Comply with optional password in scala-cli-signing (#1982)

* Comply with scala-cli-signing using optional passwords * Make private key signing stable * NIT: Remove extra fromRoot clauses

Author: MaciejG604

modules/cli/src/main/scala/scala/cli/commands/config/Config.scala

@@ -74,7 +74,7 @@ object Config extends ScalaCommand[ConfigOptions] {
  val (pgpPublic, pgpSecret0) =
  ThrowawayPgpSecret.pgpSecret(
  mail,
- password,
+ Some(password),
  logger,
  coursierCache,
  () =>

modules/cli/src/main/scala/scala/cli/commands/config/ThrowawayPgpSecret.scala

@@ -30,7 +30,7 @@ object ThrowawayPgpSecret {
  }
  def pgpSecret(
  mail: String,
- password: Secret[String],
+ password: Option[Secret[String]],
  logger: Logger,
  cache: FileCache[Task],
  javaCommand: () => String,
@@ -46,7 +46,7 @@ object ThrowawayPgpSecret {
  secKey.toString,
  mail,
  logger.verbosity <= 0,
- password.value,
+ password.map(_.value),
  cache,
  logger,
  javaCommand,

modules/cli/src/main/scala/scala/cli/commands/pgp/PgpProxy.scala

@@ -15,28 +15,34 @@ class PgpProxy {
  secKey: String,
  mail: String,
  quiet: Boolean,
- password: String,
+ passwordOpt: Option[String],
  cache: FileCache[Task],
  logger: Logger,
  javaCommand: () => String,
  signingCliOptions: bo.ScalaSigningCliOptions
  ): Either[BuildException, Int] = {
+
+ val (passwordOption, extraEnv) = passwordOpt match
+ case Some(value) =>
+ (
+ Seq("--password", s"env:SCALA_CLI_RANDOM_KEY_PASSWORD"),
+ Map("SCALA_CLI_RANDOM_KEY_PASSWORD" -> value)
+ )
+ case None => (Nil, Map.empty)
  val quietOptions = Nil
  (new PgpCreateExternal).tryRun(
  cache,
  Seq(
  "pgp",
  "create",
  "--pub-dest",
- pubKey.toString,
+ pubKey,
  "--secret-dest",
- secKey.toString,
+ secKey,
  "--email",
- mail,
- "--password",
- s"env:SCALA_CLI_RANDOM_KEY_PASSWORD"
- ) ++ quietOptions,
- Map("SCALA_CLI_RANDOM_KEY_PASSWORD" -> password),
+ mail
+ ) ++ passwordOption ++ quietOptions,
+ extraEnv,
  logger,
  allowExecve = false,
  javaCommand,

modules/cli/src/main/scala/scala/cli/commands/pgp/PgpProxyJvm.scala

@@ -18,17 +18,19 @@ class PgpProxyJvm extends PgpProxy {
  secKey: String,
  mail: String,
  quiet: Boolean,
- password: String,
+ passwordOpt: Option[String],
  cache: FileCache[Task],
  logger: Logger,
  javaCommand: () => String,
  signingCliOptions: bo.ScalaSigningCliOptions
  ): Either[BuildException, Int] = {
 
+ val password = passwordOpt.map(password => PasswordOption.Value(Secret(password)))
+
  PgpCreate.tryRun(
  PgpCreateOptions(
  email = mail,
- password = PasswordOption.Value(Secret(password)),
+ password = password,
  pubDest = Some(pubKey),
  secretDest = Some(secKey),
  quiet = quiet

modules/cli/src/main/scala/scala/cli/commands/publish/Publish.scala

@@ -876,9 +876,6 @@ object Publish extends ScalaCommand[PublishOptions] with BuildCommandHelpers {
  }
  }
 
- if (secretKeyPasswordOpt.isEmpty)
- logger.diagnostic("PGP signing with no password is not recommended since it's not stable")
-
  if (forceSigningBinary)
  (new scala.cli.internal.BouncycastleSignerMakerSubst).get(
  secretKeyPasswordOpt.fold(null)(_.toCliSigning),

modules/cli/src/main/scala/scala/cli/commands/publish/checks/PgpSecretKeyCheck.scala

@@ -198,7 +198,7 @@ final case class PgpSecretKeyCheck(
  val (pgpPublic, pgpSecret0) = value {
  ThrowawayPgpSecret.pgpSecret(
  value(maybeMail),
- passwordSecret,
+ Some(passwordSecret),
  logger,
  coursierCache,
  value(javaCommand),

modules/cli/src/main/scala/scala/cli/publish/BouncycastleSignerMaker.scala

@@ -19,7 +19,7 @@ class BouncycastleSignerMaker {
  ): Signer =
  BouncycastleSigner(
  secretKey.getBytes(),
- Option(passwordOrNull).fold(Secret(""))(_.get())
+ Option(passwordOrNull).map(_.get())
  )
  def maybeInit(): Unit =
  Security.addProvider(new BouncyCastleProvider)

modules/integration/src/test/scala/scala/cli/integration/PgpTests.scala

@@ -94,4 +94,82 @@ class PgpTests extends ScalaCliSuite {
  }
  }
 
+ test("pgp create") {
+ pubKeyInputs.fromRoot { root =>
+ os.proc(
+ TestUtil.cli,
+ "--power",
+ "pgp",
+ "create",
+ "--email",
+ "test@test.com",
+ "--password",
+ "value:1234",
+ "--dest",
+ "new_key"
+ )
+ .call(cwd = root, stdin = os.Inherit, stdout = os.Inherit)
+
+ val tmpFile = root / "test-file"
+ val tmpFileAsc = root / "test-file.asc"
+ os.write(tmpFile, "Hello")
+
+ os.proc(
+ TestUtil.cli,
+ "--power",
+ "pgp",
+ "sign",
+ "--password",
+ "value:1234",
+ "--secret-key",
+ "file:new_key.skr",
+ tmpFile
+ )
+ .call(cwd = root, stdin = os.Inherit, stdout = os.Inherit)
+
+ val verifyProc =
+ os.proc(TestUtil.cli, "--power", "pgp", "verify", "--key", "new_key.pub", tmpFileAsc)
+ .call(cwd = root, mergeErrIntoOut = true)
+
+ expect(verifyProc.out.text().contains(s"$tmpFileAsc: valid signature"))
+ }
+ }
+
+ test("pgp create no password") {
+ pubKeyInputs.fromRoot { root =>
+ os.proc(
+ TestUtil.cli,
+ "--power",
+ "pgp",
+ "create",
+ "--email",
+ "test@test.com",
+ "--dest",
+ "new_key"
+ )
+ .call(cwd = root, stdin = os.Inherit, stdout = os.Inherit)
+
+ val tmpFile = root / "test-file"
+ val tmpFileAsc = root / "test-file.asc"
+ os.write(tmpFile, "Hello")
+
+ os.proc(
+ TestUtil.cli,
+ "--power",
+ "pgp",
+ "sign",
+ "--secret-key",
+ "file:new_key.skr",
+ tmpFile
+ )
+ .call(cwd = root, stdin = os.Inherit, stdout = os.Inherit)
+
+ val verifyProc =
+ os.proc(TestUtil.cli, "--power", "pgp", "verify", "--key", "new_key.pub", tmpFileAsc)
+ .call(cwd = root, mergeErrIntoOut = true)
+
+ expect(verifyProc.out.text().contains(s"$tmpFileAsc: valid signature"))
+ }
+ }
+
 }