What is the syntax for defining a custom signatory?

abunetta · June 7, 2012, 10:43am

I’ve created a new class (org.MySignatory) in buildSrc that extends org.gradle.plugins.signing.signatory.SignatorySupport.

I would like to use it to sign a jar, but have not been able to set it as the signatory for a project.

The following seems the most consistent with the user guide examples and DSL documentation, but the script fails during evaluation with “Could not find method signatory() for arguments [org.MySignatory@2ddc50] on project”

apply plugin: 'signing'
  signing {
    signatory new org.MySignatory()
    sign configurations.archives
}

I’m using version 1.0 milestone 9.

abunetta · June 10, 2012, 6:35am

Is using a custom signatory supported at this time with the signing plugin?

abunetta · June 11, 2012, 10:44am

The following fits the gradle DSL but doesn’t define a signatory.

Building fails with “Cannot perform signing task ‘:proj:signArchives’ because it has no configured signatory”.

signing {
    signatories {
        new org.MySignatory()
    }
    sign configurations.archives
}

luke_daley · June 11, 2012, 11:52am

This is a bit awkward right now. If you provide more info on what you want to achieve I should be able to provide a solution.

At the lowest level, you can inject your own signatory provider…

signing.signatoryProvider = new MySignatoryProvider()

This is the interface to implement

abunetta · June 12, 2012, 6:09am

There is no signatoryProvider method, I think that you meant

signing.signatories = new MySignatoryProvider()

Using this, I am able to pass MySignatory via MySignatoryProvider.

But it seems that PgpSignatory is still active.

First of all, gradle complains because my Signatory is missing a keyId property of type PgpKeyId (which is required regardless of signature type at Sign.groovy:69). Also, an .asc file is generated to the build/libs directory.

Once I added the keyId to my Signatory, my sign(in, out) method is called, being given the jar to be signed in the input stream. But the output stream is ignored.

Even when the sign method of MySignatory is just the following, the output jar is the original unsigned jar:

@Override
public void sign(InputStream toSign, OutputStream signed) {
 signed.write(100)
 signed.flush()
}

So somehow the output from the sign(…) method is being ignored or overridden.

Any ideas?

Thanks, David

abunetta · June 12, 2012, 7:39am

OK, the problem was that I needed to define the signatureTypes as well, and make MySignatureType the default.

signing.signatureTypes = new MySignatureTypeProvider()

Now I have a different question:

Is there any reasonable way to replace the jar that is generated by the jar task with the jar I’ve just signed using my Signatory in the signArchives task?

I didn’t want to make a signature file; rather I wanted to have the jar output signed. Most important is that I don’t want gradle to recreate the jar on every build.

luke_daley · June 12, 2012, 9:45am

The signing plugin was not designed to transform artifacts, but create auxiliary signature files.

This could be possible though, but the API may be a little awkward for it. Some additions to the signing plugin could make this easier.

Contributions are always welcome

abunetta · June 12, 2012, 10:23am

Right, thanks for the clarification.

For now, a workaround I’ve found is to make my SignatureType extension “jar” and set the project archive extension to “”.