This is an automated email from the ASF dual-hosted git repository. dklco pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-committer-cli.git
commit f459afbb8ffeea7eacd101f8abfa5512ccdd50c3
Author: Dan Klco <[email protected]>
AuthorDate: Mon Sep 9 13:18:15 2019 -0400
Updating to download the sling ASC file
---
 .../sling/cli/impl/pgp/PGPSignatureValidator.java | 43 +++++++++++++++++-----
 1 file changed, 33 insertions(+), 10 deletions(-)
diff --git a/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java b/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java
index d8c1356..2ffe6ce 100644
--- a/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java
+++ b/src/main/java/org/apache/sling/cli/impl/pgp/PGPSignatureValidator.java
@@ -18,6 +18,7 @@
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*/
 package org.apache.sling.cli.impl.pgp;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.file.Files;
@@ -27,6 +28,11 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
+import org.apache.commons.io.IOUtils;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.client.methods.HttpGet;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.sling.cli.impl.http.HttpClientFactory;
 import org.bouncycastle.bcpg.ArmoredInputStream;
 import org.bouncycastle.openpgp.PGPException;
 import org.bouncycastle.openpgp.PGPObjectFactory;
@@ -42,26 +48,28 @@ import org.bouncycastle.openpgp.operator.jcajce.JcaKeyFingerprintCalculator;
 import org.jetbrains.annotations.NotNull;
 import org.osgi.service.component.annotations.Activate;
 import org.osgi.service.component.annotations.Component;
+import org.osgi.service.component.annotations.Reference;
 @Component(service = PGPSignatureValidator.class)
 public class PGPSignatureValidator {
+ @Reference
+ private HttpClientFactory httpClientFactory;
+
 private static final String KEYS_FILE = "/tmp/sling-keys.asc";
 private PGPPublicKeyRingCollection keyRing;
 public ValidationResult verify(Path artifact, Path signature) {
- try (
- InputStream fileStream = Files.newInputStream(artifact) ;
- InputStream signatureStream = Files.newInputStream(signature)
- ) {
+ try (InputStream fileStream = Files.newInputStream(artifact);
+ InputStream signatureStream = Files.newInputStream(signature)) {
 InputStream sigInputStream = PGPUtil.getDecoderStream(signatureStream);
 PGPObjectFactory pgpObjectFactory = new PGPObjectFactory(sigInputStream, new BcKeyFingerprintCalculator());
 PGPSignatureList sigList = (PGPSignatureList) pgpObjectFactory.nextObject();
 PGPSignature pgpSignature = sigList.get(0);
 PGPPublicKey key = keyRing.getPublicKey(pgpSignature.getKeyID());
 if (key == null) {
- throw new IllegalStateException(String.format("Signature %s was not generated with any of the known keys.",
- signature.getFileName()));
+ throw new IllegalStateException(String
+ .format("Signature %s was not generated with any of the known keys.", signature.getFileName()));
 }
 pgpSignature.init(new BcPGPContentVerifierBuilderProvider(), key);
 byte[] buff = new byte[1024];
@@ -72,7 +80,8 @@ public class PGPSignatureValidator {
 fileStream.close();
 return new ValidationResult(pgpSignature.verify(), key);
 } catch (PGPException | IOException e) {
- throw new IllegalStateException(String.format("Unable to verify signature %s.", signature.getFileName()), e);
+ throw new IllegalStateException(String.format("Unable to verify signature %s.", signature.getFileName()),
+ e);
 }
 }
@@ -80,7 +89,19 @@ public class PGPSignatureValidator {
 private void readKeyRing() {
 Path keysFile = Paths.get(KEYS_FILE);
 if (Files.notExists(keysFile)) {
- throw new IllegalStateException(String.format("Sling keys file does not exist at %s.", KEYS_FILE));
+ try {
+ try (CloseableHttpClient client = httpClientFactory.newClient()) {
+ HttpGet get = new HttpGet("https://people.apache.org/keys/group/sling.asc");
+ try (CloseableHttpResponse response = client.execute(get)) {
+ try (InputStream content = response.getEntity().getContent()) {
+ IOUtils.copy(content, new FileOutputStream(keysFile.toFile()));
+ }
+ }
+ }
+ } catch (IOException e) {
+ throw new IllegalStateException(
+ "Cannot download Sling key file from https://people.apache.org/keys/group/sling.asc", e);
+ }
 }
 try (InputStream in = Files.newInputStream(keysFile)) {
 InputStream bouncyIn = org.bouncycastle.openpgp.PGPUtil.getDecoderStream(in);
@@ -88,7 +109,8 @@ public class PGPSignatureValidator {
 ArmoredInputStream as = (ArmoredInputStream) bouncyIn;
 List<PGPPublicKeyRing> keyRings = new ArrayList<>();
 while (!as.isEndOfStream()) {
- PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(as, new JcaKeyFingerprintCalculator());
+ PGPPublicKeyRingCollection collection = new PGPPublicKeyRingCollection(as,
+ new JcaKeyFingerprintCalculator());
 Iterator<PGPPublicKeyRing> readKeyRings = collection.getKeyRings();
 while (readKeyRings.hasNext()) {
 PGPPublicKeyRing keyRing = readKeyRings.next();
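Review bot: In the `readKeyRing` hunk (`-80,7 +89,19`) the downloaded file becomes the key set that `verify` trusts, yet the response status is never checked and `new FileOutputStream(keysFile.toFile())` is never closed, so an error page or a truncated transfer can be left at `KEYS_FILE` and, because of the `Files.notExists` guard, be reused on every later run. I would check `response.getStatusLine().getStatusCode()` before copying, stage the body in a temporary file in the same directory and move it into place, as sketched below (this needs `java.nio.file.StandardCopyOption` and makes the new `FileOutputStream` and `IOUtils` imports unnecessary). Separately, `KEYS_FILE` is a fixed path under `/tmp` (declared outside this hunk), so a file already present there is accepted without any download; a directory private to the user, plus a check of the loaded keys against expected fingerprints, would make the trust anchor harder to substitute. The rest of `readKeyRing` continues outside the hunk.

```java
// … unchanged: client and HttpGet creation …
try (CloseableHttpResponse response = client.execute(get)) {
    int status = response.getStatusLine().getStatusCode();
    if (status != 200) {
        throw new IOException("Unexpected HTTP status " + status + " while downloading the Sling keys file");
    }
    // Stage the download beside the target so a failed transfer never leaves a partial keys file behind.
    Path staged = Files.createTempFile(keysFile.getParent(), "sling-keys", ".part");
    try (InputStream content = response.getEntity().getContent()) {
        Files.copy(content, staged, StandardCopyOption.REPLACE_EXISTING);
        Files.move(staged, keysFile, StandardCopyOption.ATOMIC_MOVE);
    } finally {
        Files.deleteIfExists(staged);
    }
}
// … unchanged: catch (IOException e) rethrow …
```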
@@ -98,7 +120,8 @@ public class PGPSignatureValidator {
 if (!keyRings.isEmpty()) {
 keyRing = new PGPPublicKeyRingCollection(keyRings);
 } else {
- throw new IllegalStateException(String.format("Sling keys file from %s does not contain any keys.", KEYS_FILE));
+ throw new IllegalStateException(
+ String.format("Sling keys file from %s does not contain any keys.", KEYS_FILE));
 }
 }
 } catch (IOException | PGPException e) {
