Add sigstore to FINOS parent pom #9

Open
maoo opened this issue Jun 23, 2022 · 1 comment

Comments

maoo commented Jun 23, 2022

Check out https://www.csoonline.com/article/3662782/sigstore-explained-how-it-helps-secure-the-software-supply-chain.html to know what Sigstore is and why it's important to use it.

For Maven, Sonatype wrote a useful blog post: https://blog.sonatype.com/maven-central-and-sigstore

We'll start by adding the Sigstore Maven Plugin into this FINOS Parent pom, so that all FINOS hosted projects that build with Maven (and Gradle) can take advantage of it.

Code will be developed (and is already available) on branch https://github.com/finos/finos-parent-pom/tree/sigstore

maoo commented Jun 23, 2022

I'm trying to run the snapshot deployment, but it fails, attaching logs:

$ mvn deploy -Psigstore-release -DrepoServerHost=oss.sonatype.org

[INFO] Scanning for projects...
[INFO] 
[INFO] --------------------------< org.finos:finos >---------------------------
[INFO] Building The FINOS Parent POM 5-SNAPSHOT
[INFO] --------------------------------[ pom ]---------------------------------
[INFO] 
[INFO] --- maven-enforcer-plugin:1.4.1:enforce (default) @ finos ---
[INFO] 
[INFO] --- maven-install-plugin:3.0.0-M1:install (default-install) @ finos ---
[INFO] Installing /Users/m/w/projects/finos-parent-pom/pom.xml to /Users/m/.m2repo/org/finos/finos/5-SNAPSHOT/finos-5-SNAPSHOT.pom
[INFO] 
[INFO] --- sigstore-maven-plugin:0.0.17:sign (default) @ finos ---
[INFO] Using /Users/m/.gnupg as GPG homedir: (like using gpg --homedir <homedir>
[INFO] generating keypair using EC with secp256r1 parameters
Please open the following address in your browser:
  https://oauth2.sigstore.dev/auth/auth?client_id=sigstore&code_challenge=0pEWyaVdgXgPxlV3pFSdD_mA04oJxDQCtL40Hcq8Piw&code_challenge_method=S256&redirect_uri=http://localhost:49179/Callback&response_type=code&scope=openid%20email
Attempting to open that address in the default browser now...
[INFO] Signing subject '[email protected]' as proof of possession of private key
[INFO] Requesting signing certificate
[INFO] Parsing signing certificate
[INFO] Writing signing certificate to /Users/m/w/projects/finos-parent-pom/target/finos-5-SNAPSHOT.pom.pem
[INFO] Created entry in transparency log for finos-5-SNAPSHOT.pom @ 'https://rekor.sigstore.dev/api/v1/log/entries/f15e608fe625a2b2a91f3f8525ec259479f14765909abc14e911fca0b4aed3dc'
Cannot connect to server. Have you started it?
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  7.485 s
[INFO] Finished at: 2022-06-23T10:57:29+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal dev.sigstore.maven.plugins:sigstore-maven-plugin:0.0.17:sign (default) on project finos: Error signing artifact /Users/m/w/projects/finos-parent-pom/target/finos-5-SNAPSHOT.pom.: java.net.SocketException: No such file or directory; errno=2 -> [Help 1]
[ERROR] 
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR] 
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException

The file /Users/m/w/projects/finos-parent-pom/target/finos-5-SNAPSHOT.pom exists, but it seems that there is a trailing . character, which may be causing the issue.

Below I'm pasting my java and mvn versions:

$ java -version
java version "11.0.8" 2020-07-14 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.8+10-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.8+10-LTS, mixed mode)

$ mvn -v
Apache Maven 3.8.4 (9b656c72d54e5bacbed989b64718c159fe39b537)
Maven home: /usr/local/Cellar/maven/3.8.4/libexec
Java version: 17.0.2, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk/17.0.2/libexec/openjdk.jdk/Contents/Home
Default locale: en_GB, platform encoding: UTF-8
OS name: "mac os x", version: "12.4", arch: "x86_64", family: "mac"
