCredentials([file(credentialsId: 'secret-subkeys.asc', variable: 'KEYRING')]) {
+					sh 'gpg --batch --import "${KEYRING}"'
+					sh '''
+						for fpr in $(gpg --list-keys --with-colons | awk -F: \'/fpr:/ {print $10}\' | sort -u)
+						do
+							echo -e "5\ny\n" | gpg --batch --command-fd 0 --expert --edit-key ${fpr} trust 
+						done
+					'''
+				}
+			}
+		}
 		stage('Build') {
 			steps {
 				sh 'mvn clean generate-sources -f m2e-maven-runtime/pom.xml -B -V -Dtycho.mode=maven -Pgenerate-osgi-metadata'
+				withCredentials([string(credentialsId: 'gpg-passphrase', variable: 'KEYRING_PASSPHRASE')]) {
 				wrap([$class: 'Xvnc', useXauthority: true]) {
 					sh 'mvn clean verify -B -V \
 						-Dmaven.test.error.ignore=true -Dmaven.test.failure.ignore=true \
-						-Peclipse-sign,its'
-				}
+						-Peclipse-sign,its -Dgpg.passphrase="${KEYRING_PASSPHRASE}" -Dgpg.keyname="011C526F29B2CE79"'
+				}}
 			}
 			post {
 				always {

diff --git a/org.eclipse.m2e.repository/pom.xml b/org.eclipse.m2e.repository/pom.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+	Copyright (c) 2008, 2022 Sonatype, Inc. and others
+	All rights reserved. This program and the accompanying materials
+	are made available under the terms of the Eclipse Public License 2.0
+	which accompanies this distribution, and is available at
+	https://www.eclipse.org/legal/epl-2.0/
+
+	SPDX-License-Identifier: EPL-2.0
+	Contributors:
+		Sonatype, Inc. - initial API and implementation
+		Hannes Wellmann - Set up PGP-signing
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<parent>
+		<groupId>org.eclipse.m2e</groupId>
+		<artifactId>m2e-core</artifactId>
+		<version>2.0.0-SNAPSHOT</version>
+	</parent>
+
+	<artifactId>org.eclipse.m2e.repository</artifactId>
+	<packaging>eclipse-repository</packaging>
+
+	<name>Maven Integration for Eclipse Repository</name>
+
+	<profiles>
+		<!-- Eclipse SimRel requires all artifacts to be jar- or pgp-signed. So we sign the (non eclipse) artifacts
+			and update the p2 metadata accordingly -->
+		<profile>
+			<id>eclipse-sign</id>
+			<build>
+				<plugins>
+					<plugin>
+						<groupId>org.eclipse.tycho</groupId>
+						<artifactId>tycho-gpg-plugin</artifactId>
+						<version>${tycho-version}</version>
+						<executions>
+							<execution>
+								<id>pgpsigner</id>
+								<goals>
+									<goal>sign-p2-artifacts</goal>
+								</goals>
+								<configuration>
+									<skipIfJarsigned>true</skipIfJarsigned>
+								</configuration>
+							</execution>
+						</executions>
+					</plugin>
+					<plugin>
+						<groupId>org.eclipse.tycho</groupId>
+						<artifactId>tycho-p2-repository-plugin</artifactId>
+						<executions>
+							<execution>
+								<id>verify-repository-consistency</id>
+								<goals>
+									<goal>verify-repository</goal>
+								</goals>
+							</execution>
+						</executions>
+					</plugin>
+				</plugins>
+			</build>
+		</profile>
+	</profiles>
+</project>