
[feature] Maven builder

Open laurentsimon opened this issue 3 years ago • 9 comments

@ianlewis in https://github.com/slsa-framework/slsa-github-generator/issues/331#issuecomment-1160048373

Maven seems like it can store arbitrary files in its releases. A future Java-specific ecosystem builder could do this automatically itself, but for the generic generator we can create examples that use the deploy plugin to deploy the provenance file. https://maven.apache.org/plugins/maven-deploy-plugin/usage.html ... much like the gpg plugin. That would make it easy to publish and consume Java artifacts via maven. Ideally it could use the java clients for sigstore.

@laurentsimon

Completely agree on Maven plugin. Should be easy to do given the Sigstore example https://github.com/sigstore/sigstore-maven-plugin I've created https://github.com/slsa-framework/slsa-verifier/issues/155 for tracking.

@joshuagl I think you've been playing around with this idea. Any thoughts?

/cc @loosebazooka

laurentsimon avatar Jul 20 '22 15:07 laurentsimon

@ianlewis in #331 (comment)

Maven seems like it can store arbitrary files in its releases.

I think in reality what the gpg plugin does is wrap the jar using jarsigner. In our case we want to upload provenance along side the jar so it might need to upload it to a different "artifact" in the same "group" on maven central unless we can find a good way to embed it inside the jar somehow.

Since the jar is just a zip or whatever, we could possibly include it in a "well known" file name like PROVENANCE.json or something like that.

ianlewis avatar Jul 20 '22 23:07 ianlewis

I think you're right. Maybe something like https://github.com/lopht/upload-maven-plugin is more similar to what we need.

laurentsimon avatar Jul 20 '22 23:07 laurentsimon

Just doing some more research:

  • GPG signing seems to already be a requirement for publishing to maven central: https://central.sonatype.org/publish/requirements/gpg/
    • Packages like log4j already have signatures for each file: https://repo1.maven.org/maven2/log4j/log4j/1.2.17/
    • It seems that using the gpg plugin is the recommended way to sign using maven: https://central.sonatype.org/publish/publish-maven/#using-build-tools-for-signing
  • It does seem like you can upload arbitrary files since you can upload md5s and asc files to a release. But perhaps not many plugins support uploading arbitrary files. We would need to create our own or use the upload-maven-plugin (though it looks old and may pre-date gpg publishing requirements).

GPG signing being a requirement might actually make adoption using sigstore tools a bit harder since folks would need to sign with both tools in order to publish to maven central.

It's a bit unclear to me since there are two sets of docs:

  • https://central.sonatype.org/
  • https://maven.apache.org/repository/index.html

but it seems that sonatype runs the central repository right now?

ianlewis avatar Jul 21 '22 00:07 ianlewis

I'd very much like to have a Maven/Gradle builder! I did start looking into this but got very distracted, apologies.

I don't think we should put provenance in the jar – wouldn't that alter the digest of the artefact being described by the provenance file? Uploading the provenance to Maven Central alongside the jar feels appropriate.

but it seems that sonatype runs the central repository right now?

That matches my understanding.

joshuagl avatar Jul 22 '22 16:07 joshuagl

This plugin example https://github.com/lopht/upload-maven-plugin may be helpful. @joshuagl What if we used the generic generator along with a plugin to showcase an e2e PoC?

laurentsimon avatar Jul 22 '22 16:07 laurentsimon

I don't think we should put provenance in the jar

+1 we can just upload it as detached metadata for the jar. This is what pgp signatures are now and what we plan on doing for sigstore artifact signing.

loosebazooka avatar Jul 22 '22 16:07 loosebazooka
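To make the "detached metadata" idea from the last two comments concrete, and to show how it coexists with the GPG requirement ianlewis listed above, here is an added pom.xml fragment that is not from this thread or from the slsa-github-generator project. It assumes the generic generator has already written the provenance to target/<finalName>.intoto.jsonl (the file name and the plugin versions are assumptions, not values from the thread) and uses two widely used plugins with no custom code: build-helper-maven-plugin's attach-artifact goal registers the provenance as an extra artifact of the module with the classifier "provenance", so a normal mvn deploy uploads it next to the jar instead of inside it, and maven-gpg-plugin's sign goal signs every attached artifact, so the provenance file gets its own .asc like the jar does.

```xml
<project>
  <!-- groupId, artifactId, version, etc. omitted; only the relevant build section is shown. -->
  <build>
    <plugins>
      <!-- Attach the provenance as a detached artifact of this module.
           Attached artifacts are installed and deployed together with the jar,
           so the jar's own bytes (and therefore the digest the provenance
           describes) are left untouched. -->
      <plugin>
        <groupId>org.codehaus.mojo</groupId>
        <artifactId>build-helper-maven-plugin</artifactId>
        <version>3.4.0</version> <!-- assumed version; pin to whatever you have vetted -->
        <executions>
          <execution>
            <id>attach-provenance</id>
            <phase>package</phase>
            <goals>
              <goal>attach-artifact</goal>
            </goals>
            <configuration>
              <artifacts>
                <artifact>
                  <!-- Assumed location and name of the file produced by the generic generator. -->
                  <file>${project.build.directory}/${project.build.finalName}.intoto.jsonl</file>
                  <!-- "type" becomes the file extension in the repository layout. -->
                  <type>intoto.jsonl</type>
                  <!-- The classifier keeps the provenance distinct from the main jar. -->
                  <classifier>provenance</classifier>
                </artifact>
              </artifacts>
            </configuration>
          </execution>
        </executions>
      </plugin>

      <!-- Maven Central requires a GPG signature for each uploaded file.
           gpg:sign runs after package and signs the jar, the pom and every
           attached artifact, including the provenance registered above. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-gpg-plugin</artifactId>
        <version>3.1.0</version> <!-- assumed version -->
        <executions>
          <execution>
            <id>sign-artifacts</id>
            <phase>verify</phase>
            <goals>
              <goal>sign</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

With this in place, `mvn deploy` publishes, for a module `foo` at version 1.0, the files `foo-1.0.jar`, `foo-1.0.jar.asc`, `foo-1.0-provenance.intoto.jsonl` and `foo-1.0-provenance.intoto.jsonl.asc` (plus the pom, checksums and their signatures) under the same groupId path. A consumer fetches the jar and the `provenance` classifier artifact from the same coordinates, checks the jar's digest against the provenance subject, and the Central GPG check is satisfied without any change to the sigstore side, which is exactly the layout the thread describes for PGP signatures today.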

This plugin example https://github.com/lopht/upload-maven-plugin may be helpful. @joshuagl What if we used the generic generator along with a plugin to showcase an e2e PoC?

This would be ideal for now I think. My only concern is that the upload-maven-plugin is old (no commits since 2018).

+1 we can just upload it as detached metadata for the jar. This is what pgp signatures are now and what we plan on doing for sigstore artifact signing.

Yeah, I said that mostly without thinking and before I understood that you could upload multiple files for releases.

ianlewis avatar Jul 25 '22 00:07 ianlewis

This plugin example https://github.com/lopht/upload-maven-plugin may be helpful. @joshuagl What if we used the generic generator along with a plugin to showcase an e2e PoC?

This would be ideal for now I think. My only concern is that the upload-maven-plugin is old (no commits since 2018).

I was only suggesting we use it as an example to build our solution. We should own the plugin and maintain it.

laurentsimon avatar Jul 25 '22 16:07 laurentsimon

@laurentsimon It seems that the sigstore maven plugin is now maintained at https://github.com/sigstore/sigstore-maven and it seems that the sigstore project currently intends to maintain it so we should probably try to use that.

It still seems like a lot of the sigstore Java stuff is not really fully baked so it might still need some work.

ianlewis avatar Jul 29 '22 03:07 ianlewis