Add support for signed Releases

[netwolfuk]

add InRelease and Release.gpg files "clear signed" with gpg

[vidstige]

There seems to be support for this in BouncyCastle. There is even an example here. It would be interesting to try to sign a Release file to get an InRelease file. I tried to download and run this example, but could not get it to even run. :-/

[netwolfuk]

Yes, that looks to be the same as this one from 2015 although there is not date available on the doc jar page. Maybe there are some subtle differences.

Did it compile and not run? Or not compile?
I presume the workflow to test would be:

1. Generate PGP/GPG Key with passphrase using standard GPG tools (rather than learning it in BC)
2. Clear sign Release file in GPG with key.
3. Clear sign Release file BC with same key.
4. Compare.

[vidstige]

I downloaded two jar files from the BouncyCastle webpage. Using jar tf I realized the intersting example was included. Tried to run that file but it threw an exception complaining about unable to load some class and a JNI tirade. Here is the full excerpt

$ java -cp bcprov-jdk15on-156.jar -cp bcpg-jdk15on-156.jar org.bouncycastle.openpgp.examples.ClearSignedFileProcessor
Error: A JNI error has occurred, please check your installation and try again
Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
	at java.lang.Class.getDeclaredMethods0(Native Method)
	at java.lang.Class.privateGetDeclaredMethods(Class.java:2701)
	at java.lang.Class.privateGetMethodRecursive(Class.java:3048)
	at java.lang.Class.getMethod0(Class.java:3018)
	at java.lang.Class.getMethod(Class.java:1784)
	at sun.launcher.LauncherHelper.validateMainClass(LauncherHelper.java:544)
	at sun.launcher.LauncherHelper.checkAndLoadMain(LauncherHelper.java:526)
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:331)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 7 more

[netwolfuk]

try using : instead of a second -cp
eg

java -cp bcprov-jdk15on-1.56.jar:bcpg-jdk15on-1.56.jar org.bouncycastle.openpgp.examples.ClearSignedFileProcessor
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 0
	at org.bouncycastle.openpgp.examples.ClearSignedFileProcessor.main(Unknown Source)

I am pretty sure it's then complaining that I didn't pass an argument so the args[] is empty.

[netwolfuk]

TODO:

• Figure out how to encrypt and store PGP key and secret in TeamCity
• Create UI for storing key and secret
• Write docs for how to generate Key in gnugpg. Generating keys in teamcity is not on the roadmap.

[vidstige]

Thank you so much for your help. After further consideration we will use some other mechanism to create our PPA.

[netwolfuk]

Ok. Thanks for letting me know. I hope you'll try again once 1.1 is released.

[zedle]

Assume this is dead?

[netwolfuk]

Not intentionally, I just haven't had lots of time, and the webhooks project is more popular.

[netwolfuk]

I'm making good progress on this. Are you interested in testing it @zedle ?

[zedle]

absolutely @netwolfuk

[netwolfuk]

Great @zedle. Thanks for your patience. We have a new baby in the house, so my spare time has dried up a bit .
I'm hoping to have something ready to test within 3 to 4 weeks. The changes required are quite numerous.
Underneath, the data store is now backed by a database. Previously it was in memory with writes to an XML file, but at 40k packages it was taking about 1 minute to persist.

[zedle]

@netwolfuk No worries, let me know. Could certainly use this project for our build server.