Update to Tycho 2.7.1 Bugfix release

[laeubi]

• Enable pgp signatures again
• Update to Tycho 2.7.1

@joakime is there a way to simulate a release (staging repo maybe?) so we can check that a deployment now contains valid signatures?

[olamy]

@laeubi once merged snapshots will deployed here https://oss.sonatype.org/content/repositories/jetty-snapshots/
does it work for you?

[laeubi]

The question is, will snapshots be pgp-signed as a "real" release is before deployed to maven-central?

[olamy]

The question is, will snapshots be pgp-signed as a "real" release is before deployed to maven-central?

usually when we stage a release it's too late to change something
per default not. But we can deploy manually snapshots with signing activated.
will that work for you?

[laeubi]

Yes a snapshot with signing would be enough.

[olamy]

@laeubi I have deployed manually snapshot with gpg signing activated.
let me know if it works for you. thanks

[laeubi]

@olamy thanks, I have checked the output and it looks fine now! 👍

[joakime]

@laeubi Why is tycho-p2-repository reaching out to a 3rd party server and failing if it cannot get a reply?

[INFO] Jetty :: Documentation ............................. SUCCESS [ 46.514 s]
[INFO] Jetty :: P2 ........................................ FAILURE [  1.124 s]
[INFO] Jetty :: Javadoc Build ............................. SKIPPED
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  11:13 min
[INFO] Finished at: 2022-06-16T14:59:24-05:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal org.eclipse.tycho:tycho-p2-repository-plugin:2.7.3:assemble-maven-repository (maven-p2-site) 
  on project jetty-p2: Fetching  PGP key failed: java.io.IOException: Server returned HTTP response code: 
  500 for URL: http://pgp.mit.edu/pks/lookup?op=get&search=0x818D9D68FB67BAC -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
[ERROR] 
[ERROR] After correcting the problems, you can resume the build with the command
[ERROR]   mvn <args> -rf :jetty-p2

How can we disable this use of pgp.mit.edu? As it is far too unreliable for our release process.

[laeubi]

Why is tycho-p2-repository reaching out to a 3rd party server and failing if it cannot get a reply?

It needs to fetch the PGP (public) key for the signed content, but this should be cached once it got the information once

How can we disable this use of pgp.mit.edu? As it is far too unreliable for our release process.

This is controlled by the property includePGPSignature, but as PGP signatures are important to validate the integrity of your artifacts I would recommend to include this so jetty is not show-up as unsigned content, but you can use a different keyserver with the keyserverurl e.g. https://keyserver.ubuntu.com is much more faster and reliable!

[joakime]

Why is tycho-p2-repository reaching out to a 3rd party server and failing if it cannot get a reply?

It needs to fetch the PGP (public) key for the signed content, but this should be cached once it got the information once

This information should already be present in the maven reactor, as the gpg plugin was just used to sign all of the artifacts.
What details are you wanting from the keyserver that are not available already to your plugin?

How can we disable this use of pgp.mit.edu? As it is far too unreliable for our release process.

This is controlled by the property includePGPSignature, but as PGP signatures are important to validate the integrity of your artifacts I would recommend to include this so jetty is not show-up as unsigned content, but you can use a different keyserver with the keyserverurl e.g. https://keyserver.ubuntu.com is much more faster and reliable!

pgp.mit.edu fails in about 60% of our builds, and as far I can tell, there's no caching that is helping with this.
Every build is subject to failure, as every build seems to want to talk to pgp.mit.edu.

Looking at the error, I wonder if it's getting confused by my multiple gpg keys.
I have keys for on my system for about 13 different identities. The search URL points to ?op=get&search=0x818D9D68FB67BAC which identifies as a different key then what I used to gpg sign the artifacts for the release. The key 0x818D9.. is my [email protected] key, not my eclipse signing key, which should have been 0x2D0E1F... for [email protected].

Maven builds are using the gpg plugin to sign the artifacts, using the gpg.keyname maven property to select the appropriate key, which is configured in my $HOME/.m2/settings.xml against the same profile used to build/release eclipse projects, and the same keyname used to sign my git commits to eclipse projects.

[laeubi]

This information should already be present in the maven reactor, as the gpg plugin was just used to sign all of the artifacts.
What details are you wanting from the keyserver that are not available already to your plugin?

The main point is that it must work with any plugin (not only the one you are currently signing). Beside that, it makes sure the information is at least available from one keyserver later on.

Looking at the error, I wonder if it's getting confused by my multiple gpg keys.

I think there was an error that tycho tries to include all keys with the pgp plugin but this mojo should not be affected by this. so probably the generated site includes more than we think, can you check this?

Maven builds are using the gpg plugin to sign the artifacts, using the gpg.keyname maven property to select the appropriate key

As mentioned above, this is only one key but wen need all used in the site, beside that, due to maven internals, is not easy to "reuse" other mojos configuration reliable.

pgp.mit.edu fails in about 60% of our builds, and as far I can tell, there's no caching that is helping with this.

Just use the ubuntu mirror, should be much better, the keys are cached in the local maven repo, so if you clear this sometimes... of course there is always a chance of bug, so if you have any steps to reproduce please let me know!

[laeubi]

@joakime I have added a fix to tycho now, if you like you can try out the current tycho snapshot build if it improves the situation, I also prepare a release for Tycho 2.7.4 that will include this fix.