Sig validation

cstamas · cstamas · commit e65d13402021 · 2025-04-16T20:36:02.000+02:00
diff --git a/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/ArtifactSignatureValidator.java b/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/ArtifactSignatureValidator.java
@@ -70,12 +70,20 @@ private void validateSignature(
                     in.transferTo(bos);
                     signatureContent = new ByteArrayInputStream(bos.toByteArray());
                 }
-                if (signatureValidator.verifySignature(
-                        artifactStore.artifactContent(artifact).orElseThrow(), signatureContent)) {
+                SignatureValidator.Outcome outcome = signatureValidator.verifySignature(
+                        artifactStore,
+                        artifact,
+                        signature,
+                        artifactStore.artifactContent(artifact).orElseThrow(),
+                        signatureContent,
+                        chkCollector);
+                if (outcome == SignatureValidator.Outcome.VALID) {
                     chkCollector.addInfo("VALID " + signatureValidator.type().name());
+                } else if (outcome == SignatureValidator.Outcome.INVALID) {
+                    chkCollector.addError("INVALID " + signatureValidator.type().name());
                 } else {
-                    chkCollector.addError(
-                            "MISMATCH " + signatureValidator.type().name());
+                    chkCollector.addInfo("PRESENT (not validated) "
+                            + signatureValidator.type().name());
                 }
             } else {
                 if (mandatory) {
diff --git a/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/GpgSignatureValidator.java b/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/GpgSignatureValidator.java
@@ -7,16 +7,26 @@
  */
 package eu.maveniverse.maven.njord.shared.impl.publisher.signature;
 
+import eu.maveniverse.maven.njord.shared.publisher.spi.ValidationResultCollector;
+import eu.maveniverse.maven.njord.shared.store.ArtifactStore;
 import java.io.IOException;
 import java.io.InputStream;
+import org.eclipse.aether.artifact.Artifact;
 
 public class GpgSignatureValidator extends SignatureValidatorSupport {
     public GpgSignatureValidator() {
         super(new GpgSignatureType());
     }
 
     @Override
-    public boolean verifySignature(InputStream content, InputStream signature) throws IOException {
-        return true;
+    public Outcome verifySignature(
+            ArtifactStore artifactStore,
+            Artifact artifact,
+            Artifact signatureArtifact,
+            InputStream artifactContent,
+            InputStream signatureContent,
+            ValidationResultCollector collector)
+            throws IOException {
+        return Outcome.SKIPPED;
     }
 }
diff --git a/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/SigstoreSignatureValidator.java b/core/src/main/java/eu/maveniverse/maven/njord/shared/impl/publisher/signature/SigstoreSignatureValidator.java
@@ -7,16 +7,26 @@
  */
 package eu.maveniverse.maven.njord.shared.impl.publisher.signature;
 
+import eu.maveniverse.maven.njord.shared.publisher.spi.ValidationResultCollector;
+import eu.maveniverse.maven.njord.shared.store.ArtifactStore;
 import java.io.IOException;
 import java.io.InputStream;
+import org.eclipse.aether.artifact.Artifact;
 
 public class SigstoreSignatureValidator extends SignatureValidatorSupport {
     public SigstoreSignatureValidator() {
         super(new SigstoreSignatureType());
     }
 
     @Override
-    public boolean verifySignature(InputStream content, InputStream signature) throws IOException {
-        return false;
+    public Outcome verifySignature(
+            ArtifactStore artifactStore,
+            Artifact artifact,
+            Artifact signatureArtifact,
+            InputStream artifactContent,
+            InputStream signatureContent,
+            ValidationResultCollector collector)
+            throws IOException {
+        return Outcome.SKIPPED;
     }
 }
diff --git a/core/src/main/java/eu/maveniverse/maven/njord/shared/publisher/spi/signature/SignatureValidator.java b/core/src/main/java/eu/maveniverse/maven/njord/shared/publisher/spi/signature/SignatureValidator.java
@@ -7,19 +7,35 @@
  */
 package eu.maveniverse.maven.njord.shared.publisher.spi.signature;
 
+import eu.maveniverse.maven.njord.shared.publisher.spi.ValidationResultCollector;
+import eu.maveniverse.maven.njord.shared.store.ArtifactStore;
 import java.io.Closeable;
 import java.io.IOException;
 import java.io.InputStream;
+import org.eclipse.aether.artifact.Artifact;
 
 public interface SignatureValidator extends Closeable {
     /**
      * The type this validator validates.
      */
     SignatureType type();
 
+    enum Outcome {
+        SKIPPED,
+        VALID,
+        INVALID
+    }
+
     /**
      * Verifies received content against received signature. May perform much more, like fetching key and so on.
      * If it returns {@code true}, then and only then is signature accepted as "verified".
      */
-    boolean verifySignature(InputStream content, InputStream signature) throws IOException;
+    Outcome verifySignature(
+            ArtifactStore artifactStore,
+            Artifact artifact,
+            Artifact signatureArtifact,
+            InputStream artifactContent,
+            InputStream signatureContent,
+            ValidationResultCollector collector)
+            throws IOException;
 }
