The plugin of version `5+` does not work with `signing` plugin any more
Describe the bug
The goal is to sign artifacts before they are published to the Artifactory.
It works well with plugin of version 4+, but does not with 5+.
Current behavior
This is my Gradle init script:
```groovy
initscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.jfrog.buildinfo:build-info-extractor-gradle:4.+'
    }
}

// Signing key material is read from the environment
def gpgPassphrase = System.getenv('GPG_PASSPHRASE')
def gpgPrivateKey = System.getenv('GPG_PRIVATE_KEY')

allprojects {
    apply plugin: 'signing'

    tasks.register('artifactoryPublish', org.jfrog.gradle.plugin.artifactory.task.ArtifactoryTask) {
        setCiServerBuild()
    }

    apply plugin: org.jfrog.gradle.plugin.artifactory.ArtifactoryPlugin

    artifactory {
        publish {
            contextUrl = System.getenv('ARTIFACTORY_URL')
            repository {
                repoKey = System.getenv('ARTIFACTORY_REPOSITORY')
                username = System.getenv('ARTIFACTORY_USERNAME')
                password = System.getenv('ARTIFACTORY_PASSWORD')
            }
            defaults {
                publications 'mavenJava'
            }
        }
    }

    afterEvaluate {
        pluginManager.withPlugin('maven-publish') {
            // Sign the mavenJava publication with the in-memory PGP key
            signing {
                useInMemoryPgpKeys(gpgPrivateKey, gpgPassphrase)
                sign publishing.publications.mavenJava
            }
        }
    }
}
```
Works well and as expected: the artifacts are signed and .asc files are uploaded to the Artifactory alongside the other artifacts.
If I change the build-info-extractor-gradle version to 5+, it does not sign artifacts.
And even if I make artifactoryPublish dependent on the signMavenJavaPublication task and it is called, the .asc files are not uploaded to the Artifactory.
Reproduction steps
No response
Expected behavior
No response
Artifactory Gradle plugin version
5+
Operating system type and version
GitHub Actions
JFrog Artifactory version
No response
Gradle version
8.5
Steps to reproduce:
- Clone the example gradle project from JFrog project-examples GitHub page.
- Generate a new GPG key.
- Inside the project directory modify the build.gradle file as follows:
```groovy
buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath(group: 'org.jfrog.buildinfo', name: 'build-info-extractor-gradle', version: '4.+')
    }
}

allprojects {
    apply plugin: 'signing'

    tasks.register('artifactoryPublish', org.jfrog.gradle.plugin.artifactory.task.ArtifactoryTask) {
        setCiServerBuild()
    }

    apply plugin: org.jfrog.gradle.plugin.artifactory.ArtifactoryPlugin

    repositories {
        maven {
            url "<Artifactory URL>/artifactory/<remote repository>"
        }
    }
}

version = currentVersion

apply plugin: 'com.jfrog.artifactory'
apply plugin: 'java'
apply plugin: 'maven-publish'

dependencies {
    testImplementation 'junit:junit:4.7'
}

publishing {
    publications {
        mavenJava(MavenPublication) {
            from components.java
        }
    }
}

artifactory {
    contextUrl = '<Artifactory URL>/artifactory'
    publish {
        repository {
            repoKey = '<local repository>' // The Artifactory repository key to publish to
            username = '<username>' // The publisher user name
            password = '<password>' // The publisher password
        }
        defaults {
            publications('mavenJava')
            publishArtifacts = true
            // Properties to be attached to the published artifacts.
            properties = ['qa.level': 'basic', 'dev.team' : 'core']
            // Publish generated POM files to Artifactory (true by default)
            publishPom = true
        }
    }
}

afterEvaluate {
    pluginManager.withPlugin('maven-publish') {
        signing {
            sign publishing.publications.mavenJava
        }
    }
}
```
- Modify the gradle.properties file:

```properties
artifactory_user=<Artifactory username>
artifactory_password=<Artifactory password>
# Last 8 digits of your GPG key; get it by running "gpg --list-keys --keyid-format short"
signing.keyId=<KeyID>
signing.password=<passphrase for the GPG key>
signing.secretKeyRingFile=<path to the GPG key>
```
- Execute the 'gradle artifactoryPublish' command and observe that the artifacts are signed, with corresponding .asc files uploaded to Artifactory along with other artifacts.
- Update the 'classpath' from 'org.jfrog.buildinfo:build-info-extractor-gradle:4.+' to 'org.jfrog.buildinfo:build-info-extractor-gradle:5.+' and ensure that no .asc files are generated or uploaded to Artifactory.
Hi @artembilan @RoiNiv23, Artifactory Gradle Plugin 5.2.3 was just released and includes a fix for this issue. We'd appreciate your feedback for it.
Looks like that works and I see published .asc files as well.
This issue can be closed.
Thank you!
Thanks for the feedback @artembilan!
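
A CI check that would catch the regression reported in this thread, as an added example that is not part of the issue or of JFrog's code: given a file listing the paths in the target repository folder (one per line; producing that listing is left to your pipeline), it reports every `.jar`, `.pom` or `.module` file with no matching `.asc`. The `com/example/demo` paths and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag published artifacts that have no detached .asc signature.

# Constructed sample listing: 1.0 is fully signed, 1.1 lost two signatures.
sample_listing() {
    cat <<'EOF'
com/example/demo/1.0/demo-1.0.jar
com/example/demo/1.0/demo-1.0.jar.asc
com/example/demo/1.0/demo-1.0.jar.sha256
com/example/demo/1.0/demo-1.0.module
com/example/demo/1.0/demo-1.0.module.asc
com/example/demo/1.0/demo-1.0.pom
com/example/demo/1.0/demo-1.0.pom.asc
com/example/demo/1.1/demo-1.1.jar
com/example/demo/1.1/demo-1.1.jar.md5
com/example/demo/1.1/demo-1.1.module
com/example/demo/1.1/demo-1.1.pom
com/example/demo/1.1/demo-1.1.pom.asc
com/example/demo/maven-metadata.xml
EOF
}

# Print every .jar/.pom/.module path in the listing file $1 that has no
# "<path>.asc" entry. Checksum files and maven-metadata.xml are ignored.
missing_signatures() {
    # First pass records all paths; second pass checks the signable ones.
    awk '
        NR == FNR { seen[$0] = 1; next }
        /\.(jar|pom|module)$/ && !(($0 ".asc") in seen) { print }
    ' "$1" "$1"
}

# CI gate: fail on an empty listing or on any unsigned artifact.
require_signatures() {
    [ -s "$1" ] || { echo 'empty listing' >&2; return 1; }
    missing=$(missing_signatures "$1")
    if [ -n "$missing" ]; then
        printf 'unsigned artifacts:\n%s\n' "$missing" >&2
        return 1
    fi
}

# Demo run on the constructed listing.
listing=$(mktemp)
sample_listing > "$listing"
require_signatures "$listing" || echo "gate would fail the build"
rm -f "$listing"
```

Run as a step after `artifactoryPublish`, the gate turns a silent loss of signatures after a plugin upgrade into a failed build.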