diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..36fde6c
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,44 @@
+name: Build
+on:
+ [push]
+jobs:
+ build:
+ name: Build and Test
+ runs-on: ubuntu-latest
+ if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ - uses: actions/cache@v2
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+ - name: Ensure to use tagged version
+ if: startsWith(github.ref, 'refs/tags/')
+ run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+ - name: Build and Test
+ id: buildAndTest
+ run: mvn -B clean install jacoco:report -Pcoverage,dependency-check
+ - name: Upload code coverage report
+ id: codacyCoverageReporter
+ run: bash <(curl -Ls https://coverage.codacy.com/get.sh)
+ env:
+ CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
+ continue-on-error: true
+ - uses: actions/upload-artifact@v2
+ with:
+ name: artifacts
+ path: target/*.jar
+ - name: Create Release
+ uses: actions/create-release@v1
+ if: startsWith(github.ref, 'refs/tags/')
+ env:
+ GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # release as "cryptobot"
+ with:
+ tag_name: ${{ github.ref }}
+ release_name: Release ${{ github.ref }}
+ prerelease: true
\ No newline at end of file
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 96422c2..43af013 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml 
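Review bot: The coverage step runs `bash <(curl -Ls https://coverage.codacy.com/get.sh)`, executing whatever that URL serves at run time while `CODACY_PROJECT_TOKEN` sits in the step's environment, so the token's safety rests entirely on the remote script; downloading a fixed release of the reporter and verifying its checksum before running it would pin that. The `Create Release` step uses a personal access token (`CRYPTOBOT_RELEASE_TOKEN`) rather than the workflow's own `GITHUB_TOKEN`, and the inline comment only hints at why; presumably the release must fire the `release: published` trigger in publish-github.yml, which the default token would not do, so a comment such as `# PAT so the release event triggers publish-github.yml; scope it to releases only` records both the reason and the expected scope. Every action here is pinned to a mutable major tag (`@v2`, `@v1`); pinning to full commit SHAs with the tag in a trailing comment is the usual hardening for a workflow that handles release credentials.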
@@ -1,13 +1,13 @@ + name: "CodeQL" on: push: - branches: [develop, master] + branches: [develop, main] pull_request: - # The branches below must be a subset of the branches above branches: [develop] schedule: - - cron: '0 0 * * 4' + - cron: '0 6 * * 0' jobs: analyse: @@ -15,30 +15,23 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout repository - uses: actions/checkout@v2 + - uses: actions/checkout@v2 with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. fetch-depth: 2 - uses: actions/setup-java@v1 with: java-version: 11 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - - # Initializes the CodeQL tools for scanning. + - uses: actions/cache@v2 + with: + path: ~/.m2/repository + key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }} + restore-keys: | + ${{ runner.os }}-maven- - name: Initialize CodeQL uses: github/codeql-action/init@v1 with: languages: java - - # Build project - name: Build and Test - run: mvn -B install - + run: mvn -B install -DskipTests - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 + uses: github/codeql-action/analyze@v1 \ No newline at end of file diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml new file mode 100644 index 0000000..f22b7a9 --- /dev/null +++ b/.github/workflows/publish-central.yml 
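Review bot: The `pull_request` trigger still lists only `[develop]` while the `push` branches became `[develop, main]`, so a pull request targeting `main` is not scanned by CodeQL until after it has been merged; `branches: [develop, main]` on the `pull_request` trigger as well would close that gap. Dropping the template comment about the subset rule is fine, but the asymmetry now goes unexplained — either widen the list or note it, e.g. `# PRs into main are only scanned on push`.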
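Review bot: The step still named `Build and Test` now runs `mvn -B install -DskipTests`, so its name is misleading; `- name: Build` describes what it does. `fetch-depth: 2` on the checkout step existed only for the removed `git checkout HEAD^2` step and can go as well, or deserves a comment if it is kept deliberately. The file also loses its trailing newline (`\ No newline at end of file`).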
@@ -0,0 +1,37 @@
+name: Publish to Maven Central
+on:
+ workflow_dispatch:
+ inputs:
+ tag:
+ description: 'Tag'
+ required: true
+ default: '0.0.0'
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: "refs/tags/${{ github.event.inputs.tag }}"
+ - uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
+ server-username: MAVEN_USERNAME # env variable for username in deploy
+ server-password: MAVEN_PASSWORD # env variable for token in deploy
+ gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+ gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
+ - uses: actions/cache@v2
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+ - name: Enforce project version ${{ github.event.inputs.tag }}
+ run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }}
+ - name: Deploy
+ run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
+ env:
+ MAVEN_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+ MAVEN_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
\ No newline at end of file
diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml
new file mode 100644
index 0000000..32a3041
--- /dev/null
+++ b/.github/workflows/publish-github.yml 
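Review bot: The `tag` input is interpolated straight into the shell line `run: mvn versions:set -B -DnewVersion=${{ github.event.inputs.tag }}`; `${{ }}` is substituted before the shell parses the command, so a value containing shell metacharacters is interpreted rather than passed as an argument, and the same holds for `github.event.release.tag_name` in publish-github.yml. Passing the value through the environment keeps it a plain string: `env:` / `TAG: ${{ github.event.inputs.tag }}` / `run: mvn versions:set -B -DnewVersion="$TAG"`. Since `workflow_dispatch` inputs are typed by whoever triggers the run, a preceding step that checks the value against the expected version pattern would reject a malformed tag before it reaches Maven and the signing step; the `ref:` on checkout would fail for a non-existent tag, but only after setup-java has already imported the GPG key.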
@@ -0,0 +1,40 @@
+name: Publish to GitHub Packages
+on:
+ release:
+ types: [published]
+jobs:
+ publish:
+ runs-on: ubuntu-latest
+ if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions
+ steps:
+ - uses: actions/checkout@v2
+ - uses: actions/setup-java@v1
+ with:
+ java-version: 11
+ gpg-private-key: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+ gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
+ - uses: actions/cache@v2
+ with:
+ path: ~/.m2/repository
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
+ restore-keys: |
+ ${{ runner.os }}-maven-
+ - name: Enforce project version ${{ github.event.release.tag_name }}
+ run: mvn versions:set -B -DnewVersion=${{ github.event.release.tag_name }}
+ - name: Deploy
+ run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+ - name: Slack Notification
+ uses: rtCamp/action-slack-notify@v2
+ env:
+ SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+ SLACK_USERNAME: 'Cryptobot'
+ SLACK_ICON:
+ SLACK_ICON_EMOJI: ':bot:'
+ SLACK_CHANNEL: 'cryptomator-desktop'
+ SLACK_TITLE: "Published ${{ github.event.repository.name }} ${{ github.event.release.tag_name }}"
+ SLACK_MESSAGE: "Ready to ."
+ SLACK_FOOTER:
+ MSG_MINIMAL: true
\ No newline at end of file
diff --git a/pom.xml b/pom.xml
index 47c8b49..f6f53cb 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,7 +2,7 @@ 4.0.0 org.cryptomator cryptolib - 1.4.0 + 1.4.1 Cryptomator Crypto Library This library contains all cryptographic functions that are used by Cryptomator. https://github.com/cryptomator/cryptolib
@@ -14,11 +14,19 @@ + UTF-8 + + 2.8.6 - 29.0-android - 1.4.0 + 30.1-jre + 1.4.1 1.7.30 - UTF-8 + + + 5.7.1 + 3.7.7 + 2.2 + 1.27
@@ -39,14 +47,6 @@ - - - bintray bintray https://jcenter.bintray.com - - - org.cryptomator 
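Review bot: `SLACK_ICON:` and `SLACK_FOOTER:` are bare keys and parse as null rather than an empty string, and `SLACK_MESSAGE: "Ready to ."` reads like an unfinished sentence; give them values or drop the keys. `rtCamp/action-slack-notify@v2` is a third-party action pinned only to a moving major tag while it receives `SLACK_WEBHOOK_URL`; pinning it to a full commit SHA (tag in a trailing comment) limits what a re-pointed tag could do with that secret. In the `Enforce project version` step, `-DnewVersion=${{ github.event.release.tag_name }}` is substituted into the shell line before it is parsed, so a tag name with shell metacharacters is interpreted; exporting it via `env:` and using `"$TAG"` in `run:` keeps it a plain argument. The file also ends without a trailing newline.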
@@ -76,19 +76,19 @@ org.junit.jupiter junit-jupiter - 5.7.0 + ${junit.jupiter.version} test org.mockito mockito-core - 3.5.11 + ${mockito.version} test org.hamcrest hamcrest - 2.2 + ${hamcrest.version} test @@ -100,27 +100,45 @@ org.openjdk.jmh jmh-core - 1.25.2 + ${jmh.version} test org.openjdk.jmh jmh-generator-annprocess - 1.25.2 + ${jmh.version} test + + org.apache.maven.plugins + maven-enforcer-plugin + 3.0.0-M3 + + + enforce-java + + enforce + + + + + You need at least JDK 11.0.3 to build this project. + [11.0.3,) + + + + + + maven-compiler-plugin 3.8.1 - 7 - 1.7 - 1.7 - 8 + 8 UTF-8 true @@ -142,35 +160,61 @@ + + maven-source-plugin + 3.2.1 + + + attach-sources + + jar-no-fork + + + + + + maven-javadoc-plugin + 3.2.0 + + + attach-javadocs + + jar + + + + + + + + apiNote + a + API Note: + + + implSpec + a + Implementation Requirements: + + + implNote + a + Implementation Note: + + param + return + throws + since + version + serialData + see + + + - - intellij - - - false - - idea.maven.embedder.version - - - - - - org.apache.maven.plugins - maven-compiler-plugin - 3.8.1 - - 8 - 1.8 - 1.8 - - - - - - dependency-check @@ -178,7 +222,7 @@ org.owasp dependency-check-maven - 6.0.1 + 6.1.0 24 0 @@ -213,6 +257,12 @@ prepare-agent + + report + + report + + 
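Review bot: The new enforcer rule requires JDK `[11.0.3,)` while the compiler plugin appears to be set to `8` (presumably `<release>`), and nothing in the hunk records why the two differ; a comment next to the rule such as `<!-- JDK 11 is needed for the build tooling; the library itself stays Java 8 compatible via <release>8 -->` keeps the next reader from "fixing" one to match the other. The enforcer plugin is pinned to the milestone build `3.0.0-M3`; it is worth noting in the pom that this is intentional, or moving to a GA release when one is adopted. The markup of this hunk has been stripped in this view, so element placement is inferred from the visible values.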
@@ -220,61 +270,67 @@ - release - - - bintray-jcenter - https://api.bintray.com/maven/cryptomator/maven/cryptolib/;publish=1 - - + sign - maven-source-plugin - 3.2.1 + maven-gpg-plugin + 1.6 - attach-sources + sign-artifacts + verify - jar-no-fork + sign + + + --pinentry-mode + loopback + + + + + + + + deploy-central + + + ossrh + Maven Central + https://oss.sonatype.org/service/local/staging/deploy/maven2/ + + + + - maven-javadoc-plugin - 3.2.0 - - - attach-javadocs - - jar - - - + org.sonatype.plugins + nexus-staging-maven-plugin + 1.6.8 + true - 1.7 + ossrh + https://oss.sonatype.org/ + true - - maven-dependency-plugin - 3.1.2 - - - generate-dependency-list - prepare-package - - list - - - runtime - ${project.build.directory}/dependency-list.txt - - - - + + + deploy-github + + + github + GitHub Packages + https://maven.pkg.github.com/cryptomator/cryptolib + + + diff --git a/src/test/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImplTest.java b/src/test/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImplTest.java index 1f1b8de..0de668b 100644 --- a/src/test/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImplTest.java +++ b/src/test/java/org/cryptomator/cryptolib/v2/FileHeaderCryptorImplTest.java @@ -17,6 +17,7 @@ import org.junit.jupiter.api.BeforeEach; import org.junit.jupiter.api.Test; +import javax.crypto.Cipher; import javax.crypto.SecretKey; import javax.crypto.spec.GCMParameterSpec; import javax.crypto.spec.SecretKeySpec; @@ -29,7 +30,7 @@ public class FileHeaderCryptorImplTest { private static final SecureRandom RANDOM_MOCK = SecureRandomMock.NULL_RANDOM; - private static final SecureRandom ANTI_REUSE_PRNG = SecureRandomMock.cycle((byte) 0x13, (byte) 0x37); + private static final SecureRandom ANTI_REUSE_PRNG = SecureRandomMock.PRNG_RANDOM; private FileHeaderCryptorImpl headerCryptor; 
@@ -38,10 +39,12 @@ public void setup() { SecretKey encKey = new SecretKeySpec(new byte[32], "AES"); headerCryptor = new FileHeaderCryptorImpl(encKey, RANDOM_MOCK); - // init cipher with distinct IV to avoid cipher-internal anti-reuse checking + // create new (unused) cipher, just to cipher.init() internally. This is an attempt to avoid + // InvalidAlgorithmParameterExceptions due to IV-reuse, when the actual unit tests use constant IVs byte[] nonce = new byte[GCM_NONCE_SIZE]; ANTI_REUSE_PRNG.nextBytes(nonce); - CipherSupplier.AES_GCM.forEncryption(encKey, new GCMParameterSpec(GCM_TAG_SIZE * Byte.SIZE, nonce)); + Cipher cipher = CipherSupplier.AES_GCM.forEncryption(encKey, new GCMParameterSpec(GCM_TAG_SIZE * Byte.SIZE, nonce)); + Assertions.assertNotNull(cipher); } @Test
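Review bot: The new comment describes the intent but not the precondition the trick depends on: initialising a throwaway `Cipher` with a fresh nonce only avoids the provider's IV-reuse check if `CipherSupplier.AES_GCM.forEncryption` later hands the tests the same underlying Cipher instance whose last IV the provider remembers, which this hunk cannot show; adding `// relies on CipherSupplier reusing the same Cipher instance across forEncryption() calls — verify if the supplier changes` makes the workaround checkable. `Assertions.assertNotNull(cipher)` in what is presumably the `@BeforeEach` setup mostly serves to keep the local variable used; saying so in the comment, or dropping the local and keeping the bare call as before, would be clearer than an assertion that reads as a test. The enclosing `setup()` method starts before this hunk.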