From e929b40a53123764ec730dce09e659c09a1d8c01 Mon Sep 17 00:00:00 2001
From: Malena Ebert
 <63863184+malena-ebert-sonarsource@users.noreply.github.com>
Date: Thu, 15 Apr 2021 12:15:18 +0200
Subject: [PATCH] BUILD-906 Sign published artifacts

---
 .cirrus.yml  |  2 ++
 build.gradle | 26 ++++++++++++++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/.cirrus.yml b/.cirrus.yml
index 3cda7fecd42..762bc4258f4 100644
--- a/.cirrus.yml
+++ b/.cirrus.yml
@@ -112,6 +112,8 @@ build_task:
     # Depth of 1 is not enough because it would fail the build in case of consecutive pushes
     # (example of error: "Hard resetting to c968ecaf7a1942dacecd78480b3751ac74d53c33...Failed to force reset to c968ecaf7a1942dacecd78480b3751ac74d53c33: object not found!")
     CIRRUS_CLONE_DEPTH: 50
+    ORG_GRADLE_PROJECT_signingKey: ENCRYPTED[!54147bd7fb86bbe802fd432fab7d53bee19e71fe642d7b57703ec985b10f1976602adc743a906ea9851e5dd793be540c!]
+    ORG_GRADLE_PROJECT_signingPassword: ENCRYPTED[!15c41fa6fdc13ace4a011693a002664593e038f91a2597fad40f4295f0de9858a587c504f5b9f1f97250f19fd5f4a655!]
   script:
     - ./private/cirrus/cirrus-build.sh
   on_failure:
diff --git a/build.gradle b/build.gradle
index 32e8d46f370..4a73c774182 100644
--- a/build.gradle
+++ b/build.gradle
@@ -4,7 +4,7 @@ plugins {
   id 'com.github.hierynomus.license' version '0.15.0'
   id 'com.github.johnrengelman.shadow' version '5.2.0' apply false
   id 'com.google.protobuf' version '0.8.13' apply false
-  id 'com.jfrog.artifactory' version '4.18.0'
+  id 'com.jfrog.artifactory' version '4.21.0'
   id 'com.github.node-gradle.node' version '2.2.4' apply false
   id 'io.spring.dependency-management' version '1.0.10.RELEASE'
   id "com.asarkar.gradle.build-time-tracker" version "2.0.4" apply false
@@ -107,7 +107,7 @@ allprojects {
 
   artifactory {
     clientConfig.setIncludeEnvVars(true)
-    clientConfig.setEnvVarsExcludePatterns('*password*,*PASSWORD*,*secret*,*MAVEN_CMD_LINE_ARGS*,sun.java.command,*token*,*TOKEN*,*LOGIN*,*login*,*key*,*KEY*')
+    clientConfig.setEnvVarsExcludePatterns('*password*,*PASSWORD*,*secret*,*MAVEN_CMD_LINE_ARGS*,sun.java.command,*token*,*TOKEN*,*LOGIN*,*login*,*key*,*KEY*,*signing*')
     contextUrl = System.getenv('ARTIFACTORY_URL')
     publish {
       repository {
@@ -162,6 +162,7 @@ subprojects {
   apply plugin: 'jacoco'
   apply plugin: 'java'
   apply plugin: 'idea'
+  apply plugin: 'signing'
 
   sourceCompatibility = 1.8
   targetCompatibility = 1.8
@@ -572,6 +573,27 @@ subprojects {
       }
     }
   }
+
+  signing {
+    def signingKey = findProperty("signingKey")
+    def signingPassword = findProperty("signingPassword")
+    useInMemoryPgpKeys(signingKey, signingPassword)
+    required {
+      def branch = System.getenv()["CIRRUS_BRANCH"]
+      return (branch == 'master' || branch ==~ 'branch-[\\d.]+') &&
+             gradle.taskGraph.hasTask(":artifactoryPublish")
+    }
+    sign publishing.publications
+  }
+
+  tasks.withType(Sign) {
+    onlyIf {
+      def branch = System.getenv()["CIRRUS_BRANCH"]
+      return !artifactoryPublish.skip &&
+             (branch == 'master' || branch ==~ 'branch-[\\d.]+') &&
+             gradle.taskGraph.hasTask(":artifactoryPublish")
+    }
+  }
 }
 
 
-- 
2.39.5