fix: gradle plugin was not signed (#269)

* refs #192 - added signing when generating the plugin

* refs #192 - trying to get gradle signing to be configured properly

* refs #192 - add the github secret as an environment variable so gradle can access it

* refs #192 - helps if you actually get the environment variable when trying to access it in gradle

* refs #192 - fixing spotless failure

* refs #192 - don't try and sign anything if the key and password are not setup

* refs #192 - updated README noting that if you don't have signing keys it should still work

* refs #192 - disable signArchives if key and password are not available

* refs #192 - try disabling signArchives another way

* refs #192 - trying again to disable signArchives if key and password are not available

* fix: refs #192 - forgot to also check case of empty variables

* fix: refs #192 - fixing typo left in during development

.github/workflows/gradle.yml

@@ -36,6 +36,9 @@ jobs:
     - name: Gradle Wrapper Validation
       uses: gradle/wrapper-validation-action@v1
     - name: Build with Gradle
+      env:
+        SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+        SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
       run: ./gradlew build --no-daemon -Dsnom.test.functional.gradle=${{ matrix.gradle }}
     - name: Run Semantic Release
       run: |

.gitignore

@@ -309,6 +309,7 @@ $RECYCLE.BIN/
 ### Gradle ###
 .gradle
 build/
+gradle.properties
 
 # Ignore Gradle GUI config
 gradle-app.setting

README.md

@@ -114,6 +114,21 @@ dependencies {
 }
 ```
 
+## Development
+Since version 4.3, when we publish artifacts we now sign them. This is designed so that the build will still pass if you don't have the signing keys available, this way pull requests and forked repos will still work as before.
+
+Before github workflow can sign the artifacts generated during build, we first need to generate pgp keys (you will have to do this again when the key expires. once a year is a good timeframe) and upload them to the servers. See https://www.gnupg.org/faq/gnupg-faq.html#starting_out for more details.
+
+That means github needs the following secrets:
+```
+SIGNING_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----..."
+SIGNING_PASSWORD = password
+```
+where `secrets.SIGNING_KEY` is the in-memory ascii-armored keys (you get this by running `gpg --armor --export-secret-keys <EMAIL>`)
+and `secrets.SIGNING_PASSWORD` is the password you used when generating the key.
+
+Gradle is configured to use these to generate the private key in memory so as to minimize our risk of the keys being found and used by someone else.
+
 ## Copyright
 
 Copyright &copy; 2019-present SpotBugs Team

build.gradle

@@ -2,6 +2,7 @@ plugins {
     id 'groovy'
     id 'java-gradle-plugin'
     id 'jacoco'
+    id 'signing'
     id 'com.gradle.plugin-publish' version '0.11.0'
     id 'com.diffplug.gradle.spotless' version '4.0.0'
     id 'net.ltgt.errorprone' version '1.1.1'
@@ -43,6 +44,24 @@ groovydoc {
     link 'https://docs.groovy-lang.org/latest/html/gapi/', 'groovy.', 'org.codehaus.groovy.'
 }
 
+def signingKey = System.getenv("SIGNING_KEY")
+def signingPassword = System.getenv("SIGNING_PASSWORD")
+
+signing {
+    if(signingKey != null &&
+    signingPassword != null &&
+    !signingKey.isEmpty() &&
+    !signingPassword.isEmpty()){
+        useInMemoryPgpKeys(signingKey, signingPassword)
+        sign configurations.archives
+    }
+    else{
+        logger.warn('The signing key and password are null. This can be ignored if this is a pull request.')
+    }
+}
+
+
+
 task processVersionFile(type: WriteProperties) {
     outputFile file('src/main/resources/spotbugs-gradle-plugin.properties')
 
@@ -57,4 +76,4 @@ apply from: "$rootDir/gradle/spotless.gradle"
 apply from: "$rootDir/gradle/errorprone.gradle"
 apply from: "$rootDir/gradle/publish.gradle"
 
-defaultTasks 'spotlessApply', 'build'
+defaultTasks 'spotlessApply', 'build'