Improve SignRepositoryArtifactsMojo handling of unsigned content

- Treat content that is signed outside of the signing certificate's validity range as unsigned.
eclipse-tycho · May 23, 2024 · 22fdc08 · 22fdc08
1 parent c0e5459
commit 22fdc08
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java b/tycho-gpg-plugin/src/main/java/org/eclipse/tycho/gpg/SignRepositoryArtifactsMojo.java
@@ -252,6 +252,13 @@ private void handle(IArtifactDescriptor artifactDescriptor, File artifact, Proxy
                     try {
                         var signedContent = signedContentFactory.getSignedContent(artifact);
                         if (signedContent.isSigned()) {
+                            for (var signerInfo : signedContent.getSignerInfos()) {
+                                // Check that the signature was produced within the validity range of the certificate.
+                                // If invalid, this throws CertificateExpiredException or CertificateNotYetValidException.
+                                // That ensures we continue the logic that follows as if the content were not signed.
+                                signedContent.checkValidity(signerInfo);
+                            }
+
                             if (skipIfJarsigned) {
                                 return;
                             }