[MGPG-120] New mojo sign-deployed (#88)

New mojo, "sign-deployed" that is able to sign already deployed artifacts.
Assuming there is no Maven project, hence mojo should not require project, just a list of artifacts.

---

https://issues.apache.org/jira/browse/MGPG-120

Author: cstamas

pom.xml

@@ -123,6 +123,13 @@ under the License.
       <version>${resolverVersion}</version>
       <scope>provided</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.maven.resolver</groupId>
+      <artifactId>maven-resolver-util</artifactId>
+      <version>${resolverVersion}</version>
+      <!-- This is needed to be in compile to work with Maven pre 3.9 -->
+      <scope>compile</scope>
+    </dependency>
     <dependency>
       <groupId>org.apache.maven.plugin-tools</groupId>
       <artifactId>maven-plugin-annotations</artifactId>

src/it/sign-deployed/invoker.properties

@@ -0,0 +1,19 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+invoker.goals = ${project.groupId}:${project.artifactId}:${project.version}:sign-deployed
+invoker.environmentVariables.MAVEN_GPG_PASSPHRASE = TEST

src/it/sign-deployed/remote-repo/org/foo/bar/1.0/bar-1.0-javadoc.jar

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>org.apache.maven.its.gpg.sadfs</groupId>
+  <artifactId>test</artifactId>
+  <version>1.0</version>
+  <packaging>jar</packaging>
+
+  <name>MGPG-12</name>
+  <description>
+    Tests the signing and deployment of a simple release JAR along with its POM.
+  </description>
+</project>

src/it/sign-deployed/remote-repo/org/foo/bar/1.0/bar-1.0-sources.jar

@@ -0,0 +1,20 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+url = file://remote-repo
+repositoryId = staging-1
+artifacts = org.foo:bar:pom:1.0,org.foo:bar:jar:1.0,org.foo:bar:zip:1.0,org.foo:bar:tar.gz:1.0,org.foo:bar:tar.gz:src:1.0

src/it/sign-deployed/remote-repo/org/foo/bar/1.0/bar-1.0-src.tar.gz

@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+var artifactDir = new File(basedir, "remote-repo/org/foo/bar/1.0")
+
+var expectedFiles = [
+    "bar-1.0.jar.asc",
+    "bar-1.0-sources.jar.asc",
+    "bar-1.0-javadoc.jar.asc",
+    "bar-1.0.pom.asc",
+    "bar-1.0.zip.asc",
+    "bar-1.0-src.tar.gz.asc",
+    "bar-1.0.tar.gz.asc"
+]
+
+for (String expectedFile : expectedFiles) {
+    var file = new File(artifactDir, expectedFile)
+
+    println "Checking for existence of $file"
+
+    if (!file.isFile()) {
+        throw new Exception("Missing file $file")
+    }
+}

src/it/sign-deployed/remote-repo/org/foo/bar/1.0/bar-1.0.jar

@@ -0,0 +1,41 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.maven.plugins.gpg;
+
+import java.io.IOException;
+import java.util.Collection;
+
+import org.eclipse.aether.RepositorySystemSession;
+import org.eclipse.aether.artifact.Artifact;
+import org.eclipse.aether.repository.RemoteRepository;
+
+/**
+ * Artifact collector SPI, that collects artifacts in some way from given {@link RemoteRepository}.
+ *
+ * @since 3.2.3
+ */
+public interface ArtifactCollectorSPI {
+    /**
+     * Returns collected artifacts or {@code null} if collection was not possible for any reason.
+     * <p>
+     * Collector should collect only <em>relevant artifacts</em>, those that are subject to signing.
+     */
+    Collection<Artifact> collectArtifacts(RepositorySystemSession session, RemoteRepository remoteRepository)
+            throws IOException;
+}

src/it/sign-deployed/remote-repo/org/foo/bar/1.0/bar-1.0.pom

@@ -58,7 +58,7 @@
 import org.eclipse.aether.repository.RemoteRepository;
 
 /**
- * Signs artifacts and installs the artifact in the remote repository.
+ * Signs artifacts and deploys the artifacts and signatures in the remote repository.
  *
  * @author Daniel Kulp
  * @since 1.0-beta-4