Release 1.4.1

Packaging fixes:

- Fixed dependency declarations so API dependencies are correctly
  propagated as compile-time dependencies of dependent projects.
- Fixed Specification-Version release date in webauthn-server-core jar
  manifest.

Author: emlun

.github/workflows/master.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 10, 11, 12]
+        java: [8, 11]
 
     steps:
     - name: Check out code

.github/workflows/release-verify-signatures.yml

@@ -11,14 +11,9 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [10, 11, 12]
+        java: [11]
 
     steps:
-    - name: Download signatures
-      run: |
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-attestation-${GITHUB_REF}.jar.asc
-        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${GITHUB_REF}/webauthn-server-core-${GITHUB_REF}.jar.asc
-
     - name: check out code
       uses: actions/checkout@v1
 
@@ -31,9 +26,24 @@ jobs:
       run: ./gradlew jar
 
     - name: Fetch keys
-      run: gpg --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+      run: gpg --no-default-keyring --keyring yubico --recv-keys 57A9DEED4C6D962A923BB691816F3ED99921835E
+
+    - name: Verify signatures from GitHub release
+      run: |
+        export TAGNAME=${GITHUB_REF#refs/tags/}
 
-    - name: Verify signatures
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
+        wget https://github.com/${GITHUB_REPOSITORY}/releases/download/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
+
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar
+
+    - name: Verify signatures from Maven Central
       run: |
-        gpg --verify webauthn-server-attestation-${GITHUB_REF}.jar.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${GITHUB_REF}.jar
-        gpg --verify webauthn-server-core-${GITHUB_REF}.jar.asc webauthn-server-core/build/libs/webauthn-server-core-${GITHUB_REF}.jar
+        export TAGNAME=${GITHUB_REF#refs/tags/}
+
+        wget -O webauthn-server-core-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-core/${TAGNAME}/webauthn-server-core-${TAGNAME}.jar.asc
+        wget -O webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc https://repo1.maven.org/maven2/com/yubico/webauthn-server-attestation/${TAGNAME}/webauthn-server-attestation-${TAGNAME}.jar.asc
+
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-attestation-${TAGNAME}.jar.mavencentral.asc webauthn-server-attestation/build/libs/webauthn-server-attestation-${TAGNAME}.jar
+        gpg --no-default-keyring --keyring yubico --verify webauthn-server-core-${TAGNAME}.jar.mavencentral.asc webauthn-server-core/build/libs/webauthn-server-core-${TAGNAME}.jar

.github/workflows/test.yml

@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        java: [8, 10, 11, 12]
+        java: [8, 11]
 
     steps:
     - name: Check out code

.gitignore

@@ -19,5 +19,4 @@ target/
 
 # Gradle
 .gradle/
-/build/
-/*/build/
+build/

.travis.yml

@@ -7,7 +7,6 @@ branches:
 jdk:
   - oraclejdk11
   - openjdk8
-  - openjdk10
   - openjdk11
 
 script:

NEWS

@@ -1,3 +1,12 @@
+== Version 1.4.1 ==
+
+Packaging fixes:
+
+* Fixed dependency declarations so API dependencies are correctly propagated as
+  compile-time dependencies of dependent projects.
+* Fixed Specification-Version release date in webauthn-server-core jar manifest.
+
+
 == Version 1.4.0 ==
 
 Changes:

build.gradle

@@ -7,9 +7,9 @@ buildscript {
   }
 }
 plugins {
-  id 'com.github.kt3k.coveralls' version '2.8.2'
+  id 'com.github.kt3k.coveralls' version '2.8.4'
   id 'io.codearte.nexus-staging' version '0.9.0'
-  id 'io.franzbecker.gradle-lombok' version '1.14'
+  id 'io.franzbecker.gradle-lombok' version '3.1.0'
 }
 
 import io.franzbecker.gradle.lombok.LombokPlugin
@@ -34,14 +34,14 @@ wrapper {
 }
 
 allprojects {
+  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
+  ext.dirtyMarker = "-DIRTY"
+
   apply plugin: 'com.cinnober.gradle.semver-git'
   apply plugin: 'idea'
 
   group = 'com.yubico'
 
-  ext.snapshotSuffix = "<count>.g<sha>-SNAPSHOT<dirty>"
-  ext.dirtyMarker = "-DIRTY"
-
   idea.module {
     downloadJavadoc = true
     downloadSources = true
@@ -63,7 +63,9 @@ subprojects {
   }
 }
 
-evaluationDependsOnChildren()
+allprojects {
+  evaluationDependsOnChildren()
+}
 
 task assembleJavadoc(type: Sync) {
   from("docs/index.html") {
@@ -88,6 +90,10 @@ subprojects { project ->
     reproducibleFileOrder = true
   }
 
+  tasks.withType(Sign) {
+    it.dependsOn check
+  }
+
   test {
     testLogging {
       showStandardStreams = isCiBuild

doc/releasing.md

@@ -0,0 +1,120 @@
+Release procedure
+====================
+
+Release candidate versions
+---
+
+ 1. Make sure release notes in `NEWS` are up to date.
+
+ 2. Run the tests one more time:
+
+    ```
+    $ ./gradlew clean check
+    ```
+
+ 3. Tag the head commit with an `X.Y.Z-RCN` tag:
+
+    ```
+    $ git tag -a -s 1.4.0-RC1 -m "Pre-release 1.4.0-RC1"
+    ```
+
+    No tag body needed.
+
+ 4. Publish to Sonatype Nexus:
+
+    ```
+    $ ./gradlew publish closeAndReleaseRepository
+    ```
+
+ 5. Push to GitHub:
+
+    ```
+    $ git push origin master 1.4.0-RC1
+    ```
+
+ 6. Make GitHub release.
+
+    - Use the new tag as the release tag
+    - Check the pre-release checkbox
+    - Copy the release notes from `NEWS` into the GitHub release notes; reformat
+      from ASCIIdoc to Markdown and remove line wraps. Include only
+      changes/additions since the previous release or pre-release.
+    - Attach the signature files from
+      `webauthn-server-attestation/build/libs/webauthn-server-attestation-X.Y.Z-RCN.jar.asc`
+      and
+      `webauthn-server-core/build/libs/webauthn-server-core-X.Y.Z-RCN.jar.asc`.
+    - Note which JDK version was used to build the artifacts.
+
+
+Release versions
+---
+
+ 1. Make sure release notes in `NEWS` are up to date.
+
+ 2. Make a no-fast-forward merge from the last (non release candidate) release
+    to the commit to be released:
+
+    ```
+    $ git checkout 1.3.0
+    $ git checkout -b release-1.4.0
+    $ git merge --no-ff master
+    ```
+
+    Copy the release notes for this version from `NEWS` into the merge commit
+    message; reformat it from ASCIIdoc to Markdown and re-wrap line widths at
+    the conventional 72 columns (see
+    [this](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
+    and [this](https://chris.beams.io/posts/git-commit/)). See previous release
+    commits for examples.
+
+    ```
+    $ git checkout master
+    $ git merge --ff-only release-1.4.0
+    $ git branch -d release-1.4.0
+    ```
+
+ 3. Remove the "(unreleased)" tag from `NEWS`.
+
+ 4. Amend this change into the merge commit:
+
+    ```
+    $ git add NEWS
+    $ git commit --amend --reset-author
+    ```
+
+ 5. Run the tests one more time:
+
+    ```
+    $ ./gradlew clean check
+    ```
+
+ 6. Tag the merge commit with an `X.Y.Z` tag:
+
+    ```
+    $ git tag -a -s 1.4.0 -m "Release 1.4.0"
+    ```
+
+    No tag body needed since that's included in the commit.
+
+ 7. Publish to Sonatype Nexus:
+
+    ```
+    $ ./gradlew publish closeAndReleaseRepository
+    ```
+
+ 8. Push to GitHub:
+
+    ```
+    $ git push origin master 1.4.0
+    ```
+
+ 9. Make GitHub release.
+
+    - Use the new tag as the release tag
+    - Copy the release notes from `NEWS` into the GitHub release notes; reformat
+      from ASCIIdoc to Markdown and remove line wraps. Include all changes since
+      the previous release (not just changes since the previous pre-release).
+    - Attach the signature files from
+      `webauthn-server-attestation/build/libs/webauthn-server-attestation-X.Y.Z.jar.asc`
+      and `webauthn-server-core/build/libs/webauthn-server-core-X.Y.Z.jar.asc`.
+    - Note which JDK version was used to build the artifacts.

settings.gradle

@@ -4,3 +4,7 @@ include ':webauthn-server-core'
 include ':webauthn-server-demo'
 include ':yubico-util'
 include ':yubico-util-scala'
+
+include ':test-dependent-projects:java-dep-webauthn-server-attestation'
+include ':test-dependent-projects:java-dep-webauthn-server-core'
+include ':test-dependent-projects:java-dep-yubico-util'

test-dependent-projects/build.gradle.kts

@@ -0,0 +1,4 @@
+plugins {
+    // This is needed because the root project needs the sourceCompatibility property to exist.
+    `java-library`
+}