hboutemy opened a new pull request, #43:
URL: https://github.com/apache/maven-gpg-plugin/pull/43

PoC using sigstore-java that does all the heavy sigstore work: https://github.com/sigstore/sigstore-java

- copying `GpgSignAttachedMojo.java` logic to create `SigstoreSignAttachedMojo.java`
- many parts are still missing for plugin configuration to support other sigstore servers than default ones
- not sure at all that maven-gpg-plugin will be the right target location for this feature
- does not work yet for an obscure reason:

```
$ mvn clean install
$ mvn -Papache-release clean deploy
...
[ERROR] Failed to execute goal org.apache.maven.plugins:maven-gpg-plugin:3.1.0-SNAPSHOT:sigstore (sigstore-sign-release-artifacts) on project maven-gpg-plugin: Error while signing with sigstore: CANCELLED: Failed to read message. class dev.sigstore.fulcio.v2.CertificateChain tried to access method 'com.google.protobuf.LazyStringArrayList com.google.protobuf.LazyStringArrayList.emptyList()' (dev.sigstore.fulcio.v2.CertificateChain and com.google.protobuf.LazyStringArrayList are in unnamed module of loader org.codehaus.plexus.classworlds.realm.ClassRealm @3eedbc30) -> [Help 1]
```

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
