
Refresh Java language client docs for sigstore-java 2.0.0#429

Open
smythp wants to merge 2 commits into sigstore:main from smythp:java-refresh-2026-04-23
Conversation

@smythp (Collaborator)

@smythp smythp commented Apr 24, 2026

Summary

Refreshes content/en/language_clients/java.md to reflect sigstore-java 2.0.0 (released Nov 2025). The existing page pinned the 1.0.0-era plugin versions and was missing several features the library now offers.

Content updates

  • Bump Maven and Gradle plugin versions 1.0.0 → 2.0.0
  • Add Requirements section (Java 11+, Gradle 7.5+)
  • Add DSSE attestation section with a Rekor V2 staging example
  • Add TUF integration and GitHub Actions OIDC support to features
  • Add a "Signing individual files" subsection for the sign-base Gradle plugin
  • Add a stable-API note (only KeylessSigner and KeylessVerifier are guaranteed stable per the upstream README)
  • Add a Known Limitations section (offline signing, multi-module Maven, 10-minute OIDC token window)

Fixes to existing examples
The API Usage snippets in the current page had a few bugs that would prevent them from compiling:

  • Missing .build() call at the end of the VerificationOptions chain
  • Spurious new keyword on the KeylessVerifier.builder() call (it's a static builder)
  • Missing semicolons and incomplete imports

Fixed and verified against the current library API.

Tone / style

  • Introduce OIDC, DSSE, TUF, Rekor on first mention with short definitions and links to primary sources
  • Switch Maven plugin code fence from java to xml
  • Trim hedging language ("we recommend using the latest version" → "use the latest version")
  • Match bullet style with sibling language-client pages

Test plan

  • Render the Hugo site locally and confirm the page renders correctly
  • Verify all links resolve (openid.net, DSSE repo, TUF home, Javadoc, Rekor logging page, release notes)
  • Confirm the Java and Gradle code snippets compile / evaluate as written
  • Confirm the Maven and Gradle plugin versions and coordinates against the 2.0.0 release

Notes for reviewers

Version numbers and install snippets were cross-checked against the sigstore-java 2.0.0 release and upstream README at the time of writing. Code example fixes are based on the current public API surface documented in the Javadoc — please flag if any of the examples here drift from preferred usage patterns in the project.
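As an added example (not code from this PR, the docs page it updates, or the sigstore-java project itself), this is the shape of a verification call that avoids the three compile bugs the description lists: the import is dev.sigstore.VerificationOptions, the builder is the static KeylessVerifier.builder() with no new, and the VerificationOptions chain ends in .build(). The method names sigstorePublicDefaults(), verify(), Bundle.from(), CertificateMatcher.fulcio() and StringMatcher.string(), and the dev.sigstore.strings package, are assumed from the upstream README and should be checked against the 2.0.0 Javadoc; the identity, issuer and file paths are placeholders.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

import dev.sigstore.KeylessVerifier;
import dev.sigstore.VerificationOptions;           // not dev.sigstore.verification.VerificationOptions
import dev.sigstore.VerificationOptions.CertificateMatcher;
import dev.sigstore.bundle.Bundle;
import dev.sigstore.strings.StringMatcher;          // assumed package, check against the Javadoc

public class VerifyArtifact {
  public static void main(String[] args) throws Exception {
    // Placeholder inputs: the artifact and the .sigstore.json bundle written at signing time
    Path artifact = Paths.get(args[0]);
    Path bundlePath = Paths.get(args[1]);

    // Assumed from the upstream README: Bundle.from(Path, Charset)
    Bundle bundle = Bundle.from(bundlePath, StandardCharsets.UTF_8);

    // Static builder: no 'new' keyword in front of KeylessVerifier.builder()
    KeylessVerifier verifier = KeylessVerifier.builder()
        .sigstorePublicDefaults()
        .build();

    // Pin the expected signing identity and issuer rather than accepting any valid
    // Fulcio certificate, and terminate the options chain with .build()
    VerificationOptions options = VerificationOptions.builder()
        .addCertificateMatchers(CertificateMatcher.fulcio()
            .subjectAlternativeName(StringMatcher.string("release@example.com"))   // placeholder identity
            .issuer(StringMatcher.string("https://accounts.example.com"))          // placeholder issuer
            .build())
        .build();

    // Throws if the signature, certificate chain, transparency log entry or identity does not check out
    verifier.verify(artifact, bundle, options);
    System.out.println("verified: " + artifact);
  }
}
```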

@netlify

netlify Bot commented Apr 24, 2026

Deploy Preview for docssigstore ready!

Name Link
🔨 Latest commit 0859810
🔍 Latest deploy log https://app.netlify.com/projects/docssigstore/deploys/69ed2eebd1e29e000825ade9
😎 Deploy Preview https://deploy-preview-429--docssigstore.netlify.app

@smythp smythp marked this pull request as draft April 25, 2026 13:31
smythp added 2 commits April 25, 2026 17:15
Generated via mill crank doc_refresh. Changes:
- Bump Maven/Gradle plugin versions 1.0.0 -> 2.0.0
- Add Requirements section (Java 11+, Gradle 7.5+)
- Add DSSE attestation section with Rekor V2 example
- Add TUF integration and GitHub Actions OIDC to features
- Add 'Signing individual files' subsection with sign-base plugin
- Add stable-API note (only KeylessSigner / KeylessVerifier guaranteed)
- Add Known Limitations section
- Fix compile errors in API Usage examples (missing .build(),
  incorrect 'new' keyword on builder, missing semicolons)
- Complete imports in all Java snippets
- Switch Maven code fence from java to xml
- Introduce OIDC/DSSE/TUF/Rekor with definitions and links on
  first mention; trim marketing fluff

Signed-off-by: Patrick Smyth <patrick.smyth@chainguard.dev>

Independent review (codex agent against the live PR diff) caught real
factual issues that the doc_refresh chain's accuracy stage missed.
Cross-checked each finding against sigstore-java v2.0.0 source before
applying.

Blocker fixes:
- Fix VerificationOptions import: dev.sigstore.verification.VerificationOptions
  -> dev.sigstore.VerificationOptions (the snippet would not compile as
  written; verified against
  sigstore-java/src/main/java/dev/sigstore/VerificationOptions.java)
- Fix sign-base SigstoreSignFilesTask reference: use FQCN
  dev.sigstore.sign.tasks.SigstoreSignFilesTask::class so the Gradle
  snippet works without an import (verified against
  sigstore-gradle/sigstore-gradle-sign-base-plugin)
- Soften stable API note to match upstream README: '... and the classes
  exposed by those APIs' (was overstated as only KeylessSigner /
  KeylessVerifier)

Additions and clarifications:
- Add GitHub Actions section with required OIDC permissions block
  (permissions: id-token: write, contents: read), matching the snippet
  in upstream Maven and Gradle READMEs
- Add Gradle plugin version to the sign-base snippet
- Expand the offline limitation to cover both signing and verification,
  noting that verification supports a custom trusted root for restricted
  environments

Signed-off-by: Patrick Smyth <patrick.smyth@chainguard.dev>
@smythp smythp force-pushed the java-refresh-2026-04-23 branch from 28d7ac3 to 0859810 Compare April 25, 2026 21:15
@smythp smythp marked this pull request as ready for review April 25, 2026 21:38