From ef626ad22a6c1bbc6a322460e6f4afe698c3aa02 Mon Sep 17 00:00:00 2001
From: John Scancella
Date: Tue, 26 May 2020 21:59:19 -0400
Subject: [PATCH] fix: gradle plugin was not signed (#269)
* refs #192 - added signing when generating the plugin
* refs #192 - trying to get gradle signing to be configured properly
* refs #192 - add the github secret as an environment variable so gradle can access it
* refs #192 - helps if you actually get the environment variable when trying to access it in gradle
* refs #192 - fixing spotless failure
* refs #192 - don't try and sign anything if the key and password are not setup
* refs #192 - updated README noting that if you don't have signing keys it should still work
* refs #192 - disable signArchives if key and password are not available
* refs #192 - try disabling signArchives another way
* refs #192 - trying again to disable signArchives if key and password are not available
* fix: refs #192 - forgot to also check case of empty variables
* fix: refs #192 - fixing typo left in during development
---
 .github/workflows/gradle.yml | 3 +++
 .gitignore | 1 +
 README.md | 15 +++++++++++++++
 build.gradle | 21 ++++++++++++++++++++-
 4 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/gradle.yml b/.github/workflows/gradle.yml
index 5d88c539..bd9c506b 100644
--- a/.github/workflows/gradle.yml
+++ b/.github/workflows/gradle.yml
@@ -36,6 +36,9 @@ jobs:
 - name: Gradle Wrapper Validation
 uses: gradle/wrapper-validation-action@v1
 - name: Build with Gradle
+ env:
+ SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
+ SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
 run: ./gradlew build --no-daemon -Dsnom.test.functional.gradle=${{ matrix.gradle }}
 - name: Run Semantic Release
 run: |
diff --git a/.gitignore b/.gitignore
index dc96d495..37afb649 100644
--- a/.gitignore
+++ b/.gitignore
@@ -309,6 +309,7 @@ $RECYCLE.BIN/
 ### Gradle ###
 .gradle
 build/
+gradle.properties
 # Ignore Gradle GUI config
 gradle-app.setting
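Review bot: The PGP private key and its passphrase are in scope for the whole `Build with Gradle` step rather than only for the step that publishes; that step runs the full `./gradlew build`, including the functional tests for every matrix Gradle version, so every task and test process inherits `SIGNING_KEY` and `SIGNING_PASSWORD`. If the release actually happens in the `Run Semantic Release` step that follows (its body is cut off in this hunk), moving the two `env:` entries under that step keeps the key out of test runs and out of same-repository pull-request builds, which do receive repository secrets. Fork pull requests receive no secrets either way, so the unset-variable fallback in build.gradle still has to stay.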
diff --git a/README.md b/README.md
index cb2d197f..88efb687 100644
--- a/README.md
+++ b/README.md
@@ -114,6 +114,21 @@ dependencies {
 }
 ```
+## Development
+Since version 4.3, when we publish artifacts we now sign them. This is designed so that the build will still pass if you don't have the signing keys available, this way pull requests and forked repos will still work as before.
+
+Before github workflow can sign the artifacts generated during build, we first need to generate pgp keys (you will have to do this again when the key expires. once a year is a good timeframe) and upload them to the servers. See https://www.gnupg.org/faq/gnupg-faq.html#starting_out for more details.
+
+That means github needs the following secrets:
+```
+SIGNING_KEY = "-----BEGIN PGP PRIVATE KEY BLOCK-----..."
+SIGNING_PASSWORD = password
+```
+where `secrets.SIGNING_KEY` is the in-memory ascii-armored keys (you get this by running `gpg --armor --export-secret-keys `)
+and `secrets.SIGNING_PASSWORD` is the password you used when generating the key.
+
+Gradle is configured to use these to generate the private key in memory so as to minimize our risk of the keys being found and used by someone else.
+
 ## Copyright
 Copyright © 2019-present SpotBugs Team
diff --git a/build.gradle b/build.gradle
index fdb229e6..feea5aa6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -2,6 +2,7 @@ plugins {
 id 'groovy'
 id 'java-gradle-plugin'
 id 'jacoco'
+ id 'signing'
 id 'com.gradle.plugin-publish' version '0.11.0'
 id 'com.diffplug.gradle.spotless' version '4.0.0'
 id 'net.ltgt.errorprone' version '1.1.1'
@@ -43,6 +44,24 @@ groovydoc {
 link 'https://docs.groovy-lang.org/latest/html/gapi/', 'groovy.', 'org.codehaus.groovy.'
 }
+def signingKey = System.getenv("SIGNING_KEY")
+def signingPassword = System.getenv("SIGNING_PASSWORD")
+
+signing {
+ if(signingKey != null &&
+ signingPassword != null &&
+ !signingKey.isEmpty() &&
+ !signingPassword.isEmpty()){
+ useInMemoryPgpKeys(signingKey, signingPassword)
+ sign configurations.archives
+ }
+ else{
+ logger.warn('The signing key and password are null. This can be ignored if this is a pull request.')
+ }
+}
+
+
+
 task processVersionFile(type: WriteProperties) {
 outputFile file('src/main/resources/spotbugs-gradle-plugin.properties')
@@ -57,4 +76,4 @@ apply from: "$rootDir/gradle/spotless.gradle"
 apply from: "$rootDir/gradle/errorprone.gradle"
 apply from: "$rootDir/gradle/publish.gradle"
-defaultTasks 'spotlessApply', 'build'
+defaultTasks 'spotlessApply', 'build'
\ No newline at end of file
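Review bot: `sign configurations.archives` in the new `signing {}` block only attaches signatures to the legacy `archives` configuration, so if `gradle/publish.gradle` (applied further down, outside this hunk) publishes through `maven-publish` or the plugin-publish plugin, the published artifacts are not covered by these signatures and the plugin may still ship unsigned — confirm against publish.gradle and, if so, switch to `sign publishing.publications` once the publications are defined. The four-clause null/empty guard can be written with Groovy truthiness, `if (signingKey && signingPassword) {`, which treats null and empty strings exactly as the current condition does. The warning text is misleading when a value is present but empty; suggest `logger.warn('SIGNING_KEY and/or SIGNING_PASSWORD not set; skipping artifact signing (expected for pull requests).')`. Consider also making signing mandatory on the release path, e.g. `required = { gradle.taskGraph.hasTask(':publishPlugins') }` if that is the publishing task, so a mis-pasted secret fails the release loudly instead of silently producing unsigned artifacts.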