From 599560234fe74e90b5f3ff781b39a753bd4ca8a5 Mon Sep 17 00:00:00 2001
From: Rene Groeschke
Date: Fri, 27 Jun 2025 14:24:10 +0200
Subject: [PATCH] [Build] Setup artifact signing for maven aggregation content (#130179)

Maven central expects signed artifacts when publishing
---
 .buildkite/hooks/pre-command | 8 ++++++++
 .buildkite/pipelines/dra-workflow.yml | 1 +
 .../gradle/internal/conventions/PublishPlugin.java | 13 +++++++++++--
 3 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/.buildkite/hooks/pre-command b/.buildkite/hooks/pre-command
index 34d614c7f7a5..e6b7b1bc3a19 100644
--- a/.buildkite/hooks/pre-command
+++ b/.buildkite/hooks/pre-command
@@ -64,6 +64,14 @@ if [[ "${USE_LUCENE_SNAPSHOT_CREDS:-}" == "true" ]]; then
 unset data
 fi

+if [[ "${USE_MAVEN_GPG:-}" == "true" ]]; then
+ vault_path="kv/ci-shared/release-eng/team-release-secrets/es-delivery/gpg"
+ ORG_GRADLE_PROJECT_signingKey=$(vault kv get --field="private_key" $vault_path)
+ ORG_GRADLE_PROJECT_signingPassword=$(vault kv get --field="passphase" $vault_path)
+ export ORG_GRADLE_PROJECT_signingKey
+ export ORG_GRADLE_PROJECT_signingPassword
+fi
+
 if [[ "${USE_DRA_CREDENTIALS:-}" == "true" ]]; then
 DRA_VAULT_ROLE_ID_SECRET=$(vault read -field=role-id secret/ci/elastic-elasticsearch/legacy-vault-credentials)
 export DRA_VAULT_ROLE_ID_SECRET
diff --git a/.buildkite/pipelines/dra-workflow.yml b/.buildkite/pipelines/dra-workflow.yml
index 36828a6512db..43a3ff73b965 100644
--- a/.buildkite/pipelines/dra-workflow.yml
+++ b/.buildkite/pipelines/dra-workflow.yml
@@ -2,6 +2,7 @@ steps:
 - command: .buildkite/scripts/dra-workflow.sh
 env:
 USE_DRA_CREDENTIALS: "true"
+ USE_MAVEN_GPG: "true"
 USE_PROD_DOCKER_CREDENTIALS: "true"
 agents:
 provider: gcp
diff --git a/build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/PublishPlugin.java b/build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/PublishPlugin.java
index d3f03b9534be..9f96d4eafa33 100644
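Review bot: The added `USE_MAVEN_GPG` block in `.buildkite/hooks/pre-command` exports the private signing key and its passphrase into the environment of every process the step launches, and nothing visible here checks that either Vault read returned a value. I would fail the hook on an empty result, e.g. `: "${ORG_GRADLE_PROJECT_signingKey:?signing key missing from vault}"` and the same for the password, and quote `"$vault_path"` in both `vault kv get` calls. The field name `passphase` also looks like a misspelling of `passphrase`; it is worth confirming that it matches the key actually stored in Vault, since a mismatch would only surface when signing runs. Whether the hook runs under `set -e` is not visible in this hunk.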
--- a/build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/PublishPlugin.java +++ b/build-conventions/src/main/java/org/elasticsearch/gradle/internal/conventions/PublishPlugin.java @@ -10,12 +10,11 @@ package org.elasticsearch.gradle.internal.conventions; import groovy.util.Node; +import nmcp.NmcpPlugin; import com.github.jengelman.gradle.plugins.shadow.ShadowExtension; import com.github.jengelman.gradle.plugins.shadow.ShadowPlugin; -import nmcp.NmcpPlugin; - import org.elasticsearch.gradle.internal.conventions.info.GitInfo; import org.elasticsearch.gradle.internal.conventions.precommit.PomValidationPrecommitPlugin; import org.elasticsearch.gradle.internal.conventions.util.Util; @@ -41,6 +40,8 @@ import org.gradle.api.tasks.SourceSet; import org.gradle.api.tasks.bundling.Jar; import org.gradle.initialization.layout.BuildLayout; import org.gradle.language.base.plugins.LifecycleBasePlugin; +import org.gradle.plugins.signing.SigningExtension; +import org.gradle.plugins.signing.SigningPlugin; import org.w3c.dom.Element; import java.io.File; @@ -69,6 +70,7 @@ public class PublishPlugin implements Plugin { project.getPluginManager().apply(PomValidationPrecommitPlugin.class); project.getPluginManager().apply(LicensingPlugin.class); project.getPluginManager().apply(NmcpPlugin.class); + project.getPluginManager().apply(SigningPlugin.class); configureJavadocJar(project); configureSourcesJar(project); configurePomGeneration(project); 
@@ -79,6 +81,13 @@ public class PublishPlugin implements Plugin {
 private void configurePublications(Project project) {
 var publishingExtension = project.getExtensions().getByType(PublishingExtension.class);
 var publication = publishingExtension.getPublications().create("elastic", MavenPublication.class);
+ Provider signingKey = project.getProviders().gradleProperty("signingKey");
+ if (signingKey.isPresent()) {
+ SigningExtension signing = project.getExtensions().getByType(SigningExtension.class);
+ signing.useInMemoryPgpKeys(signingKey.get(), project.getProviders().gradleProperty("signingPassword").get());
+ signing.sign(publication);
+ }
+
 project.afterEvaluate(project1 -> {
 if (project1.getPlugins().hasPlugin(ShadowPlugin.class)) {
 configureWithShadowPlugin(project1, publication);
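Review bot: In `configurePublications`, `gradleProperty("signingPassword").get()` is called unguarded once `signingKey` is present, so a key supplied without its passphrase fails configuration with Gradle's generic missing-value error rather than a message naming the property. The opposite branch is silent: when `signingKey` is absent the `elastic` publication is simply left unsigned and nothing in this hunk logs or fails, so a release run whose Vault read broke could get as far as upload before anyone notices (whether a later stage rejects unsigned artifacts is not visible here). I would resolve the password into its own provider and check it, e.g. `if (signingPassword.isPresent() == false) { throw new GradleException("signingKey is set but signingPassword is missing"); }`, and add an `else` that logs at lifecycle level that signing was skipped. The method body continues past the end of the hunk.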